API ID: frapi:openam
API Version: 1.0
Paths
/applications
1.0
Service for manipulating Applications. It supports the CRUDQ operations.
Create
Creates a new Application in a realm
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application schema",
"type" : "object",
"title" : "Application",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Unique application identifier."
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "When defined, it is displayed in the UI instead of application name."
},
"description" : {
"type" : "string",
"title" : "Description",
"description" : "String describing the application."
},
"applicationType" : {
"type" : "string",
"title" : "Application type",
"description" : "Name of the application type used as a template for the policy set."
},
"conditions" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Conditions",
"description" : "Condition types allowed in the context of the policy set."
}
},
"subjects" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Subjects",
"description" : "Subject types allowed in the context of the policy set."
}
},
"resourceTypeUuids" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Resource type uuids",
"description" : "A list of the UUIDs of the resource types associated with the policy set."
}
},
"entitlementCombiner" : {
"type" : "string",
"title" : "Entitlement combiner",
"description" : "Name of the decision combiner, such as \"DenyOverride\"."
},
"searchIndex" : {
"type" : "string",
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
},
"saveIndex" : {
"type" : "string",
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
},
"resourceComparator" : {
"type" : "string",
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
},
"attributeNames" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Attribute names",
"description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
}
},
"createdBy" : {
"type" : "string",
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the application."
},
"lastModifiedBy" : {
"type" : "string",
"title" : "Last modified by",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
},
"creationDate" : {
"type" : "integer",
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
},
"lastModifiedDate" : {
"type" : "integer",
"title" : "Last modified date",
"description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
},
"editable" : {
"type" : "boolean",
"title" : "Editable",
"description" : "It indicates if application is editable."
}
},
"required" : [ "name", "applicationType" ]
}
| Code | Description |
|---|---|
| 400 | Bad request error. The cause can be one of the following: the header "Content-Type"="application/json" is missing from the request, or the "applicationType" or "name" property is missing from the JSON of the application to be created. |
| 401 | Unauthorized error. The cause can be the following: the SSO header is missing from the request or the user token is not valid. |
| 409 | Conflict error. The cause can be the following: the application to be created already exists. |
Query by Filter
Lists all the Applications in a realm
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application schema",
"type" : "object",
"title" : "Application",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Unique application identifier."
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "When defined, it is displayed in the UI instead of application name."
},
"description" : {
"type" : "string",
"title" : "Description",
"description" : "String describing the application."
},
"applicationType" : {
"type" : "string",
"title" : "Application type",
"description" : "Name of the application type used as a template for the policy set."
},
"conditions" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Conditions",
"description" : "Condition types allowed in the context of the policy set."
}
},
"subjects" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Subjects",
"description" : "Subject types allowed in the context of the policy set."
}
},
"resourceTypeUuids" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Resource type uuids",
"description" : "A list of the UUIDs of the resource types associated with the policy set."
}
},
"entitlementCombiner" : {
"type" : "string",
"title" : "Entitlement combiner",
"description" : "Name of the decision combiner, such as \"DenyOverride\"."
},
"searchIndex" : {
"type" : "string",
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
},
"saveIndex" : {
"type" : "string",
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
},
"resourceComparator" : {
"type" : "string",
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
},
"attributeNames" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Attribute names",
"description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
}
},
"createdBy" : {
"type" : "string",
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the application."
},
"lastModifiedBy" : {
"type" : "string",
"title" : "Last modified by",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
},
"creationDate" : {
"type" : "integer",
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
},
"lastModifiedDate" : {
"type" : "integer",
"title" : "Last modified date",
"description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
},
"editable" : {
"type" : "boolean",
"title" : "Editable",
"description" : "It indicates if application is editable."
}
},
"required" : [ "name", "applicationType" ]
}
2.1
Service for manipulating Applications. It supports the CRUDQ operations.
Create
Creates a new Application in a realm
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application schema",
"type" : "object",
"title" : "Application",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Unique application identifier."
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "When defined, it is displayed in the UI instead of application name."
},
"description" : {
"type" : "string",
"title" : "Description",
"description" : "String describing the application."
},
"applicationType" : {
"type" : "string",
"title" : "Application type",
"description" : "Name of the application type used as a template for the policy set."
},
"conditions" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Conditions",
"description" : "Condition types allowed in the context of the policy set."
}
},
"subjects" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Subjects",
"description" : "Subject types allowed in the context of the policy set."
}
},
"resourceTypeUuids" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Resource type uuids",
"description" : "A list of the UUIDs of the resource types associated with the policy set."
}
},
"entitlementCombiner" : {
"type" : "string",
"title" : "Entitlement combiner",
"description" : "Name of the decision combiner, such as \"DenyOverride\"."
},
"searchIndex" : {
"type" : "string",
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
},
"saveIndex" : {
"type" : "string",
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
},
"resourceComparator" : {
"type" : "string",
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
},
"attributeNames" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Attribute names",
"description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
}
},
"createdBy" : {
"type" : "string",
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the application."
},
"lastModifiedBy" : {
"type" : "string",
"title" : "Last modified by",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
},
"creationDate" : {
"type" : "integer",
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
},
"lastModifiedDate" : {
"type" : "integer",
"title" : "Last modified date",
"description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
},
"editable" : {
"type" : "boolean",
"title" : "Editable",
"description" : "It indicates if application is editable."
}
},
"required" : [ "name", "applicationType" ]
}
| Code | Description |
|---|---|
| 400 | Bad request error. The cause can be one of the following: the header "Content-Type"="application/json" is missing from the request, or the "applicationType" or "name" property is missing from the JSON of the application to be created. |
| 401 | Unauthorized error. The cause can be the following: the SSO header is missing from the request or the user token is not valid. |
| 409 | Conflict error. The cause can be the following: the application to be created already exists. |
Query by Filter
Lists all the Applications in a realm
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application schema",
"type" : "object",
"title" : "Application",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Unique application identifier."
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "When defined, it is displayed in the UI instead of application name."
},
"description" : {
"type" : "string",
"title" : "Description",
"description" : "String describing the application."
},
"applicationType" : {
"type" : "string",
"title" : "Application type",
"description" : "Name of the application type used as a template for the policy set."
},
"conditions" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Conditions",
"description" : "Condition types allowed in the context of the policy set."
}
},
"subjects" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Subjects",
"description" : "Subject types allowed in the context of the policy set."
}
},
"resourceTypeUuids" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Resource type uuids",
"description" : "A list of the UUIDs of the resource types associated with the policy set."
}
},
"entitlementCombiner" : {
"type" : "string",
"title" : "Entitlement combiner",
"description" : "Name of the decision combiner, such as \"DenyOverride\"."
},
"searchIndex" : {
"type" : "string",
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
},
"saveIndex" : {
"type" : "string",
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
},
"resourceComparator" : {
"type" : "string",
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
},
"attributeNames" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Attribute names",
"description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
}
},
"createdBy" : {
"type" : "string",
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the application."
},
"lastModifiedBy" : {
"type" : "string",
"title" : "Last modified by",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
},
"creationDate" : {
"type" : "integer",
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
},
"lastModifiedDate" : {
"type" : "integer",
"title" : "Last modified date",
"description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
},
"editable" : {
"type" : "boolean",
"title" : "Editable",
"description" : "It indicates if application is editable."
}
},
"required" : [ "name", "applicationType" ]
}
/applications/{applicationName}
1.0
Service for manipulating Applications. It supports the CRUDQ operations.
Create
Creates a new Application in a realm
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| applicationName | string | Application name | ✓ | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application schema",
"type" : "object",
"title" : "Application",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Unique application identifier."
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "When defined, it is displayed in the UI instead of application name."
},
"description" : {
"type" : "string",
"title" : "Description",
"description" : "String describing the application."
},
"applicationType" : {
"type" : "string",
"title" : "Application type",
"description" : "Name of the application type used as a template for the policy set."
},
"conditions" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Conditions",
"description" : "Condition types allowed in the context of the policy set."
}
},
"subjects" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Subjects",
"description" : "Subject types allowed in the context of the policy set."
}
},
"resourceTypeUuids" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Resource type uuids",
"description" : "A list of the UUIDs of the resource types associated with the policy set."
}
},
"entitlementCombiner" : {
"type" : "string",
"title" : "Entitlement combiner",
"description" : "Name of the decision combiner, such as \"DenyOverride\"."
},
"searchIndex" : {
"type" : "string",
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
},
"saveIndex" : {
"type" : "string",
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
},
"resourceComparator" : {
"type" : "string",
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
},
"attributeNames" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Attribute names",
"description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
}
},
"createdBy" : {
"type" : "string",
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the application."
},
"lastModifiedBy" : {
"type" : "string",
"title" : "Last modified by",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
},
"creationDate" : {
"type" : "integer",
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
},
"lastModifiedDate" : {
"type" : "integer",
"title" : "Last modified date",
"description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
},
"editable" : {
"type" : "boolean",
"title" : "Editable",
"description" : "It indicates if application is editable."
}
},
"required" : [ "name", "applicationType" ]
}
| Code | Description |
|---|---|
| 400 | Bad request error. The cause can be one of the following: the header "Content-Type"="application/json" is missing from the request, or the "applicationType" or "name" property is missing from the JSON of the application to be created. |
| 401 | Unauthorized error. The cause can be the following: the SSO header is missing from the request or the user token is not valid. |
| 409 | Conflict error. The cause can be the following: the application to be created already exists. |
Read
Reads an individual Application in a realm specified by its name
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| applicationName | string | Application name | ✓ | path | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application schema",
"type" : "object",
"title" : "Application",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Unique application identifier."
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "When defined, it is displayed in the UI instead of application name."
},
"description" : {
"type" : "string",
"title" : "Description",
"description" : "String describing the application."
},
"applicationType" : {
"type" : "string",
"title" : "Application type",
"description" : "Name of the application type used as a template for the policy set."
},
"conditions" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Conditions",
"description" : "Condition types allowed in the context of the policy set."
}
},
"subjects" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Subjects",
"description" : "Subject types allowed in the context of the policy set."
}
},
"resourceTypeUuids" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Resource type uuids",
"description" : "A list of the UUIDs of the resource types associated with the policy set."
}
},
"entitlementCombiner" : {
"type" : "string",
"title" : "Entitlement combiner",
"description" : "Name of the decision combiner, such as \"DenyOverride\"."
},
"searchIndex" : {
"type" : "string",
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
},
"saveIndex" : {
"type" : "string",
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
},
"resourceComparator" : {
"type" : "string",
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
},
"attributeNames" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Attribute names",
"description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
}
},
"createdBy" : {
"type" : "string",
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the application."
},
"lastModifiedBy" : {
"type" : "string",
"title" : "Last modified by",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
},
"creationDate" : {
"type" : "integer",
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
},
"lastModifiedDate" : {
"type" : "integer",
"title" : "Last modified date",
"description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
},
"editable" : {
"type" : "boolean",
"title" : "Editable",
"description" : "It indicates if application is editable."
}
},
"required" : [ "name", "applicationType" ]
}
| Code | Description |
|---|---|
| 401 | Unauthorized error. The cause can be the following: the SSO header is missing from the request or the user token is not valid. |
| 404 | Not found error. The cause can be the following: either the application or the realm does not exist. |
Update
Updates an individual Application in a realm specified by its name
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| applicationName | string | Application name | ✓ | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application schema",
"type" : "object",
"title" : "Application",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Unique application identifier."
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "When defined, it is displayed in the UI instead of application name."
},
"description" : {
"type" : "string",
"title" : "Description",
"description" : "String describing the application."
},
"applicationType" : {
"type" : "string",
"title" : "Application type",
"description" : "Name of the application type used as a template for the policy set."
},
"conditions" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Conditions",
"description" : "Condition types allowed in the context of the policy set."
}
},
"subjects" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Subjects",
"description" : "Subject types allowed in the context of the policy set."
}
},
"resourceTypeUuids" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Resource type uuids",
"description" : "A list of the UUIDs of the resource types associated with the policy set."
}
},
"entitlementCombiner" : {
"type" : "string",
"title" : "Entitlement combiner",
"description" : "Name of the decision combiner, such as \"DenyOverride\"."
},
"searchIndex" : {
"type" : "string",
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
},
"saveIndex" : {
"type" : "string",
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
},
"resourceComparator" : {
"type" : "string",
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
},
"attributeNames" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Attribute names",
"description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
}
},
"createdBy" : {
"type" : "string",
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the application."
},
"lastModifiedBy" : {
"type" : "string",
"title" : "Last modified by",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
},
"creationDate" : {
"type" : "integer",
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
},
"lastModifiedDate" : {
"type" : "integer",
"title" : "Last modified date",
"description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
},
"editable" : {
"type" : "boolean",
"title" : "Editable",
"description" : "It indicates if application is editable."
}
},
"required" : [ "name", "applicationType" ]
}
| Code | Description |
|---|---|
| 400 | Bad request error. The cause can be one of the following: the header "Content-Type"="application/json" is missing from the request, or the application name specified in the URL does not match the application name specified in the JSON. |
| 401 | Unauthorized error. The cause can be the following: the SSO header is missing from the request or the user token is not valid. |
| 403 | Forbidden error. The cause can be the following: the user has insufficient privileges. |
| 404 | Not found error. The cause can be the following: either the application or the realm does not exist. |
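The Create and Update operations above reject a request with 400 for a small set of client-side mistakes: a missing `Content-Type: application/json` header, a body without the required `name` and `applicationType` properties, and (for Update) a `name` in the body that differs from the `{applicationName}` in the URL. The following pre-flight validator is an added example written for this page; it is not part of OpenAM or of the API descriptor. It encodes only the rules and property types stated in the Application schema above, and the sample payloads, the application type name and the `check_request` / `validate_application` function names are constructed for illustration. It lets a client (or a proxy in front of the API) refuse a malformed request before it reaches the server, and it reports every problem at once rather than the first one.

```python
"""Pre-flight checks for OpenAM /applications Create and Update requests.

Added example, not OpenAM code. The rules below are the ones the API
descriptor states: required properties, property types, the Content-Type
header, and the Update rule that the application name in the URL must
match the name in the JSON body.
"""
import json

# Property -> JSON schema type, transcribed from the Application schema.
APPLICATION_PROPERTY_TYPES = {
    "name": "string",
    "displayName": "string",
    "description": "string",
    "applicationType": "string",
    "conditions": "array",
    "subjects": "array",
    "resourceTypeUuids": "array",
    "entitlementCombiner": "string",
    "searchIndex": "string",
    "saveIndex": "string",
    "resourceComparator": "string",
    "attributeNames": "array",
    "createdBy": "string",
    "lastModifiedBy": "string",
    "creationDate": "integer",
    "lastModifiedDate": "integer",
    "editable": "boolean",
}
REQUIRED_PROPERTIES = ("name", "applicationType")

# JSON schema type name -> Python types that json.loads() produces for it.
_PY_TYPES = {
    "string": (str,),
    "array": (list,),
    "integer": (int,),
    "boolean": (bool,),
}


def _has_type(value, schema_type):
    """True if value matches the schema type; bool is not an integer here."""
    if schema_type == "integer" and isinstance(value, bool):
        return False
    return isinstance(value, _PY_TYPES[schema_type])


def validate_application(body):
    """Return a list of problems with an Application object (empty = valid).

    Unknown properties are left alone: the schema does not forbid them.
    """
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    problems = []
    for prop in REQUIRED_PROPERTIES:
        if prop not in body:
            problems.append(f'required property "{prop}" is missing')
    for prop, value in body.items():
        expected = APPLICATION_PROPERTY_TYPES.get(prop)
        if expected is None:
            continue
        if not _has_type(value, expected):
            problems.append(f'property "{prop}" must be of type {expected}')
        elif expected == "array" and not all(isinstance(i, str) for i in value):
            problems.append(f'every item of "{prop}" must be a string')
    return problems


def check_request(operation, url_name, headers, raw_body):
    """Pre-flight a Create or Update request before it is sent.

    operation: "create" or "update"
    url_name:  the {applicationName} path segment, or None for /applications
    headers:   dict of request headers
    raw_body:  the JSON text that would be sent
    Returns the list of reasons the server would answer 400; empty means OK.
    """
    problems = []
    # Header names are case-insensitive; parameters such as charset are allowed.
    content_type = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append('header "Content-Type"="application/json" is missing')
    try:
        body = json.loads(raw_body)
    except ValueError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    problems.extend(validate_application(body))
    if operation == "update" and isinstance(body, dict) and url_name is not None:
        if body.get("name") != url_name:
            problems.append("application name in URL does not match name in JSON")
    return problems


if __name__ == "__main__":
    # Constructed sample requests; the application type name is made up.
    good = json.dumps({"name": "myApp", "applicationType": "exampleApplicationType",
                       "resourceTypeUuids": ["example-resource-type-uuid"]})
    headers = {"Content-Type": "application/json; charset=UTF-8"}
    print("create:", check_request("create", None, headers, good) or "ok")
    print("update:", check_request("update", "otherApp", headers, good) or "ok")
    print("no header:", check_request("create", None, {}, '{"name": "x"}') or "ok")
```

Running the block prints an empty problem list for the well-formed Create, the name-mismatch reason for the Update sent to a different `{applicationName}`, and both the header and the missing-`applicationType` reasons for the last request. The Update check deliberately requires an exact string match, which is what the descriptor's wording implies; the 401, 403, 404 and 409 responses depend on server-side state (token validity, privileges, whether the realm or application exists) and cannot be predicted by a client-side check.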
Delete
Deletes an individual Application in a realm specified by its name
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| applicationName | string | Application name | ✓ | path | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application schema",
"type" : "object",
"title" : "Application",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Unique application identifier."
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "When defined, it is displayed in the UI instead of application name."
},
"description" : {
"type" : "string",
"title" : "Description",
"description" : "String describing the application."
},
"applicationType" : {
"type" : "string",
"title" : "Application type",
"description" : "Name of the application type used as a template for the policy set."
},
"conditions" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Conditions",
"description" : "Condition types allowed in the context of the policy set."
}
},
"subjects" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Subjects",
"description" : "Subject types allowed in the context of the policy set."
}
},
"resourceTypeUuids" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Resource type uuids",
"description" : "A list of the UUIDs of the resource types associated with the policy set."
}
},
"entitlementCombiner" : {
"type" : "string",
"title" : "Entitlement combiner",
"description" : "Name of the decision combiner, such as \"DenyOverride\"."
},
"searchIndex" : {
"type" : "string",
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
},
"saveIndex" : {
"type" : "string",
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
},
"resourceComparator" : {
"type" : "string",
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
},
"attributeNames" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Attribute names",
"description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
}
},
"createdBy" : {
"type" : "string",
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the application."
},
"lastModifiedBy" : {
"type" : "string",
"title" : "Last modified by",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
},
"creationDate" : {
"type" : "integer",
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
},
"lastModifiedDate" : {
"type" : "integer",
"title" : "Last modified date",
"description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
},
"editable" : {
"type" : "boolean",
"title" : "Editable",
"description" : "It indicates if application is editable."
}
},
"required" : [ "name", "applicationType" ]
}
| Code | Description |
|---|---|
| | Unauthorized error. The cause can be the following: The SSO header is missing in the request or user token is not valid. |
| | Not found error. The cause can be the following: Either application or realm does not exist. |
2.1
Service for manipulating Applications. It supports the CRUDQ operations.
Create
Creates a new Application in a realm
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | Application name | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application schema",
"type" : "object",
"title" : "Application",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Unique application identifier."
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "When defined, it is displayed in the UI instead of application name."
},
"description" : {
"type" : "string",
"title" : "Description",
"description" : "String describing the application."
},
"applicationType" : {
"type" : "string",
"title" : "Application type",
"description" : "Name of the application type used as a template for the policy set."
},
"conditions" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Conditions",
"description" : "Condition types allowed in the context of the policy set."
}
},
"subjects" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Subjects",
"description" : "Subject types allowed in the context of the policy set."
}
},
"resourceTypeUuids" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Resource type uuids",
"description" : "A list of the UUIDs of the resource types associated with the policy set."
}
},
"entitlementCombiner" : {
"type" : "string",
"title" : "Entitlement combiner",
"description" : "Name of the decision combiner, such as \"DenyOverride\"."
},
"searchIndex" : {
"type" : "string",
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
},
"saveIndex" : {
"type" : "string",
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
},
"resourceComparator" : {
"type" : "string",
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
},
"attributeNames" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Attribute names",
"description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
}
},
"createdBy" : {
"type" : "string",
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the application."
},
"lastModifiedBy" : {
"type" : "string",
"title" : "Last modified by",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
},
"creationDate" : {
"type" : "integer",
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
},
"lastModifiedDate" : {
"type" : "integer",
"title" : "Last modified date",
"description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
},
"editable" : {
"type" : "boolean",
"title" : "Editable",
"description" : "It indicates if application is editable."
}
},
"required" : [ "name", "applicationType" ]
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be the following: the header "Content-Type"="application/json" is missing in the request, or the "applicationType" or "name" properties are missing in the JSON of the application to be created. |
| | Unauthorized error. The cause can be the following: The SSO header is missing in the request or user token is not valid. |
| | Conflict error. The cause can be the following: The application to be created already exists. |
Read
Reads an individual Application in a realm specified by its name
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | Application name | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application schema",
"type" : "object",
"title" : "Application",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Unique application identifier."
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "When defined, it is displayed in the UI instead of application name."
},
"description" : {
"type" : "string",
"title" : "Description",
"description" : "String describing the application."
},
"applicationType" : {
"type" : "string",
"title" : "Application type",
"description" : "Name of the application type used as a template for the policy set."
},
"conditions" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Conditions",
"description" : "Condition types allowed in the context of the policy set."
}
},
"subjects" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Subjects",
"description" : "Subject types allowed in the context of the policy set."
}
},
"resourceTypeUuids" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Resource type uuids",
"description" : "A list of the UUIDs of the resource types associated with the policy set."
}
},
"entitlementCombiner" : {
"type" : "string",
"title" : "Entitlement combiner",
"description" : "Name of the decision combiner, such as \"DenyOverride\"."
},
"searchIndex" : {
"type" : "string",
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
},
"saveIndex" : {
"type" : "string",
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
},
"resourceComparator" : {
"type" : "string",
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
},
"attributeNames" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Attribute names",
"description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
}
},
"createdBy" : {
"type" : "string",
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the application."
},
"lastModifiedBy" : {
"type" : "string",
"title" : "Last modified by",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
},
"creationDate" : {
"type" : "integer",
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
},
"lastModifiedDate" : {
"type" : "integer",
"title" : "Last modified date",
"description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
},
"editable" : {
"type" : "boolean",
"title" : "Editable",
"description" : "It indicates if application is editable."
}
},
"required" : [ "name", "applicationType" ]
}
| Code | Description |
|---|---|
| | Unauthorized error. The cause can be the following: The SSO header is missing in the request or user token is not valid. |
| | Not found error. The cause can be the following: Either application or realm does not exist. |
Update
Updates an individual Application in a realm specified by its name
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | Application name | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application schema",
"type" : "object",
"title" : "Application",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Unique application identifier."
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "When defined, it is displayed in the UI instead of application name."
},
"description" : {
"type" : "string",
"title" : "Description",
"description" : "String describing the application."
},
"applicationType" : {
"type" : "string",
"title" : "Application type",
"description" : "Name of the application type used as a template for the policy set."
},
"conditions" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Conditions",
"description" : "Condition types allowed in the context of the policy set."
}
},
"subjects" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Subjects",
"description" : "Subject types allowed in the context of the policy set."
}
},
"resourceTypeUuids" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Resource type uuids",
"description" : "A list of the UUIDs of the resource types associated with the policy set."
}
},
"entitlementCombiner" : {
"type" : "string",
"title" : "Entitlement combiner",
"description" : "Name of the decision combiner, such as \"DenyOverride\"."
},
"searchIndex" : {
"type" : "string",
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
},
"saveIndex" : {
"type" : "string",
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
},
"resourceComparator" : {
"type" : "string",
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
},
"attributeNames" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Attribute names",
"description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
}
},
"createdBy" : {
"type" : "string",
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the application."
},
"lastModifiedBy" : {
"type" : "string",
"title" : "Last modified by",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
},
"creationDate" : {
"type" : "integer",
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
},
"lastModifiedDate" : {
"type" : "integer",
"title" : "Last modified date",
"description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
},
"editable" : {
"type" : "boolean",
"title" : "Editable",
"description" : "It indicates if application is editable."
}
},
"required" : [ "name", "applicationType" ]
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be the following: the header "Content-Type"="application/json" is missing in the request, or the application name specified in the URL does not match the application name specified in the JSON. |
| | Unauthorized error. The cause can be the following: The SSO header is missing in the request or user token is not valid. |
| | Forbidden error. The cause can be the following: The user has insufficient privileges. |
| | Not found error. The cause can be the following: Either application or realm does not exist. |
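The Bad request rows for Create (missing "Content-Type: application/json", or "name"/"applicationType" absent from the body) and for Update (the name in the URL differing from the name in the JSON) are conditions a client can check before sending the request, which keeps malformed writes out of the server's audit trail and makes failures easier to diagnose locally. The following Python is an added example and not OpenAM's own code: the function names, the sample payload and the resource-type UUID in it are constructed for illustration; the property types and the "required" list are taken from the Application schema on this page.

```python
"""Client-side pre-flight checks for OpenAM Application (policy set) create/update
requests. Added example, not part of OpenAM. The checks mirror the documented
Bad request causes and the Application JSON schema's "required" list and types."""
from typing import Any

# Property types as given by the Application schema on this page.
APPLICATION_PROPERTY_TYPES: dict[str, type] = {
    "name": str, "displayName": str, "description": str, "applicationType": str,
    "conditions": list, "subjects": list, "resourceTypeUuids": list,
    "entitlementCombiner": str, "searchIndex": str, "saveIndex": str,
    "resourceComparator": str, "attributeNames": list,
    "createdBy": str, "lastModifiedBy": str,
    "creationDate": int, "lastModifiedDate": int, "editable": bool,
}
APPLICATION_REQUIRED = ("name", "applicationType")
# Array properties whose "items" are typed as string in the schema.
STRING_LIST_PROPERTIES = ("conditions", "subjects", "resourceTypeUuids", "attributeNames")

# Constructed sample body (not from the page); the UUID is a placeholder.
SAMPLE_APPLICATION: dict[str, Any] = {
    "name": "example-policy-set",
    "applicationType": "iPlanetAMWebAgentService",
    "entitlementCombiner": "DenyOverride",
    "resourceComparator": "com.sun.identity.entitlement.URLResourceName",
    "resourceTypeUuids": ["00000000-0000-0000-0000-000000000000"],
    "conditions": ["AuthenticateToRealm"],
    "subjects": ["AuthenticatedUsers"],
}


def _is_json_content_type(headers: dict[str, str]) -> bool:
    """True when a Content-Type header (any case) carries the application/json media type,
    ignoring parameters such as '; charset=UTF-8'."""
    for key, value in headers.items():
        if key.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower() == "application/json"
    return False


def check_application_body(body: Any) -> list[str]:
    """Return the problems found in an Application JSON body; an empty list means it conforms."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    problems: list[str] = []
    for key in APPLICATION_REQUIRED:
        if key not in body:
            problems.append(f'required property "{key}" is missing')
    for key, value in body.items():
        expected = APPLICATION_PROPERTY_TYPES.get(key)
        if expected is None:
            continue  # the schema does not forbid additional properties
        # bool is a subclass of int in Python; keep the epoch-second fields strictly integer
        if expected is int and isinstance(value, bool):
            problems.append(f'property "{key}" must be an integer, not a boolean')
        elif not isinstance(value, expected):
            problems.append(f'property "{key}" must be of type {expected.__name__}')
        elif key in STRING_LIST_PROPERTIES and not all(isinstance(item, str) for item in value):
            problems.append(f'property "{key}" must contain only strings')
    return problems


def check_create_request(headers: dict[str, str], body: Any) -> list[str]:
    """Create: the documented Bad request causes are a missing JSON Content-Type header
    and a body without "name" or "applicationType"."""
    problems: list[str] = []
    if not _is_json_content_type(headers):
        problems.append('header "Content-Type: application/json" is missing')
    problems.extend(check_application_body(body))
    return problems


def check_update_request(url_name: str, headers: dict[str, str], body: Any) -> list[str]:
    """Update: same checks as Create, plus the name in the URL must equal "name" in the JSON."""
    problems = check_create_request(headers, body)
    if isinstance(body, dict) and body.get("name") != url_name:
        problems.append(
            f'application name in URL ("{url_name}") does not match "name" in JSON ("{body.get("name")}")'
        )
    return problems


if __name__ == "__main__":
    ok_headers = {"Content-Type": "application/json"}
    print("create:", check_create_request(ok_headers, SAMPLE_APPLICATION) or "ok")
    print("update:", check_update_request("example-policy-set", ok_headers, SAMPLE_APPLICATION) or "ok")
    print("rename:", check_update_request("other-name", ok_headers, SAMPLE_APPLICATION))
```

The checker treats header names case-insensitively and tolerates media-type parameters, which is how HTTP clients and servers actually compare the header; a literal string comparison against "application/json" would reject a perfectly valid "application/json; charset=UTF-8". It only covers what the page documents: it does not know which condition or subject types a given application type permits, so a body that passes here can still be rejected by the server.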
Delete
Deletes an individual Application in a realm specified by its name
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | Application name | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application schema",
"type" : "object",
"title" : "Application",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Unique application identifier."
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "When defined, it is displayed in the UI instead of application name."
},
"description" : {
"type" : "string",
"title" : "Description",
"description" : "String describing the application."
},
"applicationType" : {
"type" : "string",
"title" : "Application type",
"description" : "Name of the application type used as a template for the policy set."
},
"conditions" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Conditions",
"description" : "Condition types allowed in the context of the policy set."
}
},
"subjects" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Subjects",
"description" : "Subject types allowed in the context of the policy set."
}
},
"resourceTypeUuids" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Resource type uuids",
"description" : "A list of the UUIDs of the resource types associated with the policy set."
}
},
"entitlementCombiner" : {
"type" : "string",
"title" : "Entitlement combiner",
"description" : "Name of the decision combiner, such as \"DenyOverride\"."
},
"searchIndex" : {
"type" : "string",
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
},
"saveIndex" : {
"type" : "string",
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
},
"resourceComparator" : {
"type" : "string",
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
},
"attributeNames" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Attribute names",
"description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
}
},
"createdBy" : {
"type" : "string",
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the application."
},
"lastModifiedBy" : {
"type" : "string",
"title" : "Last modified by",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
},
"creationDate" : {
"type" : "integer",
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
},
"lastModifiedDate" : {
"type" : "integer",
"title" : "Last modified date",
"description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
},
"editable" : {
"type" : "boolean",
"title" : "Editable",
"description" : "It indicates if application is editable."
}
},
"required" : [ "name", "applicationType" ]
}
| Code | Description |
|---|---|
| | Unauthorized error. The cause can be the following: The SSO header is missing in the request or user token is not valid. |
| | Not found error. The cause can be the following: Either application or realm does not exist. |
/applicationtypes
1.0
Service for reading and listing the available application types. Application types act as templates for policy sets, and define how to compare resources and index policies. OpenAM provides a default application type that represents web resources, called iPlanetAMWebAgentService.
Query by Filter
Lists the application types using a query filter
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application types schema",
"type" : "object",
"title" : "Application types schema",
"properties" : {
"name" : {
"title" : "Name",
"description" : "The name provided for the application type",
"type" : "string"
},
"actions" : {
"type" : "object",
"title" : "Actions",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed",
"additionalProperties" : {
"type" : "boolean"
}
},
"resourceComparator" : {
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of this application type\nThe following implementations are available:\n* \"com.sun.identity.entitlement.ExactMatchResourceName\"\n* \"com.sun.identity.entitlement.PrefixResourceName\"\n* \"com.sun.identity.entitlement.RegExResourceName\"\n* \"com.sun.identity.entitlement.URLResourceName\"",
"type" : "string"
},
"saveIndex" : {
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names",
"type" : "string"
},
"searchIndex" : {
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names",
"type" : "string"
},
"applicationClassName" : {
"title" : "Application class name",
"description" : "Class name of the application type implementation, such as \"com.sun.identity.entitlement.Application\"",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Internal server error. Unknown Subject |
/applicationtypes/{resourceId}
1.0
Service for reading and listing the available application types. Application types act as templates for policy sets, and define how to compare resources and index policies. OpenAM provides a default application type that represents web resources, called iPlanetAMWebAgentService.
Read
Reads an individual application type by the provided application type name
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | Application type name unique identifier | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Application types schema",
"type" : "object",
"title" : "Application types schema",
"properties" : {
"name" : {
"title" : "Name",
"description" : "The name provided for the application type",
"type" : "string"
},
"actions" : {
"type" : "object",
"title" : "Actions",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed",
"additionalProperties" : {
"type" : "boolean"
}
},
"resourceComparator" : {
"title" : "Resource comparator",
"description" : "Class name of the resource comparator implementation used in the context of this application type\nThe following implementations are available:\n* \"com.sun.identity.entitlement.ExactMatchResourceName\"\n* \"com.sun.identity.entitlement.PrefixResourceName\"\n* \"com.sun.identity.entitlement.RegExResourceName\"\n* \"com.sun.identity.entitlement.URLResourceName\"",
"type" : "string"
},
"saveIndex" : {
"title" : "Save index",
"description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names",
"type" : "string"
},
"searchIndex" : {
"title" : "Search index",
"description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names",
"type" : "string"
},
"applicationClassName" : {
"title" : "Application class name",
"description" : "Class name of the application type implementation, such as \"com.sun.identity.entitlement.Application\"",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Internal server error. Unknown Subject |
/conditiontypes
1.0
Service for querying and reading the environment condition types stored in OpenAM. Environment condition types describe the JSON representation of environment conditions that you can use in policy definitions.
Query by Filter
Query the list of environment condition types
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Condition types schema",
"title" : "Condition types schema",
"type" : "object",
"properties" : {
"title" : {
"title" : "Title",
"description" : "The title and also the unique identifier of the environment conditional type",
"type" : "string"
},
"logical" : {
"title" : "Logical",
"description" : "Indicates whether the type is a logical operator or takes a predicate, and a configuration specification",
"type" : "boolean"
},
"config" : {
"title" : "Configuration",
"description" : "The configuration specification that describes the condition type's Json schema",
"type" : "object"
}
}
}
/conditiontypes/{resourceId}
1.0
Service for querying and reading the environment condition types stored in OpenAM. Environment condition types describe the JSON representation of environment conditions that you can use in policy definitions.
Read
Read an individual environment condition type by providing the unique identifier title
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The unique identifier title of environment condition type | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Condition types schema",
"title" : "Condition types schema",
"type" : "object",
"properties" : {
"title" : {
"title" : "Title",
"description" : "The title and also the unique identifier of the environment conditional type",
"type" : "string"
},
"logical" : {
"title" : "Logical",
"description" : "Indicates whether the type is a logical operator or takes a predicate, and a configuration specification",
"type" : "boolean"
},
"config" : {
"title" : "Configuration",
"description" : "The configuration specification that describes the condition type's Json schema",
"type" : "object"
}
}
}
| Code | Description |
|---|---|
| | Not found error. Requested condition short name not found |
/dashboard
1.0
The dashboard service is responsible for returning information from the Dashboard. The only supported operation is read.
/dashboard/{designation}
1.0
The dashboard service is responsible for returning information from the Dashboard. The only supported operation is read.
Read
Read dashboard information
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The dashboard application designation. | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".*" : {
"type" : "object",
"title" : "Dashboard resource properties",
"description" : "List of dashboard resources",
"properties" : {
"dashboardIcon" : {
"title" : "Dashboard icon",
"description" : "Dashboard icon filename",
"type" : "array",
"items" : {
"type" : "string"
}
},
"dashboardName" : {
"type" : "array",
"title" : "Dashboard name",
"description" : "Name of the dashboard",
"items" : {
"type" : "string"
}
},
"dashboardLogin" : {
"type" : "array",
"title" : "Dashboard login url",
"description" : "Url to login to the dashboard",
"items" : {
"type" : "string"
}
},
"ICFIdentifier" : {
"type" : "array",
"title" : "ICF identifier",
"description" : "Identity connection framework identifier",
"items" : {
"type" : "string"
}
},
"dashboardDisplayName" : {
"type" : "array",
"title" : "Display name",
"description" : "Name displayed on the dashboard",
"items" : {
"type" : "string"
}
},
"dashboardClassName" : {
"type" : "array",
"title" : "Class name",
"description" : "Dashboard class name",
"items" : {
"type" : "string"
}
}
}
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Dashboard resource schema",
"type" : "object",
"title" : "Dashboard resource schema"
}
/decisioncombiners
1.0
Service for querying and reading decision combiners information. Decision combiners describe how to resolve policy decisions when multiple policies apply.
Query by Filter
Lists all decision combiners
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Decision combiner schema",
"title" : "Decision combiner schema",
"type" : "object",
"properties" : {
"title" : {
"title" : "Title",
"description" : "Decision combiner title",
"type" : "string"
}
}
}
/decisioncombiners/{resourceId}
1.0
Service for querying and reading decision combiners information. Decision combiners describe how to resolve policy decisions when multiple policies apply.
Read
Reads an individual decision combiner specified by its name
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | Decision combiner name unique identifier | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Decision combiner schema",
"title" : "Decision combiner schema",
"type" : "object",
"properties" : {
"title" : {
"title" : "Title",
"description" : "Decision combiner title",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Not found error. Requested combiner short name not found |
/global-audit/{topic}
1.0
Audit events are logged through the global audit service.
Create
Create a new audit event, which will be handled and logged by the configured audit service.
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The schema contains properties that are common to all topics and some that are unique to a specific topic. The description of each property indicates which topic the property applies to.",
"title" : "Audit event schema",
"type" : "object",
"properties" : {
"_id" : {
"title" : "ID",
"description" : "The ID of the event, used by all topics",
"type" : "string"
},
"timestamp" : {
"title" : "Timestamp",
"description" : "The time at which the event occurred, used by all topics",
"type" : "string"
},
"eventName" : {
"title" : "Event name",
"description" : "The name of the event, used by all topics",
"type" : "string"
},
"transactionId" : {
"title" : "Transaction ID",
"description" : "The transaction ID of the event, used by all topics",
"type" : "string"
},
"userId" : {
"title" : "User ID",
"description" : "The ID of the user responsible for the event, used by all topics",
"type" : "string"
},
"trackingIds" : {
"title" : "Tracking IDs",
"description" : "The tracking IDs of the event, used by all topics",
"type" : "array",
"items" : {
"id" : "0",
"type" : "string"
}
},
"component" : {
"title" : "Component",
"description" : "The component responsible for the event, used by all topics",
"type" : "string"
},
"realm" : {
"title" : "Realm",
"description" : "The realm in which the event occurred, used by all topics",
"type" : "string"
},
"server" : {
"title" : "Server",
"description" : "The server details for an access event",
"type" : "object",
"properties" : {
"ip" : {
"title" : "Server IP address",
"description" : "The server ip address for an access event",
"type" : "string"
},
"port" : {
"title" : "Server port",
"description" : "The server port for an access event",
"type" : "integer"
}
}
},
"client" : {
"title" : "Client",
"description" : "The client details for an access event",
"type" : "object",
"properties" : {
"ip" : {
"title" : "Client IP address",
"description" : "The client IP address for an access event",
"type" : "string"
},
"port" : {
"title" : "Client port",
"description" : "The client port for an access event",
"type" : "integer"
}
}
},
"request" : {
"title" : "Request",
"description" : "The request details for an access event",
"type" : "object",
"properties" : {
"protocol" : {
"title" : "Request protocol",
"description" : "The request protocol for an access event",
"type" : "string"
},
"operation" : {
"title" : "Request operation",
"description" : "The request operation for an access event",
"type" : "string"
},
"detail" : {
"title" : "Request detail",
"description" : "The request detail for an access event",
"type" : "object"
}
}
},
"http" : {
"title" : "Http details",
"description" : "The Http details for an access event",
"type" : "object",
"properties" : {
"request" : {
"title" : "Http request",
"description" : "The http request for an access event",
"type" : "object",
"properties" : {
"secure" : {
"title" : "Http secure",
"description" : "The http secure property for an access event",
"type" : "boolean"
},
"method" : {
"title" : "Http method",
"description" : "The http method for an access event",
"type" : "string"
},
"path" : {
"title" : "Http path",
"description" : "The http path for an access event",
"type" : "string"
},
"queryParameters" : {
"title" : "Http query parameters",
"description" : "The http query parameters for an access event",
"type" : "object",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
},
"headers" : {
"title" : "Http headers",
"description" : "The http headers for an access event",
"type" : "object",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
},
"cookies" : {
"title" : "Http cookies",
"description" : "The http cookies for an access event",
"type" : "object",
"additionalProperties" : {
"type" : "string"
}
}
}
},
"response" : {
"title" : "Http response",
"description" : "The http response for an access event",
"type" : "object",
"properties" : {
"headers" : {
"title" : "Http request headers",
"description" : "The http request headers for an access event",
"type" : "object",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
}
}
},
"response" : {
"title" : "Response",
"description" : "The response details for an access event",
"type" : "object",
"properties" : {
"status" : {
"title" : "Response status",
"description" : "The response status for an access event",
"type" : "string"
},
"statusCode" : {
"title" : "Response status code",
"description" : "The response status code for an access event",
"type" : "string"
},
"detail" : {
"title" : "Response detail",
"description" : "The response detail for an access event",
"type" : "object"
},
"elapsedTime" : {
"title" : "Response elapsed time",
"description" : "The response elapsedTime for an access event",
"type" : "integer"
},
"elapsedTimeUnits" : {
"title" : "Response elapsed time units",
"description" : "The response elapsed time units for an access event",
"type" : "string"
}
}
},
"runAs" : {
"title" : "Run as",
"description" : "What the change that triggered an activity or config event was run as",
"type" : "string"
},
"objectId" : {
"title" : "Object ID",
"description" : "The object ID of the change that triggered an activity or config event",
"type" : "string"
},
"operation" : {
"title" : "Operation",
"description" : "The operation that triggered an activity or config event",
"type" : "string"
},
"before" : {
"title" : "Before state",
"description" : "The state before an activity or config event occurred",
"type" : "object"
},
"after" : {
"title" : "After state",
"description" : "The state after an activity or config event occurred",
"type" : "object"
},
"changedFields" : {
"title" : "Changed fields",
"description" : "The changed fields after an activity or config event occurred",
"type" : "array",
"items" : {
"id" : "1",
"type" : "string"
}
},
"revision" : {
"title" : "Revision",
"description" : "The revision for an activity or config event",
"type" : "string"
},
"result" : {
"title" : "Result",
"description" : "The result of the authentication event",
"type" : "string"
},
"principal" : {
"title" : "Principal",
"description" : "The principal responsible for the authentication event",
"type" : "array",
"items" : {
"type" : "string"
}
},
"context" : {
"title" : "Context",
"description" : "The context of an authentication event",
"type" : "object"
},
"entries" : {
"title" : "Entries",
"description" : "The entries for an authentication event",
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"moduleId" : {
"title" : "Module ID",
"description" : "The module ID for the authentication event",
"type" : "string"
},
"result" : {
"title" : "Module result",
"description" : "The result of the module authentication event",
"type" : "string"
},
"info" : {
"title" : "Entries information",
"description" : "The entries information for an authentication event",
"type" : "object"
}
}
}
}
},
"required" : [ "transactionId", "timestamp" ]
}
/global-config/agents
1.0
Global and default configuration for agents
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/agents/AgentService
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapConnectionPoolDefaultSize" : {
"title" : "Default LDAP Connection Pool Size",
"description" : "The default connection pool size; format is: mininum:maximum",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"keepPostProcessInstances" : {
"title" : "Keep Post Process Objects for Logout Processing",
"description" : "Store Post Processing Classes for the duration of the session.<br><br>Enabling this setting will cause OpenAM to store instances of post processing classes into the users session. When the user logs out the original instances of the post processing classes will be called instead of new instances. This may be needed for special logout processing.<br/><br/><i>NB </i>Enabling this setting will increase the memory usage of OpenAM.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
},
"ldapConnectionPoolSize" : {
"title" : "LDAP Connection Pool Size",
"description" : "Controls the size of the LDAP connection pool used for authentication<br><br>Control the size of the connection pool to the LDAP directory server used by any of the authentication modules that use LDAP directly such as LDAP or Active Directory.Different OpenAM servers can be configured with different connection pool settings.<br/><br/>Format: host:port:minimum:maximum",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"remoteAuthSecurityEnabled" : {
"title" : "Remote Auth Security",
"description" : "OpenAM requires authentication client to authenticate itself before authenticating users.<br><br>When this setting is enabled, OpenAM will require the authentication client (such as a policy agent) to authentication itself to OpenAM before the client will be allow to use the remote authentication API to authenticate users. ",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"authenticators" : {
"title" : "Pluggable Authentication Module Classes",
"description" : "List of configured authentication modules<br><br>The list of configured authentication modules available to OpenAM. All modules must extend from the <code>com.sun.identity.authentication.spi.AMLoginModule</code> class.",
"propertyOrder" : 500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaults" : {
"properties" : {
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 3,
"properties" : {
"userStatusCallbackPlugins" : {
"title" : "Pluggable User Status Event Classes",
"description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.",
"propertyOrder" : 2600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultAuthLevel" : {
"title" : "Default Authentication Level",
"description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
},
"locale" : {
"title" : "Default Authentication Locale",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"statelessSessionsEnabled" : {
"title" : "Use Client-based Sessions",
"description" : "Enables client-based sessions.<br><br>Client-based sessions provide elastic scalability by storing all session state as a JWT in a cookie stored on the client. It is highly recommended to enable signing and encryption of the JWT in the global session service.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
},
"identityType" : {
"title" : "Identity Types",
"propertyOrder" : 2500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"twoFactorRequired" : {
"title" : "Two Factor Authentication Mandatory",
"description" : "Enforces ALL 2FA (OATH and Push) authentication Modules (not nodes) only for this authentication realm.",
"propertyOrder" : 3900,
"required" : true,
"type" : "boolean"
}
}
},
"accountlockout" : {
"type" : "object",
"title" : "Account Lockout",
"propertyOrder" : 2,
"properties" : {
"lockoutAttributeName" : {
"title" : "Lockout Attribute Name",
"description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"invalidAttemptsDataAttributeName" : {
"title" : "Invalid Attempts Data Attribute Name",
"description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"lockoutWarnUserCount" : {
"title" : "Warn User After N Failures",
"description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"loginFailureLockoutMode" : {
"title" : "Login Failure Lockout Mode",
"description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"storeInvalidAttemptsInDataStore" : {
"title" : "Store Invalid Attempts in Data Store",
"description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled OpenAM will store the users invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"loginFailureDuration" : {
"title" : "Login Failure Lockout Interval",
"description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"loginFailureCount" : {
"title" : "Login Failure Lockout Count",
"description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"lockoutEmailAddress" : {
"title" : "Email Address to Send Lockout Notification",
"description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"lockoutAttributeValue" : {
"title" : "Lockout Attribute Value",
"description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"lockoutDuration" : {
"title" : "Login Failure Lockout Duration",
"description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.",
"propertyOrder" : 1300,
"required" : true,
"type" : "integer"
},
"lockoutDurationMultiplier" : {
"title" : "Lockout Duration Multiplier",
"description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function. ",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
}
}
},
"postauthprocess" : {
"type" : "object",
"title" : "Post Authentication Processing",
"propertyOrder" : 6,
"properties" : {
"loginSuccessUrl" : {
"title" : "Default Success Login URL",
"description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"usernameGeneratorClass" : {
"title" : "Pluggable User Name Generator Class",
"description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"loginPostProcessClass" : {
"title" : "Authentication Post Processing Classes",
"description" : "A list of post authentication processing classes for all users in this realm.<br><br>This is a list of Post Processing Classes that will be called by OpenAM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set and their precedence. <br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.",
"propertyOrder" : 2000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginFailureUrl" : {
"title" : "Default Failure Login URL ",
"description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
"propertyOrder" : 1900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userAttributeSessionMapping" : {
"title" : "User Attribute Mapping to Session Attribute",
"description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ",
"propertyOrder" : 3000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"usernameGeneratorEnabled" : {
"title" : "Generate UserID Mode",
"description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
}
}
},
"trees" : {
"type" : "object",
"title" : "Trees",
"propertyOrder" : 4,
"properties" : {
"authenticationSessionsStateManagement" : {
"title" : "Authentication session state management scheme",
"description" : "Specify how the authentication session state is managed.<br><br>CTS option will write the state down to the underlying core token store.<br />JWT option will transmit the state in a JWT to the client.<br />In-Memory option will maintain the state in the memory (requires sticky loadbalancing).<br /><br /> <em>To configure JWT signing, encryption, and blacklisting use the options in the Client-based Sessions section of the Sessions global service.</em>",
"propertyOrder" : 3850,
"required" : true,
"type" : "string"
},
"authenticationSessionsWhitelist" : {
"title" : "Enable whitelisting",
"description" : "Enables explicit whitelisting of valid authentication states to prevent replay attacks.<br><br>If enabled, each time a response is sent to the user a randomly generated state parameter is also sent back to user. This state parameter is stored accessible to AM and must be sent in with the subsequent request. After a request has been received with a valid state parameter, the next response contains a new state, and the server's view of the valid state parameter is updated.",
"propertyOrder" : 3860,
"required" : true,
"type" : "boolean"
},
"authenticationSessionsMaxDuration" : {
"title" : "Max duration (minutes)",
"description" : "Specify how long an authentication session can last.<br><br>From the time an authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed.",
"propertyOrder" : 3860,
"required" : true,
"type" : "integer"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : -1,
"properties" : {
"adminAuthModule" : {
"title" : "Administrator Authentication Configuration",
"description" : "Default Authentication Service for administrators<br><br>This is the authentication service that will be used to authentication administrative users to this realm.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"orgConfig" : {
"title" : "Organization Authentication Configuration",
"description" : "Default Authentication Service for users<br><br>This is the authentication service that will be used to authenticate users to this realm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
},
"security" : {
"type" : "object",
"title" : "Security",
"propertyOrder" : 5,
"properties" : {
"zeroPageLoginReferrerWhiteList" : {
"title" : "Zero Page Login Referer Whitelist",
"description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.",
"propertyOrder" : 3600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"zeroPageLoginEnabled" : {
"title" : "Zero Page Login",
"description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.",
"propertyOrder" : 3400,
"required" : true,
"type" : "boolean"
},
"moduleBasedAuthEnabled" : {
"title" : "Module Based Authentication",
"description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"keyAlias" : {
"title" : "Persistent Cookie Encryption Certificate Alias",
"description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"zeroPageLoginAllowedWithoutReferrer" : {
"title" : "Zero Page Login Allowed without Referer?",
"description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
},
"sharedSecret" : {
"title" : "Organization Authentication Signing Secret",
"description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be at Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string",
"format" : "password"
}
}
},
"userprofile" : {
"type" : "object",
"title" : "User Profile",
"propertyOrder" : 0,
"properties" : {
"aliasAttributeName" : {
"title" : "Alias Search Attribute Name",
"description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"dynamicProfileCreation" : {
"title" : "User Profile",
"description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"defaultRole" : {
"title" : "User Profile Dynamic Creation Default Roles",
"description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
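The account-lockout properties in the Realm Defaults above (loginFailureDuration, loginFailureCount, lockoutDuration, lockoutDurationMultiplier) interact as their descriptions state: failures are counted only inside the lockout interval, duration 0 locks indefinitely, and the multiplier escalates each successive lockout. The following Python models that interaction so the effect of a setting can be checked before it is applied; it is an added example, not OpenAM's implementation, and assumes time in minutes and that a successful login resets the escalation counter (the schema text does not specify this).

```python
# Added illustration of the account-lockout settings documented above
# (loginFailureDuration, loginFailureCount, lockoutDuration,
# lockoutDurationMultiplier). Not OpenAM code: it models the behaviour the
# property descriptions state, with time in minutes and, as an assumption,
# the successive-lockout counter reset by a successful login.
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    login_failure_duration: int           # interval (minutes) over which failures are counted
    login_failure_count: int              # failures within the interval that lock the account
    lockout_duration: int                 # minutes locked; 0 = indefinite (until admin action)
    lockout_duration_multiplier: int = 1  # escalation factor per successive lockout; 1 = off


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of failed attempts
    locked_until: Optional[float] = None                 # None = unlocked; math.inf = indefinite
    lockouts: int = 0                                    # successive lockouts, drives escalation


class LockoutTracker:
    """Tracks failed authentications per user under a LockoutPolicy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        state = self._state(user)
        if state.locked_until is None:
            return False
        if now < state.locked_until:
            return True
        state.locked_until = None  # lockout expired; the user may authenticate again
        return False

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed attempt at time `now`; return True if the account is locked."""
        if self.is_locked(user, now):
            return True
        state = self._state(user)
        p = self.policy
        # Only failures inside the lockout interval count; older ones are ignored.
        window_start = now - p.login_failure_duration
        state.failures = [t for t in state.failures if t > window_start]
        state.failures.append(now)
        if len(state.failures) < p.login_failure_count:
            return False
        # Threshold reached: lock, escalating the duration for each successive lockout.
        state.lockouts += 1
        state.failures = []
        if p.lockout_duration == 0:
            state.locked_until = math.inf
        else:
            minutes = p.lockout_duration * p.lockout_duration_multiplier ** (state.lockouts - 1)
            state.locked_until = now + minutes
        return True

    def record_success(self, user: str) -> None:
        """Successful login clears the failure window and (assumption) the escalation counter."""
        self.accounts[user] = AccountState()

    def admin_unlock(self, user: str) -> None:
        """Administrative action, the only way out of an indefinite (duration 0) lockout."""
        self.accounts[user] = AccountState()


if __name__ == "__main__":
    # Constructed scenario: 5-minute interval, 5 failures, 10-minute lockout doubling each time.
    tracker = LockoutTracker(LockoutPolicy(5, 5, 10, 2))
    for minute in (0, 1, 2, 3, 9, 10, 11, 12, 13):
        print(minute, "locked" if tracker.record_failure("alice", minute) else "open")
```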
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapConnectionPoolDefaultSize" : {
"title" : "Default LDAP Connection Pool Size",
"description" : "The default connection pool size; format is: minimum:maximum",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"keepPostProcessInstances" : {
"title" : "Keep Post Process Objects for Logout Processing",
"description" : "Store Post Processing Classes for the duration of the session.<br><br>Enabling this setting will cause OpenAM to store instances of post processing classes in the user's session. When the user logs out, the original instances of the post processing classes will be called instead of new instances. This may be needed for special logout processing.<br/><br/><i>NB </i>Enabling this setting will increase the memory usage of OpenAM.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
},
"ldapConnectionPoolSize" : {
"title" : "LDAP Connection Pool Size",
"description" : "Controls the size of the LDAP connection pool used for authentication<br><br>Control the size of the connection pool to the LDAP directory server used by any of the authentication modules that use LDAP directly, such as LDAP or Active Directory. Different OpenAM servers can be configured with different connection pool settings.<br/><br/>Format: host:port:minimum:maximum",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"remoteAuthSecurityEnabled" : {
"title" : "Remote Auth Security",
"description" : "OpenAM requires the authentication client to authenticate itself before authenticating users.<br><br>When this setting is enabled, OpenAM will require the authentication client (such as a policy agent) to authenticate itself to OpenAM before the client will be allowed to use the remote authentication API to authenticate users. ",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"authenticators" : {
"title" : "Pluggable Authentication Module Classes",
"description" : "List of configured authentication modules<br><br>The list of configured authentication modules available to OpenAM. All modules must extend from the <code>com.sun.identity.authentication.spi.AMLoginModule</code> class.",
"propertyOrder" : 500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaults" : {
"properties" : {
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 3,
"properties" : {
"userStatusCallbackPlugins" : {
"title" : "Pluggable User Status Event Classes",
"description" : "List of classes to be called when the status of the user account changes.<br><br>When the status of a user's account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built-in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.",
"propertyOrder" : 2600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultAuthLevel" : {
"title" : "Default Authentication Level",
"description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set its own auth level then the module will have the default authentication level for the realm.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
},
"locale" : {
"title" : "Default Authentication Locale",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"statelessSessionsEnabled" : {
"title" : "Use Client-based Sessions",
"description" : "Enables client-based sessions.<br><br>Client-based sessions provide elastic scalability by storing all session state as a JWT in a cookie stored on the client. It is highly recommended to enable signing and encryption of the JWT in the global session service.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
},
"identityType" : {
"title" : "Identity Types",
"propertyOrder" : 2500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"twoFactorRequired" : {
"title" : "Two Factor Authentication Mandatory",
"description" : "Enforces ALL 2FA (OATH and Push) authentication Modules (not nodes) only for this authentication realm.",
"propertyOrder" : 3900,
"required" : true,
"type" : "boolean"
}
}
},
"accountlockout" : {
"type" : "object",
"title" : "Account Lockout",
"propertyOrder" : 2,
"properties" : {
"lockoutAttributeName" : {
"title" : "Lockout Attribute Name",
"description" : "Name of the custom lockout attribute<br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the user's profile. ",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"invalidAttemptsDataAttributeName" : {
"title" : "Invalid Attempts Data Attribute Name",
"description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the user's profile. This allows multiple instances of OpenAM in the same site to share information about a user's invalid authentication attempts. By default the custom attribute <code>sunAMAuthInvalidAttemptsData</code>, defined in the <code>sunAMAuthAccountLockout</code> objectclass, is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"lockoutWarnUserCount" : {
"title" : "Warn User After N Failures",
"description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"loginFailureLockoutMode" : {
"title" : "Login Failure Lockout Mode",
"description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and, if a pre-defined limit is breached, OpenAM can lock out the user's account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"storeInvalidAttemptsInDataStore" : {
"title" : "Store Invalid Attempts in Data Store",
"description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled OpenAM will store the user's invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"loginFailureDuration" : {
"title" : "Login Failure Lockout Interval",
"description" : "The lockout interval time, in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5, the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications that occurred outside of the 5 minute interval are ignored.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"loginFailureCount" : {
"title" : "Login Failure Lockout Count",
"description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the user's account.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"lockoutEmailAddress" : {
"title" : "Email Address to Send Lockout Notification",
"description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"lockoutAttributeValue" : {
"title" : "Lockout Attribute Value",
"description" : "Value to set in the custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the user's profile when their account is locked.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"lockoutDuration" : {
"title" : "Login Failure Lockout Duration",
"description" : "The duration of the user's account lockout, in minutes.<br><br>OpenAM can either lock out the user's account indefinitely (until administrative action) by setting the duration to 0 (the default), or OpenAM can lock the user's account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.",
"propertyOrder" : 1300,
"required" : true,
"type" : "integer"
},
"lockoutDurationMultiplier" : {
"title" : "Lockout Duration Multiplier",
"description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function. ",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
}
}
},
"postauthprocess" : {
"type" : "object",
"title" : "Post Authentication Processing",
"propertyOrder" : 6,
"properties" : {
"loginSuccessUrl" : {
"title" : "Default Success Login URL",
"description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"usernameGeneratorClass" : {
"title" : "Pluggable User Name Generator Class",
"description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"loginPostProcessClass" : {
"title" : "Authentication Post Processing Classes",
"description" : "A list of post authentication processing classes for all users in this realm.<br><br>This is a list of Post Processing Classes that will be called by OpenAM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set and their precedence. <br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.",
"propertyOrder" : 2000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginFailureUrl" : {
"title" : "Default Failure Login URL ",
"description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
"propertyOrder" : 1900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userAttributeSessionMapping" : {
"title" : "User Attribute Mapping to Session Attribute",
"description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the user's profile in the data store and store their values in the user's session.<br/><br/>Format: User Profile Attribute|Session Attribute name. ",
"propertyOrder" : 3000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"usernameGeneratorEnabled" : {
"title" : "Generate UserID Mode",
"description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
}
}
},
"trees" : {
"type" : "object",
"title" : "Trees",
"propertyOrder" : 4,
"properties" : {
"authenticationSessionsStateManagement" : {
"title" : "Authentication session state management scheme",
"description" : "Specify how the authentication session state is managed.<br><br>CTS option will write the state down to the underlying core token store.<br />JWT option will transmit the state in a JWT to the client.<br />In-Memory option will maintain the state in memory (requires sticky load balancing).<br /><br /> <em>To configure JWT signing, encryption, and blacklisting use the options in the Client-based Sessions section of the Sessions global service.</em>",
"propertyOrder" : 3850,
"required" : true,
"type" : "string"
},
"authenticationSessionsWhitelist" : {
"title" : "Enable whitelisting",
"description" : "Enables explicit whitelisting of valid authentication states to prevent replay attacks.<br><br>If enabled, each time a response is sent to the user a randomly generated state parameter is also sent back to the user. This state parameter is stored where it is accessible to AM and must be sent in with the subsequent request. After a request has been received with a valid state parameter, the next response contains a new state, and the server's view of the valid state parameter is updated.",
"propertyOrder" : 3860,
"required" : true,
"type" : "boolean"
},
"authenticationSessionsMaxDuration" : {
"title" : "Max duration (minutes)",
"description" : "Specify how long an authentication session can last.<br><br>From the time an authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed.",
"propertyOrder" : 3860,
"required" : true,
"type" : "integer"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : -1,
"properties" : {
"adminAuthModule" : {
"title" : "Administrator Authentication Configuration",
"description" : "Default Authentication Service for administrators<br><br>This is the authentication service that will be used to authenticate administrative users to this realm.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"orgConfig" : {
"title" : "Organization Authentication Configuration",
"description" : "Default Authentication Service for users<br><br>This is the authentication service that will be used to authenticate users to this realm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
},
"security" : {
"type" : "object",
"title" : "Security",
"propertyOrder" : 5,
"properties" : {
"zeroPageLoginReferrerWhiteList" : {
"title" : "Zero Page Login Referer Whitelist",
"description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.",
"propertyOrder" : 3600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"zeroPageLoginEnabled" : {
"title" : "Zero Page Login",
"description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.",
"propertyOrder" : 3400,
"required" : true,
"type" : "boolean"
},
"moduleBasedAuthEnabled" : {
"title" : "Module Based Authentication",
"description" : "Allows a user to authenticate via module based authentication.<br><br>This feature allows users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"keyAlias" : {
"title" : "Persistent Cookie Encryption Certificate Alias",
"description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"zeroPageLoginAllowedWithoutReferrer" : {
"title" : "Zero Page Login Allowed without Referer?",
"description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
},
"sharedSecret" : {
"title" : "Organization Authentication Signing Secret",
"description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be Base-64 encoded and at least 128 bits in length. By default a cryptographically secure random value is generated.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string",
"format" : "password"
}
}
},
"userprofile" : {
"type" : "object",
"title" : "User Profile",
"propertyOrder" : 0,
"properties" : {
"aliasAttributeName" : {
"title" : "Alias Search Attribute Name",
"description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the user's profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>If a user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default), so uid=steve; if no match is found then cn=steve will be searched, and so on until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"dynamicProfileCreation" : {
"title" : "User Profile",
"description" : "Controls how the user profile is handled after successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"defaultRole" : {
"title" : "User Profile Dynamic Creation Default Roles",
"description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
/global-config/authentication/authenticationtrees
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/chains
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"dynamic" : {
"properties" : {
"authChainConfiguration" : {
"title" : "Authentication Configuration",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"dynamic" : {
"properties" : {
"authChainConfiguration" : {
"title" : "Authentication Configuration",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules
1.0
Global and default configuration for authentication modules
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/activedirectory
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code> would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self-signed or invalid certificates (such as an invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process.",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled, this feature allows for a mapping between the attribute/values retrieved from the user's authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search for the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated starts from this base DN.<br><br>For a single server, enter the base DN to be searched. Multiple OpenAM servers can each use a different base DN for the search; the format is:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>Use this option when a firewall or load balancer may close idle connections; the heartbeat requests ensure the connections do not become idle. Use together with the Heartbeat Time Unit parameter to define the interval. A zero or negative value disables heartbeat requests.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response from the Directory Server; <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection has become stale, OpenAM waits until the operation timeouts of the OS or the JVM apply. This setting allows more granular control within OpenAM itself. A value of <code>0</code> means no timeout is applied at the OpenAM level and the JVM or OS timeouts apply.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option when a firewall or load balancer may close idle connections; the heartbeat requests ensure the connections do not become idle.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is opened unencrypted and then upgraded to TLS using the StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"secondaryLdapServer" : {
"title" : "Secondary Active Directory Server",
"description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"primaryLdapServer" : {
"title" : "Primary Active Directory Server",
"description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authenticate to the LDAP server.<br><br>The LDAP module requires an administration account in order to perform operations such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems; use a dedicated account granted only the rights the module needs.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter is appended to the standard user search filter.<br><br>Use this attribute to append a custom search filter to the standard filter. For example, <code>(objectClass=person)</code> results in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables an <code>X509TrustManager</code> that trusts all certificates.<br><br>This allows the LDAP authentication module to connect to LDAP servers protected by self-signed or invalid certificates (for example, a certificate with a mismatched hostname).<br/><br/><i>NB </i>Use this feature with care: it bypasses the normal certificate verification process, so an LDAPS or StartTLS connection no longer protects against a man-in-the-middle attacker.",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attributes to external attributes for dynamic profile creation.<br><br>If dynamic profile creation is enabled, this feature maps the attributes and values retrieved from the user's authenticated profile to the attributes and values that will be provisioned into the matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code>local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module uses this attribute to search for the profile of an authenticated user.<br><br>Normally this is the same attribute used to find the user account. The value searched for is the name the user authenticated with.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid produces the search filter <code>uid=<i>user</i></code>. If there are multiple values, such as uid and cn, the module ORs them together: <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated starts from this base DN.<br><br>For a single server, enter the base DN to be searched. Multiple OpenAM servers can each use a different base DN for the search; the format is:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>Use this option when a firewall or load balancer may close idle connections; the heartbeat requests ensure the connections do not become idle. Use together with the Heartbeat Time Unit parameter to define the interval. A zero or negative value disables heartbeat requests.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response from the Directory Server; <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection has become stale, OpenAM waits until the operation timeouts of the OS or the JVM apply. This setting allows more granular control within OpenAM itself. A value of <code>0</code> means no timeout is applied at the OpenAM level and the JVM or OS timeouts apply.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option when a firewall or load balancer may close idle connections; the heartbeat requests ensure the connections do not become idle.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is opened unencrypted and then upgraded to TLS using the StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"secondaryLdapServer" : {
"title" : "Secondary Active Directory Server",
"description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"primaryLdapServer" : {
"title" : "Primary Active Directory Server",
"description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authenticate to the LDAP server.<br><br>The LDAP module requires an administration account in order to perform operations such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems; use a dedicated account granted only the rights the module needs.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
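The `userSearchAttributes` and `userSearchFilter` descriptions in the Read and Update schemas above explain how the module assembles its LDAP search filter: one attribute gives `(uid=user)`, several are ORed as `(|(uid=user)(cn=user))`, and the custom filter is ANDed on as `(&(uid=user)(objectClass=person))`. The following is an added example, not OpenAM's own code, that reproduces those shapes and shows why the user-supplied login name must be escaped per RFC 4515 before it is spliced into the filter. The hostile login name and the `build_user_filter_unsafe` helper are constructed for illustration; the attribute names are treated as trusted configuration and are not escaped.

```python
"""Build the user search filter an LDAP/AD authentication module issues
(added example, not OpenAM code).

Inputs modelled from the schema above:
  - userSearchAttributes: ["uid"] -> (uid=user)
                          ["uid", "cn"] -> (|(uid=user)(cn=user))
  - userSearchFilter:     "(objectClass=person)" -> (&(uid=user)(objectClass=person))

The login name comes from the client, so it must be escaped. Without
escaping, a name such as "*)(objectClass=*" turns the filter into one that
matches every person entry (LDAP filter injection), so the module would bind
as whichever account the directory returns first.
"""
from typing import Sequence

# RFC 4515 section 3: these characters MUST be escaped as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user: str, search_attributes: Sequence[str], extra_filter: str = "") -> str:
    """Hardened construction: escape the login name, then OR the attribute
    terms and AND on the optional custom filter."""
    if not search_attributes:
        raise ValueError("userSearchAttributes must not be empty")
    safe = escape_filter_value(user)
    terms = [f"({attr}={safe})" for attr in search_attributes]
    base = terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"
    extra = extra_filter.strip()
    if not extra:
        return base
    if not (extra.startswith("(") and extra.endswith(")")):
        extra = f"({extra})"           # tolerate a bare "objectClass=person"
    return f"(&{base}{extra})"


def build_user_filter_unsafe(user: str, search_attributes: Sequence[str], extra_filter: str = "") -> str:
    """Same construction without escaping, kept only to make the injection visible."""
    terms = [f"({attr}={user})" for attr in search_attributes]
    base = terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"
    return f"(&{base}{extra_filter})" if extra_filter else base


if __name__ == "__main__":
    print(build_user_filter("alice", ["uid"]))
    print(build_user_filter("alice", ["uid", "cn"], "(objectClass=person)"))
    hostile = "*)(objectClass=*"   # constructed login name, not from the page
    print("unsafe:", build_user_filter_unsafe(hostile, ["uid"], "(objectClass=person)"))
    print("safe:  ", build_user_filter(hostile, ["uid"], "(objectClass=person)"))
```

The unsafe variant yields `(&(uid=*)(objectClass=*)(objectClass=person))`, a syntactically valid filter that matches every person entry under the search base; the escaped variant yields `(&(uid=\2a\29\28objectClass=\2a)(objectClass=person))`, which matches only an account literally named that way. Pair this with `userSearchFilter` to restrict results to the intended object class and with a narrow `userSearchStartDN` and `searchScope` so that even a malformed filter cannot reach unrelated parts of the tree.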
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/adaptiverisk
1.0
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"knowncookie" : {
"type" : "object",
"title" : "Known Cookie",
"propertyOrder" : 4,
"properties" : {
"knownCookieValue" : {
"title" : "Cookie Value",
"description" : "The value to be set on the cookie.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"knownCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"knownCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to set on the client.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"invertKnownCookieScore" : {
"title" : "Invert Result",
"description" : "When enabled, the score is added to the total if the check succeeds and is not added if it fails.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"createKnownCookieOnSuccessfulLogin" : {
"title" : "Save Cookie Value on Successful Login",
"description" : "The cookie will be created on the client after successful login.<br><br>The Adaptive Risk Post Authentication Plug-in sets the cookie on the client response.",
"propertyOrder" : 1900,
"required" : true,
"type" : "boolean"
},
"knownCookieCheckEnabled" : {
"title" : "Cookie Value Check",
"description" : "Enables the checking of a known cookie value in the client request.<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value, the check passes.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
}
}
},
"authfailed" : {
"type" : "object",
"title" : "Failed Authentications",
"propertyOrder" : 1,
"properties" : {
"failedAuthenticationCheckEnabled" : {
"title" : "Failed Authentication Check",
"description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"invertFailureScore" : {
"title" : "Invert Result",
"description" : "When enabled, the score is added to the total if the check succeeds and is not added if it fails.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"failureScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
},
"iphistory" : {
"type" : "object",
"title" : "IP Address History",
"propertyOrder" : 3,
"properties" : {
"ipHistoryProfileAttribute" : {
"title" : "Profile Attribute Name",
"description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"invertIPHistoryScore" : {
"title" : "Invert Result",
"description" : "When enabled, the score is added to the total if the check succeeds and is not added if it fails.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"ipHistoryCount" : {
"title" : "History size",
"description" : "The number of client IP addresses to save in the history list.",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"ipHistoryCheckEnabled" : {
"title" : "IP History Check",
"description" : "Enables the checking of the client IP address against a list of past IP addresses.<br><br>If this check is enabled, a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to the list if the overall authentication is successful (causing the oldest IP address to be removed).",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"saveSuccessfulIP" : {
"title" : "Save Successful IP Address",
"description" : "The IP History list will be updated in the data store.<br><br>The Adaptive Risk Post Authentication Plug-in updates the IP history list if the overall authentication is successful.",
"propertyOrder" : 1300,
"required" : true,
"type" : "boolean"
},
"ipHistoryScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
}
}
},
"requestheader" : {
"type" : "object",
"title" : "Request Header",
"propertyOrder" : 9,
"properties" : {
"requestHeaderCheckEnabled" : {
"title" : "Request Header Check",
"description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"invertRequestHeaderScore" : {
"title" : "Invert Result",
"description" : "When enabled, the score is added to the total if the check succeeds and is not added if it fails.",
"propertyOrder" : 4700,
"required" : true,
"type" : "boolean"
},
"requestHeaderScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4600,
"required" : true,
"type" : "integer"
},
"requestHeaderValue" : {
"title" : "Request Header Value",
"description" : "The required value of the named HTTP header.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"requestHeaderName" : {
"title" : "Request Header Name",
"description" : "The name of the required HTTP header ",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
}
}
},
"iprange" : {
"type" : "object",
"title" : "IP Address Range",
"propertyOrder" : 2,
"properties" : {
"ipRange" : {
"title" : "IP Range",
"description" : "The list of IP addresses to compare against the client IP address.<br><br>Each entry uses one of the following formats:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"invertIPRangeScoreEnabled" : {
"title" : "Invert Result",
"description" : "When enabled, the score is added to the total if the check succeeds and is not added if it fails.",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"ipRangeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"ipRangeCheckEnabled" : {
"title" : "IP Range Check",
"description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the client IP against the configured list; if the client IP is found in the list, the check succeeds.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
}
}
},
"lastlogin" : {
"type" : "object",
"title" : "Time Since Last Login",
"propertyOrder" : 6,
"properties" : {
"maxTimeSinceLastLogin" : {
"title" : "Max Time since Last login",
"description" : "The maximum number of days that may have elapsed since the last successful login for this check to pass.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"invertTimeSinceLastLoginScore" : {
"title" : "Invert Result",
"description" : "When enabled, the score is added to the total if the check succeeds and is not added if it fails.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie used to store the time of the last successful authentication.",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"timeSinceLastLoginScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2600,
"required" : true,
"type" : "integer"
},
"timeSinceLastLoginCheckEnabled" : {
"title" : "Time since Last login Check",
"description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"saveLastLoginTimeOnSuccessfulLogin" : {
"title" : "Save time of Successful Login",
"description" : "The last login time will be saved in a client cookie.<br><br>The Adaptive Risk Post Authentication Plug-in updates the last login time.",
"propertyOrder" : 2500,
"required" : true,
"type" : "boolean"
}
}
},
"devicecookie" : {
"type" : "object",
"title" : "Device Cookie",
"propertyOrder" : 5,
"properties" : {
"deviceCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3600,
"required" : true,
"type" : "integer"
},
"deviceCookieCheckEnabled" : {
"title" : "Device Registration Cookie Check",
"description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"saveDeviceCookieValueOnSuccessfulLogin" : {
"title" : "Save Device Registration on Successful Login",
"description" : "Set the device cookie on the client response.<br><br>The Adaptive Risk Post Authentication Plug-in sets the device cookie on the client response.",
"propertyOrder" : 3500,
"required" : true,
"type" : "boolean"
},
"deviceCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to be checked for (and optionally set) on the client request",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"invertDeviceCookieScore" : {
"title" : "Invert Result",
"description" : "When enabled, the score is added to the total if the check succeeds and is not added if it fails.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
}
}
},
"attributecheck" : {
"type" : "object",
"title" : "Profile Attribute",
"propertyOrder" : 7,
"properties" : {
"profileRiskAttributeName" : {
"title" : "Attribute Name",
"description" : "The name of the attribute to retrieve from the user profile in the data store.",
"propertyOrder" : 2900,
"required" : true,
"type" : "string"
},
"profileRiskAttributeCheckEnabled" : {
"title" : "Profile Risk Attribute check",
"description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check passes if the user's profile contains the required risk attribute and value.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"profileRiskAttributeValue" : {
"title" : "Attribute Value",
"description" : "The required value of the named attribute.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"invertProfileRiskAttributeScore" : {
"title" : "Invert Result",
"description" : "When enabled, the score is added to the total if the check succeeds and is not added if it fails.",
"propertyOrder" : 3200,
"required" : true,
"type" : "boolean"
},
"profileRiskAttributeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3100,
"required" : true,
"type" : "integer"
}
}
},
"geolocation" : {
"type" : "object",
"title" : "Geo Location",
"propertyOrder" : 8,
"properties" : {
"geolocationValidCountryCodes" : {
"title" : "Valid Country Codes",
"description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"geolocationCheckEnabled" : {
"title" : "Geolocation Country Code Check",
"description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
},
"geolocationDatabaseLocation" : {
"title" : "Geolocation Database location",
"description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"invertGeolocationScore" : {
"title" : "Invert Result",
"description" : "When enabled, the score is added to the total if the check succeeds and is not added if it fails.",
"propertyOrder" : 4200,
"required" : true,
"type" : "boolean"
},
"geolocationScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
}
}
},
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"riskThreshold" : {
"title" : "Risk Threshold",
"description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Each adaptive risk check carries a score; if a check does not pass, its score is added to the running total. The final total is then compared with the <i>Risk Threshold</i>: if the total is less than the threshold, the module succeeds.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
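The schema above describes the scoring model in pieces: every check has a Score, a failed check adds its score to a running total, Invert Result makes a passed check add the score instead, and the module succeeds when the total is below Risk Threshold. The following is an added example, not OpenAM's own code, that implements that aggregation together with two of the checks whose input formats the schema documents: the IP range check in its three entry forms (`172.16.90.1`, `172.16.90.0/24`, `172.16.90.0:255.255.255.0`) and the geolocation check over a `gb|us|no|fr` list. `SAMPLE_CONFIG`, the client addresses and the client's country are constructed sample data; the real module resolves the country through the MaxMind database, whereas this example takes the country as an argument, and it assumes country-code matching is case-insensitive.

```python
"""Adaptive Risk score aggregation with the IP range and geolocation checks
(added example, not OpenAM code)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple


def parse_ip_range_entry(entry: str):
    """Parse one ipRange entry in any of the three documented IPv4 forms:
    a single address, CIDR notation, or address:netmask."""
    entry = entry.strip()
    if entry.count(":") == 1 and "/" not in entry:
        addr, mask = entry.split(":")
        # ip_network accepts a dotted netmask after the slash; strict=False
        # tolerates host bits set in the address part (e.g. 172.16.90.1:255.255.255.0).
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(entry, strict=False)   # single IP becomes a /32


def ip_in_ranges(client_ip: str, ranges: Iterable[str]) -> bool:
    """True if the client address falls inside any configured range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in parse_ip_range_entry(r) for r in ranges)


def parse_country_codes(codes: str) -> set:
    """Split the '|'-separated geolocationValidCountryCodes value (case-insensitive, an assumption)."""
    return {c.strip().lower() for c in codes.split("|") if c.strip()}


def country_allowed(client_country: str, valid_codes: str) -> bool:
    return client_country.strip().lower() in parse_country_codes(valid_codes)


@dataclass
class CheckResult:
    name: str
    enabled: bool
    score: int
    invert: bool   # the check's "Invert Result" setting
    passed: bool   # outcome of the check for this request


def risk_score(results: Iterable[CheckResult]) -> int:
    """Sum the scores of the checks that count against the request: normally a
    failed check adds its score; with invert set, a passed check does instead."""
    total = 0
    for r in results:
        if not r.enabled:
            continue
        counts = r.passed if r.invert else not r.passed
        if counts:
            total += r.score
    return total


# Constructed sample shaped like the "defaults" object in the schema above.
SAMPLE_CONFIG = {
    "general": {"riskThreshold": 10},
    "iprange": {
        "ipRangeCheckEnabled": True,
        "ipRange": ["172.16.90.0:255.255.255.0", "10.0.0.0/8", "192.0.2.7"],
        "ipRangeScore": 5,
        "invertIPRangeScoreEnabled": False,
    },
    "geolocation": {
        "geolocationCheckEnabled": True,
        "geolocationValidCountryCodes": "gb|us|no|fr",
        "geolocationScore": 10,
        "invertGeolocationScore": False,
    },
}


def evaluate(client_ip: str, client_country: str, config: dict = SAMPLE_CONFIG) -> Tuple[int, bool]:
    """Run the two checks and return (total score, module succeeded)."""
    ipr, geo = config["iprange"], config["geolocation"]
    results = [
        CheckResult("iprange", ipr["ipRangeCheckEnabled"], ipr["ipRangeScore"],
                    ipr["invertIPRangeScoreEnabled"], ip_in_ranges(client_ip, ipr["ipRange"])),
        CheckResult("geolocation", geo["geolocationCheckEnabled"], geo["geolocationScore"],
                    geo["invertGeolocationScore"], country_allowed(client_country, geo["geolocationValidCountryCodes"])),
    ]
    total = risk_score(results)
    return total, total < config["general"]["riskThreshold"]


if __name__ == "__main__":
    for ip, country in [("172.16.90.77", "gb"), ("172.16.90.77", "de"),
                        ("203.0.113.5", "gb"), ("203.0.113.5", "de")]:
        print(ip, country, evaluate(ip, country))
```

With the sample threshold of 10, a client inside the corporate range from an unexpected country accumulates exactly 10 and fails, because the comparison is strictly less-than; a client outside the range but in an allowed country accumulates 5 and passes. Choose scores so that the combinations you consider unacceptable reach the threshold, and remember that a check whose input the client controls (cookies, request headers, and client IP behind a proxy that does not set the real address) should not on its own be able to keep the total below it.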
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"knowncookie" : {
"type" : "object",
"title" : "Known Cookie",
"propertyOrder" : 4,
"properties" : {
"knownCookieValue" : {
"title" : "Cookie Value",
"description" : "The value to be set on the cookie.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"knownCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"knownCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to set on the client.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"invertKnownCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"createKnownCookieOnSuccessfulLogin" : {
"title" : "Save Cookie Value on Successful Login",
"description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response",
"propertyOrder" : 1900,
"required" : true,
"type" : "boolean"
},
"knownCookieCheckEnabled" : {
"title" : "Cookie Value Check",
"description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
}
}
},
"authfailed" : {
"type" : "object",
"title" : "Failed Authentications",
"propertyOrder" : 1,
"properties" : {
"failedAuthenticationCheckEnabled" : {
"title" : "Failed Authentication Check",
"description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"invertFailureScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"failureScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
},
"iphistory" : {
"type" : "object",
"title" : "IP Address History",
"propertyOrder" : 3,
"properties" : {
"ipHistoryProfileAttribute" : {
"title" : "Profile Attribute Name",
"description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"invertIPHistoryScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"ipHistoryCount" : {
"title" : "History size",
"description" : "The number of client IP addresses to save in the history list.",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"ipHistoryCheckEnabled" : {
"title" : "IP History Check",
"description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"saveSuccessfulIP" : {
"title" : "Save Successful IP Address",
"description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.",
"propertyOrder" : 1300,
"required" : true,
"type" : "boolean"
},
"ipHistoryScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
}
}
},
"requestheader" : {
"type" : "object",
"title" : "Request Header",
"propertyOrder" : 9,
"properties" : {
"requestHeaderCheckEnabled" : {
"title" : "Request Header Check",
"description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"invertRequestHeaderScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 4700,
"required" : true,
"type" : "boolean"
},
"requestHeaderScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4600,
"required" : true,
"type" : "integer"
},
"requestHeaderValue" : {
"title" : "Request Header Value",
"description" : "The required value of the named HTTP header.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"requestHeaderName" : {
"title" : "Request Header Name",
"description" : "The name of the required HTTP header ",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
}
}
},
"iprange" : {
"type" : "object",
"title" : "IP Address Range",
"propertyOrder" : 2,
"properties" : {
"ipRange" : {
"title" : "IP Range",
"description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"invertIPRangeScoreEnabled" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"ipRangeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"ipRangeCheckEnabled" : {
"title" : "IP Range Check",
"description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
}
}
},
"lastlogin" : {
"type" : "object",
"title" : "Time Since Last Login",
"propertyOrder" : 6,
"properties" : {
"maxTimeSinceLastLogin" : {
"title" : "Max Time since Last login",
"description" : "The maximum number of days that can elapse before this test.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"invertTimeSinceLastLoginScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie used to store the time of the last successful authentication.",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"timeSinceLastLoginScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2600,
"required" : true,
"type" : "integer"
},
"timeSinceLastLoginCheckEnabled" : {
"title" : "Time since Last login Check",
"description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"saveLastLoginTimeOnSuccessfulLogin" : {
"title" : "Save time of Successful Login",
"description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time",
"propertyOrder" : 2500,
"required" : true,
"type" : "boolean"
}
}
},
"devicecookie" : {
"type" : "object",
"title" : "Device Cookie",
"propertyOrder" : 5,
"properties" : {
"deviceCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3600,
"required" : true,
"type" : "integer"
},
"deviceCookieCheckEnabled" : {
"title" : "Device Registration Cookie Check",
"description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"saveDeviceCookieValueOnSuccessfulLogin" : {
"title" : "Save Device Registration on Successful Login",
"description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response",
"propertyOrder" : 3500,
"required" : true,
"type" : "boolean"
},
"deviceCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to be checked for (and optionally set) on the client request",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"invertDeviceCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
}
}
},
"attributecheck" : {
"type" : "object",
"title" : "Profile Attribute",
"propertyOrder" : 7,
"properties" : {
"profileRiskAttributeName" : {
"title" : "Attribute Name",
"description" : "The name of the attribute to retrieve from the user profile in the data store.",
"propertyOrder" : 2900,
"required" : true,
"type" : "string"
},
"profileRiskAttributeCheckEnabled" : {
"title" : "Profile Risk Attribute check",
"description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"profileRiskAttributeValue" : {
"title" : "Attribute Value",
"description" : "The required value of the named attribute.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"invertProfileRiskAttributeScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 3200,
"required" : true,
"type" : "boolean"
},
"profileRiskAttributeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3100,
"required" : true,
"type" : "integer"
}
}
},
"geolocation" : {
"type" : "object",
"title" : "Geo Location",
"propertyOrder" : 8,
"properties" : {
"geolocationValidCountryCodes" : {
"title" : "Valid Country Codes",
"description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"geolocationCheckEnabled" : {
"title" : "Geolocation Country Code Check",
"description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
},
"geolocationDatabaseLocation" : {
"title" : "Geolocation Database location",
"description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"invertGeolocationScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 4200,
"required" : true,
"type" : "boolean"
},
"geolocationScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
}
}
},
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"riskThreshold" : {
"title" : "Risk Threshold",
"description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
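The scoring rule in the schema above (a failed check adds its score, Invert Result flips that, and the module succeeds only while the running total stays below Risk Threshold) is easy to misjudge, so here is a small model of it as an added example. It is not OpenAM's code: it evaluates the IP range, geolocation and request header checks against a constructed "defaults" object, parses the three documented ipRange formats with the standard ipaddress module, and assumes the client's country code has already been resolved from the MaxMind database (the real module performs that lookup itself). The function names, SAMPLE_CONFIG, the scores and the X-Managed-Device header are the example's own.

```python
"""Model of the Adaptive Risk module's scoring rule (added example, not OpenAM code)."""
from __future__ import annotations

import copy
import ipaddress


def parse_ip_range_entry(entry: str) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
    """Parse one ipRange entry in the three documented formats:
    a single address, CIDR notation, or an IPv4 net-block with netmask."""
    entry = entry.strip()
    if entry.count(":") == 1 and "/" not in entry:
        # 172.16.90.0:255.255.255.0 -> 172.16.90.0/255.255.255.0 (an IPv6 literal has more colons)
        net, mask = entry.split(":")
        return ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ipaddress.ip_network(entry, strict=False)  # a bare address becomes a /32 or /128


def ip_in_range(client_ip: str, ip_range: list[str]) -> bool:
    """IP Range Check: passes if the client address falls inside any configured entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in parse_ip_range_entry(entry) for entry in ip_range)


def parse_country_codes(spec: str) -> set[str]:
    """Valid Country Codes is a '|'-separated string such as 'gb|us|no|fr'."""
    return {code.strip().lower() for code in spec.split("|") if code.strip()}


def check_contribution(enabled: bool, passed: bool, score: int, invert: bool) -> int:
    """Score one check: a failed check adds its score, unless Invert Result is set, in which
    case a passed check adds it instead. A disabled check never contributes."""
    if not enabled:
        return 0
    failed = not passed
    return score if failed != invert else 0


def adaptive_risk_decision(config: dict, ctx: dict) -> tuple[bool, int, dict[str, int]]:
    """Evaluate the IP range, geolocation and request header checks for one request and apply
    the Risk Threshold rule. Returns (module succeeded, total score, per-check contributions);
    the module succeeds only while total < riskThreshold, so total == threshold is a failure."""
    d = config["defaults"]
    ipr, geo, hdr = d["iprange"], d["geolocation"], d["requestheader"]
    headers = {k.lower(): v for k, v in ctx["headers"].items()}  # header names are case-insensitive
    checks = [
        ("iprange", ipr["ipRangeCheckEnabled"],
         ip_in_range(ctx["client_ip"], ipr["ipRange"]),
         ipr["ipRangeScore"], ipr["invertIPRangeScoreEnabled"]),
        ("geolocation", geo["geolocationCheckEnabled"],
         ctx["country_code"].lower() in parse_country_codes(geo["geolocationValidCountryCodes"]),
         geo["geolocationScore"], geo["invertGeolocationScore"]),
        ("requestheader", hdr["requestHeaderCheckEnabled"],
         headers.get(hdr["requestHeaderName"].lower()) == hdr["requestHeaderValue"],
         hdr["requestHeaderScore"], hdr["invertRequestHeaderScore"]),
    ]
    contributions = {name: check_contribution(en, ok, sc, inv) for name, en, ok, sc, inv in checks}
    total = sum(contributions.values())
    return total < d["general"]["riskThreshold"], total, contributions


# Constructed sample of the module's "defaults" object; values and header name are illustrative.
SAMPLE_CONFIG = {"defaults": {
    "general": {"authenticationLevel": 0, "riskThreshold": 10},
    "iprange": {"ipRangeCheckEnabled": True, "ipRangeScore": 5, "invertIPRangeScoreEnabled": False,
                "ipRange": ["172.16.90.1", "10.0.0.0/8", "192.168.1.0:255.255.255.0"]},
    "geolocation": {"geolocationCheckEnabled": True, "geolocationScore": 5, "invertGeolocationScore": False,
                    "geolocationValidCountryCodes": "gb|us|no|fr"},
    "requestheader": {"requestHeaderCheckEnabled": True, "requestHeaderScore": 4, "invertRequestHeaderScore": False,
                      "requestHeaderName": "X-Managed-Device", "requestHeaderValue": "true"},
}}


def denylist_variant(config: dict) -> dict:
    """Copy of the config with Invert Result on the IP range check: an address *inside* the
    range (treated here as a blocked network) now adds the score instead of a miss."""
    cfg = copy.deepcopy(config)
    cfg["defaults"]["iprange"]["invertIPRangeScoreEnabled"] = True
    return cfg


if __name__ == "__main__":
    unknown = {"client_ip": "203.0.113.7", "country_code": "de", "headers": {}}
    # -> (False, 14, {'iprange': 5, 'geolocation': 5, 'requestheader': 4}): every check fails
    print(adaptive_risk_decision(SAMPLE_CONFIG, unknown))
```

Two points the model makes visible: a total exactly equal to the threshold fails the module, because the rule is strictly "less than"; and with Invert Result the same ipRange list becomes a block list, so the flag must be read together with the list's intent when auditing a configuration.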
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/amster
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "If not enabled, prevents PKI login using the Amster module.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"authorizedKeys" : {
"title" : "Authorized Keys",
"description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "If not enabled, prevents PKI login using the Amster module.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"authorizedKeys" : {
"title" : "Authorized Keys",
"description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
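Because the Amster module authenticates a remote client purely on whether its public key appears in the configured authorized_keys file, the parsing of that file is the security boundary. The following is an added example, not OpenAM's or Amster's code: it parses the OpenSSH authorized_keys format, including a leading options field whose quoted values may contain spaces, checks that each line's base64 blob is well formed and embeds the same key type the line declares, and looks up a presented key with a constant-time comparison. The sample file, the key bytes and the helper names are constructed for the example, and KEY_TYPES is a deliberately short allow-list rather than the full set OpenSSH accepts.

```python
"""Validate an Amster client key against an authorized_keys file (added example, not OpenAM code)."""
from __future__ import annotations

import base64
import hmac
import struct

# Allow-list of key types for this example; OpenSSH recognises more than these.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _read_ssh_string(blob: bytes, offset: int = 0) -> tuple[bytes, int]:
    """Read one uint32-length-prefixed string from an SSH wire-format public key blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + n
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def _split_options(line: str) -> tuple[str, str]:
    """Split a leading options field from the rest of the line. Options are comma-separated and a
    quoted value such as from="..." may contain spaces, so scan for the first unquoted whitespace."""
    in_quote, i = False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and ch == "\\":
            i += 2  # skip an escaped character inside quotes
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def parse_authorized_keys(text: str) -> list[dict]:
    """Parse '[options] key-type base64-blob [comment]' lines. Blank lines and '#' comments are
    skipped; any malformed line raises ValueError naming the line, so a bad file fails closed."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split(None, 1)[0] in KEY_TYPES:
            options, rest = "", line
        else:
            options, rest = _split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected '<key-type> <base64>'")
        key_type, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        if key_type not in KEY_TYPES:
            raise ValueError(f"line {lineno}: unsupported key type {key_type!r}")
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(f"line {lineno}: key is not valid base64") from exc
        embedded_type, _ = _read_ssh_string(blob)
        # The blob carries its own type string; a mismatch means the line was edited or corrupted.
        if embedded_type != key_type.encode("ascii"):
            raise ValueError(f"line {lineno}: blob type {embedded_type!r} != {key_type!r}")
        entries.append({"line": lineno, "options": options, "type": key_type, "blob": blob, "comment": comment})
    return entries


def find_authorized(entries: list[dict], key_type: str, blob: bytes) -> dict | None:
    """Return the entry matching a presented public key, comparing blobs in constant time."""
    for entry in entries:
        if entry["type"] == key_type and hmac.compare_digest(entry["blob"], blob):
            return entry
    return None


def parses_cleanly(text: str) -> bool:
    """True if the text parses without error; shows that tampered lines are rejected."""
    try:
        parse_authorized_keys(text)
        return True
    except ValueError:
        return False


def make_ed25519_blob(public_key: bytes) -> bytes:
    """Wire-format blob for an ssh-ed25519 key: the string "ssh-ed25519", then the 32 key bytes."""
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(public_key)) + public_key


def make_ed25519_line(public_key: bytes, comment: str, options: str = "") -> str:
    """authorized_keys line for a constructed key (used only to build the sample below)."""
    b64 = base64.b64encode(make_ed25519_blob(public_key)).decode("ascii")
    return f"{options + ' ' if options else ''}ssh-ed25519 {b64} {comment}"


# Constructed sample file: placeholder key bytes, not real Amster keys.
FAKE_KEY_A = bytes(range(32))
FAKE_KEY_B = bytes(range(32, 64))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# Amster clients allowed to connect (constructed sample)",
    make_ed25519_line(FAKE_KEY_A, "amster@ci-runner"),
    make_ed25519_line(FAKE_KEY_B, "amster@admin-laptop", options='from="10.0.0.0/8,192.168.1.*",no-pty'),
    "",
])

if __name__ == "__main__":
    keys = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    hit = find_authorized(keys, "ssh-ed25519", make_ed25519_blob(FAKE_KEY_A))
    print("authorized as", hit["comment"] if hit else None)  # prints: authorized as amster@ci-runner
```

The parser keeps the options field but does not enforce it; whether a `from=` restriction is honoured is up to the server consuming the file, so when reviewing an Amster deployment check that separately rather than assuming the option alone limits where a key can be used from.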
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/anonymous
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"defaultAnonymousUsername" : {
"title" : "Default Anonymous User Name",
"description" : "The default username to use if no username is supplied during authentication.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"caseSensitiveUsernameMatchingEnabled" : {
"title" : "Case Sensitive User IDs",
"description" : "If enabled, username matching will be case sensitive.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"validAnonymousUsers" : {
"title" : "Valid Anonymous Users",
"description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allows anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"defaultAnonymousUsername" : {
"title" : "Default Anonymous User Name",
"description" : "The default username to use if no username is supplied during authentication.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"caseSensitiveUsernameMatchingEnabled" : {
"title" : "Case Sensitive User IDs",
"description" : "If enabled, username matching will be case sensitive.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"validAnonymousUsers" : {
"title" : "Valid Anonymous Users",
"description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allows anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/authJwtPoP
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"responseEncryptionCipher" : {
"title" : "Response Encryption Cipher",
"description" : "The authenticated encryption (AEAD) scheme to use for the response.",
"propertyOrder" : 350,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.",
"propertyOrder" : 10000,
"required" : true,
"type" : "integer"
},
"subjectJwkSetAttr" : {
"title" : "Subject JWK Set Attribute",
"description" : "Subject profile attribute that contains a JWK Set of confirmation and encryption keys.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"enableTlsSessionBinding" : {
"title" : "Use TLS Session Binding",
"description" : "If enabled the response must arrive in the same TLS (HTTPS) session as the challenge was issued.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"challengeSigningKey" : {
"title" : "Challenge Signing Key",
"description" : "Name of the key (in the AM keystore) to use to sign challenges.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"responseEncryptionMethod" : {
"title" : "Response Encryption Scheme",
"description" : "Key exchange method to use for responses: ephemeral elliptic curve Diffie-Hellman (ECDHE)key agreement or using a pre-shared key (PSK) from the subject's JWK Set.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"responseEncryptionCipher" : {
"title" : "Response Encryption Cipher",
"description" : "The authenticated encryption (AEAD) scheme to use for the response.",
"propertyOrder" : 350,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.",
"propertyOrder" : 10000,
"required" : true,
"type" : "integer"
},
"subjectJwkSetAttr" : {
"title" : "Subject JWK Set Attribute",
"description" : "Subject profile attribute that contains a JWK Set of confirmation and encryption keys.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"enableTlsSessionBinding" : {
"title" : "Use TLS Session Binding",
"description" : "If enabled the response must arrive in the same TLS (HTTPS) session as the challenge was issued.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"challengeSigningKey" : {
"title" : "Challenge Signing Key",
"description" : "Name of the key (in the AM keystore) to use to sign challenges.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"responseEncryptionMethod" : {
"title" : "Response Encryption Scheme",
"description" : "Key exchange method to use for responses: ephemeral elliptic curve Diffie-Hellman (ECDHE)key agreement or using a pre-shared key (PSK) from the subject's JWK Set.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/authPush
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"pushMessage" : {
"title" : "Login Message",
"description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeoutInMilliSecconds" : {
"title" : "Return Message Timeout (ms)",
"description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"pushMessage" : {
"title" : "Login Message",
"description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeoutInMilliSecconds" : {
"title" : "Return Message Timeout (ms)",
"description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/authPushReg
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"issuer" : {
"title" : "Issuer Name",
"description" : "The Name of the service as it will appear on the registered device.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"timeoutInMilliSecconds" : {
"title" : "Registration Response Timeout (ms)",
"description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"imgUrl" : {
"title" : "Image URL",
"description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"exampleValue" : "http://example.com/image.png"
},
"appleLink" : {
"title" : "App Store App URL",
"description" : "URL of the app to download on the App Store.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"bgcolour" : {
"title" : "Background Colour",
"description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"googleLink" : {
"title" : "Google Play URL",
"description" : "URL of the app to download on Google Play.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"issuer" : {
"title" : "Issuer Name",
"description" : "The Name of the service as it will appear on the registered device.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"timeoutInMilliSecconds" : {
"title" : "Registration Response Timeout (ms)",
"description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"imgUrl" : {
"title" : "Image URL",
"description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"exampleValue" : "http://example.com/image.png"
},
"appleLink" : {
"title" : "App Store App URL",
"description" : "URL of the app to download on the App Store.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"bgcolour" : {
"title" : "Background Colour",
"description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"googleLink" : {
"title" : "Google Play URL",
"description" : "URL of the app to download on Google Play.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/authSaml
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authnContextDeclRef" : {
"title" : "Authentication Context Declaration Reference",
"description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"sloRelay" : {
"title" : "Single Logout URL",
"description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (start with http...), or the redirect will not function.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"reqBinding" : {
"title" : "Request Binding",
"description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"forceAuthn" : {
"title" : "Force IdP Authentication",
"description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"metaAlias" : {
"title" : "SP MetaAlias",
"description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"binding" : {
"title" : "Response Binding",
"description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"entityName" : {
"title" : "IdP Entity ID",
"description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"allowCreate" : {
"title" : "Allow IdP to Create NameID",
"description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"sloEnabled" : {
"title" : "Single Logout Enabled",
"description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Required the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"loginChain" : {
"title" : "Linking Authentication Chain",
"description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"authComparison" : {
"title" : "Comparison Type",
"description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authnContextClassRef" : {
"title" : "Authentication Context Class Reference",
"description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"nameIdFormat" : {
"title" : "NameID Format",
"description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</pre>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"isPassive" : {
"title" : "Passive Authentication",
"description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authnContextDeclRef" : {
"title" : "Authentication Context Declaration Reference",
"description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"sloRelay" : {
"title" : "Single Logout URL",
"description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (start with http...), or the redirect will not function.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"reqBinding" : {
"title" : "Request Binding",
"description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"forceAuthn" : {
"title" : "Force IdP Authentication",
"description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"metaAlias" : {
"title" : "SP MetaAlias",
"description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"binding" : {
"title" : "Response Binding",
"description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"entityName" : {
"title" : "IdP Entity ID",
"description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"allowCreate" : {
"title" : "Allow IdP to Create NameID",
"description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"sloEnabled" : {
"title" : "Single Logout Enabled",
"description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Required the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"loginChain" : {
"title" : "Linking Authentication Chain",
"description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"authComparison" : {
"title" : "Comparison Type",
"description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authnContextClassRef" : {
"title" : "Authentication Context Class Reference",
"description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"nameIdFormat" : {
"title" : "NameID Format",
"description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</pre>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"isPassive" : {
"title" : "Passive Authentication",
"description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/authSocialInstagram
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
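The Account Provisioning settings in the schema above (Account Mapper, Attribute Mapper, their `remote=local` configuration entries, and the precedence between "Create account if it does not exist" and "Map to anonymous user") are easier to reason about in code. The following Python is an added illustration written for this page, not ForgeRock code: it re-implements JsonAttributeMapper-style mapping under the assumption, inferred from the exampleValues on this page (`JsonAttributeMapper|*|google-`, `JsonAttributeMapper|uid|google-`), that the `|`-separated constructor parameters name the local attributes whose values receive a prefix (`*` for all) and the prefix itself. The sample userinfo document and every helper name are constructed here.

```python
# Added example (not ForgeRock code): how the Account Provisioning settings
# compose, re-implemented in Python for illustration. The constructed userinfo
# document, the helper names and the assumed semantics of the mapper's
# constructor parameters (see json_attribute_mapper) are ours.
import json

# Constructed sample, shaped like a provider's User Profile Service response.
SAMPLE_USERINFO = json.dumps({
    "sub": "10769150350006150715113082367",
    "name": "Alice Example",
    "given_name": "Alice",
    "family_name": "Example",
    "email": "alice@example.com",
    "email_verified": True,
})


def parse_mapper_spec(spec):
    """Split 'class|param|param' (the schema's '|'-separated constructor
    parameters) into (class_name, [params])."""
    cls, *params = spec.split("|")
    return cls, params


def parse_mapping(entries):
    """Turn 'remote=local' entries (a list, or one whitespace-separated string
    as in the exampleValue) into a dict, rejecting malformed entries and a
    local attribute that is mapped twice."""
    if isinstance(entries, str):
        entries = entries.split()
    mapping = {}
    for entry in entries:
        if "=" not in entry:
            raise ValueError(f"expected remote=local, got {entry!r}")
        remote, local = (s.strip() for s in entry.split("=", 1))
        if not remote or not local:
            raise ValueError(f"empty side in {entry!r}")
        if local in mapping.values():
            raise ValueError(f"local attribute {local!r} mapped twice")
        mapping[remote] = local
    return mapping


def json_attribute_mapper(userinfo_json, mapper_spec, mapping_entries):
    """Apply a JsonAttributeMapper-style mapping to a JSON profile.

    Assumed semantics of the constructor parameters, inferred from the
    exampleValues on this page: params[0] is a comma-separated list of LOCAL
    attribute names whose values get a prefix ("*" = all of them), params[1]
    is the prefix. Remote attributes absent from the profile are skipped
    rather than mapped to empty strings.
    """
    cls, params = parse_mapper_spec(mapper_spec)
    if not cls.endswith("JsonAttributeMapper"):
        raise ValueError(f"this example only models JsonAttributeMapper, got {cls}")
    prefixed = set(params[0].split(",")) if params and params[0] else set()
    prefix = params[1] if len(params) > 1 else ""
    profile = json.loads(userinfo_json)
    result = {}
    for remote, local in parse_mapping(mapping_entries).items():
        if remote not in profile:
            continue
        value = str(profile[remote])
        if prefix and ("*" in prefixed or local in prefixed):
            value = prefix + value
        result[local] = value
    return result


def provisioning_decision(account, existing_users, create_account,
                          map_to_anonymous_user, anonymous_user_name):
    """Decide what happens to the mapped account, following the precedence the
    settings describe: createAccount beats mapToAnonymousUser; with neither
    enabled the user must already have a profile (the realm's "Ignore Profile"
    option is not modelled here)."""
    if map_to_anonymous_user and not create_account:
        return ("anonymous", anonymous_user_name)
    uid = account.get("uid")
    if uid in existing_users:
        return ("existing", uid)
    if create_account:
        return ("create", uid)
    return ("reject", uid)


def demo():
    """Run the page's exampleValues against the constructed profile."""
    base = "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper"
    account = json_attribute_mapper(SAMPLE_USERINFO, base + "|*|google-", ["sub=uid"])
    attrs = json_attribute_mapper(
        SAMPLE_USERINFO, base + "|uid|google-",
        "given_name=givenName family_name=sn name=cn email=mail sub=uid")
    decision = provisioning_decision(account, existing_users={"bob"},
                                     create_account=True,
                                     map_to_anonymous_user=True,
                                     anonymous_user_name="anonymous")
    return account, attrs, decision


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The prefix is what keeps a Google `sub` from colliding with a locally created `uid` of the same value; prefixing only `uid` in the attribute mapping (as the page's exampleValue does) keeps `mail`, `cn` and friends unprefixed so they remain usable as real profile data.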
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/authSocialOAuth2
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2600,
"required" : true,
"type" : "boolean"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
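The Core settings in the schema above (Scope and Scope Delimiter, Use Basic Auth, Client Id and Client Secret, Token Issuer and OAuth 2.0 Mix-Up Mitigation) each change one concrete request or check in the authorization-code flow. The Python below is an added illustration written for this page, not ForgeRock code, showing those pieces without any network access: the authorization URL with the configured delimiter, the token request with credentials in a Basic header versus the form body, and the callback validation that enforces `state` and, when mix-up mitigation is on, the `iss` and `client_id` response parameters from section 3.1 of the draft the schema cites. The settings values mirror this page's exampleValues; the client secret, the AM host in the redirect URI, the callback URLs and all helper names are constructed here.

```python
# Added example (not ForgeRock code): the client-side requests and checks that
# the Core settings configure, in Python for illustration. Settings values,
# the redirect URI host, the callback URLs and the helper names are ours; the
# iss/client_id checks follow section 3.1 of the mix-up mitigation draft.
import base64
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

GOOGLE = {  # endpoint and issuer values mirror the exampleValues on this page
    "clientId": "my-client-id",
    "clientSecret": "s3cr3t:with/odd chars",  # constructed; ':' and '/' matter for Basic
    "authorizeEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
    "scope": ["profile", "email"],
    "scopeDelimiter": " ",
    "usesBasicAuth": True,
    "issuerName": "https://accounts.google.com",
    "mixUpMitigation": True,
}
# Comma delimiter as the schema notes for Facebook; no iss support assumed here.
FACEBOOK = dict(GOOGLE, scope=["email", "public_profile"], scopeDelimiter=",",
                issuerName="", mixUpMitigation=False)
# ssoProxyUrl default path, on an assumed AM host.
REDIRECT_URI = "https://am.example.com/openam/oauth2c/OAuthProxy.jsp"


def new_state():
    """Unguessable per-request state; store it server-side before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorization_url(settings, state):
    """Authorization request (RFC 6749 section 4.1.1). The scope list is joined
    with the configured Scope Delimiter and percent-encoded as one value."""
    params = {
        "response_type": "code",
        "client_id": settings["clientId"],
        "redirect_uri": REDIRECT_URI,
        "scope": settings["scopeDelimiter"].join(settings["scope"]),
        "state": state,
    }
    return settings["authorizeEndpoint"] + "?" + urlencode(params, quote_via=quote)


def token_request(settings, code):
    """Headers and form body for the access-token request (RFC 6749 section
    4.1.3). With usesBasicAuth the client_id and client_secret are each
    form-urlencoded and then placed in an HTTP Basic header (section 2.3.1);
    otherwise both go in the body. The secret never goes in a query string."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if settings["usesBasicAuth"]:
        cred = (quote(settings["clientId"], safe="") + ":" +
                quote(settings["clientSecret"], safe=""))
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    else:
        body["client_id"] = settings["clientId"]
        body["client_secret"] = settings["clientSecret"]
    return headers, urlencode(body)


def decoded_basic(headers):
    """Inspection helper: the user-id:password string inside the Basic header."""
    return base64.b64decode(headers["Authorization"].split(" ", 1)[1]).decode()


def validate_callback(settings, callback_url, expected_state):
    """Check the authorization response and return the code, or raise.
    A parameter that is missing or repeated is treated as absent."""
    q = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)

    def one(name):
        vals = q.get(name, [])
        return vals[0] if len(vals) == 1 else None

    if "error" in q:
        raise ValueError(f"provider returned error={one('error')}")
    state = one("state")
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: CSRF or replayed response")
    if settings["mixUpMitigation"]:
        if one("iss") != settings["issuerName"]:
            raise ValueError("iss missing or not the configured Token Issuer (mix-up)")
        if one("client_id") != settings["clientId"]:
            raise ValueError("client_id in response is not ours (mix-up)")
    code = one("code")
    if not code:
        raise ValueError("no authorization code in response")
    return code


def callback_outcome(settings, callback_url, expected_state):
    """('ok', code) or ('rejected', reason), for callers that prefer values."""
    try:
        return ("ok", validate_callback(settings, callback_url, expected_state))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url(GOOGLE, state))
    good = REDIRECT_URI + "?" + urlencode({"code": "4/abc", "state": state,
                                          "iss": GOOGLE["issuerName"],
                                          "client_id": GOOGLE["clientId"]})
    print(callback_outcome(GOOGLE, good, state))
```

The mix-up check is only as good as the configured Token Issuer: with mixUpMitigation enabled and issuerName left empty, every callback is rejected, which is the failure the schema's "OpenAM will fail to validate responses" warning describes. A provider that does not return `iss` at all must have the flag off, as the constructed FACEBOOK settings show.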
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2600,
"required" : true,
"type" : "boolean"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/authSocialOpenID
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 3,
"properties" : {
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 2,
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email openid"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
}
}
},
"openId" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 1,
"properties" : {
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 3,
"properties" : {
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 2,
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the users authenticated in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. The value must match the iss field in the issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email openid"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
}
}
},
"openId" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 1,
"properties" : {
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery URL, the JWK URL, or the client_secret, corresponding to the selection above.<br><br>If a discovery or JWK URL is entered, the entry must be in valid URL format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret is selected, this entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/authSocialTwitter
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"requestTokenEndpoint" : {
"title" : "Request Token Endpoint URL",
"description" : "OAuth request token endpoint URL<br><br>This is the URL endpoint for the OAuth request token provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the users authenticated in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"requestTokenEndpoint" : {
"title" : "Request Token Endpoint URL",
"description" : "OAuth request token endpoint URL<br><br>This is the URL endpoint for the OAuth request token provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, users authenticated at the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/authSocialVk
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"forgerock-am-auth-socialauthvk-auth-level" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Name of the attribute in the auth server's user profile response that the auth server uses to identify the user.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"apiVersion" : {
"title" : "API Version",
"description" : "Specifies the version of the auth server API",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of the access permissions (here, user profile attributes) that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/>Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1645,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1625,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1620,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1610,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 1615,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1635,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1630,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1640,
"required" : true,
"type" : "boolean"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1160,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1150,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, users authenticated at the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1605,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"forgerock-am-auth-socialauthvk-auth-level" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Name of the attribute in the auth server's user profile response that the auth server uses to identify the user.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"apiVersion" : {
"title" : "API Version",
"description" : "Specifies the version of the auth server API",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of the access permissions (here, user profile attributes) that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/>Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1645,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1625,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1620,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1610,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 1615,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1635,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1630,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1640,
"required" : true,
"type" : "boolean"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1160,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1150,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, users authenticated by the OAuth 2.0 Provider are mapped to the account named in the <i>Anonymous User</i> parameter.<br/>If not selected, authenticated users are mapped through the Account Mapper configuration.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1605,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the local account from the attributes mapped by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/authSocialWeChat
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration used to map the user info obtained from the OAuth 2.0 Provider to attributes in the local OpenAM user data store.<br/><br/>Each entry has the form <code>OAuth2.0_attribute=local_attribute</code>.",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled and the Account Mapper finds no matching local account, the account is created dynamically. Before the account is created, a dialog prompting for a password and an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, one of three alternatives must apply:<br/><br/><ol><li>The user already has a profile in the OpenAM User Data Store.</li><li>The user has no profile and \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see the parameters \"Map to anonymous user\" and \"Anonymous User\").</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the local account from the attributes mapped by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, users authenticated by the OAuth 2.0 Provider are mapped to the account named in the <i>Anonymous User</i> parameter.<br/>If not selected, authenticated users are mapped through the Account Mapper configuration.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration used to map the account of the user authenticated by the OAuth 2.0 Provider to an account in the local OpenAM data store. Each entry has the form <code>OAuth2.0_attribute=local_attribute</code>.",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>A custom implementation can be provided; it must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Enable this option if the SMTP server requires an SSL/TLS connection",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The From address used for outgoing messages",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework (RFC 6749, section 3.3), scope is a space-delimited list of access scopes, typically the user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/>Some authorization servers use non-standard separators for scopes; for example, Facebook takes a comma-separated list. Set the <i>Scope Delimiter</i> parameter accordingly.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Name of the attribute in the provider's user profile response that uniquely identifies the authenticated user. Prefer the provider's stable user identifier over a mutable attribute such as an email address.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client authenticates to the social provider's token endpoint with HTTP Basic authentication (<code>client_id</code> and <code>client_secret</code> in the <code>Authorization</code> header) instead of sending them in the request body; see RFC 6749, section 2.3.1. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
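The account-provisioning settings above interact in a fixed order (account found by the Account Mapper, otherwise <i>Create account if it does not exist</i>, otherwise <i>Map to anonymous user</i>), and both mapper configurations share the <code>OAuth2.0_attribute=local_attribute</code> entry format with <code>|</code>-separated constructor parameters on the class names. The following Python is an added example written for this page, not OpenAM code: it models that decision logic against a constructed profile response and an in-memory stand-in for the user data store. The dotted-path nesting in mapping keys, the sample WeChat-style payload and the local store contents are assumptions made for illustration.

```python
# Added example (not OpenAM code): models the account-provisioning settings documented
# in the schema above.  Assumptions: the provider's profile JSON shape, dotted-path
# nesting in mapping keys, and the in-memory "local store" standing in for the AM
# user data store are all constructed for illustration.
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of a User Profile Service response (not a real WeChat payload).
SAMPLE_USERINFO = json.loads(
    '{"openid": "oabc123", "nickname": "alice", "email": "alice@example.com",'
    ' "profile": {"city": "Shenzhen"}}'
)

# Constructed local user store: username -> profile attributes.
SAMPLE_STORE = {"alice": {"wechat-openid": "oabc123", "mail": "alice@example.com"}}


def parse_mapper_class(entry: str) -> Tuple[str, List[str]]:
    """Split 'fully.qualified.Class|param1|param2' into the class name and the
    string constructor parameters the schema says follow the '|' separators."""
    parts = entry.split("|")
    return parts[0], parts[1:]


def parse_mapping(entries: List[str]) -> Dict[str, str]:
    """Parse 'OAuth2.0_attribute=local_attribute' entries; reject malformed ones
    loudly, because a silently dropped entry would weaken the account search."""
    mapping: Dict[str, str] = {}
    for entry in entries:
        src, sep, dst = entry.partition("=")
        src, dst = src.strip(), dst.strip()
        if not sep or not src or not dst:
            raise ValueError(f"malformed mapping entry: {entry!r}")
        mapping[src] = dst
    return mapping


def lookup(userinfo: Dict, path: str):
    """Resolve a dotted path such as 'profile.city' in the provider JSON (assumption)."""
    node = userinfo
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def map_attributes(userinfo: Dict, entries: List[str]) -> Dict[str, str]:
    """Apply a mapping to a profile; provider attributes that are absent are skipped."""
    result: Dict[str, str] = {}
    for src, dst in parse_mapping(entries).items():
        value = lookup(userinfo, src)
        if value is not None:
            result[dst] = str(value)
    return result


@dataclass
class Provisioning:
    """The subset of accountProvisioning settings that drive the decision."""
    createAccount: bool
    promptPasswordFlag: bool
    mapToAnonymousUser: bool
    anonymousUserName: str
    accountMapperConfiguration: List[str]
    attributeMapperConfiguration: List[str]


@dataclass
class Decision:
    action: str                 # login | create | create-with-activation | anonymous | fail
    local_user: Optional[str]
    attributes: Dict[str, str]  # attributes that would be written or saved in the session


def decide(cfg: Provisioning, userinfo: Dict, store: Dict[str, Dict[str, str]]) -> Decision:
    """Precedence as documented: matched account -> createAccount -> anonymous -> fail.
    (The realm-level 'Ignore Profile' alternative is outside this example.)"""
    search = map_attributes(userinfo, cfg.accountMapperConfiguration)
    attrs = map_attributes(userinfo, cfg.attributeMapperConfiguration)
    if search:  # an empty search would match every account, so it must never match
        for username, profile in store.items():
            if all(profile.get(k) == v for k, v in search.items()):
                return Decision("login", username, attrs)
    if cfg.createAccount:
        return Decision("create-with-activation" if cfg.promptPasswordFlag else "create", None, attrs)
    if cfg.mapToAnonymousUser:
        return Decision("anonymous", cfg.anonymousUserName, attrs)
    return Decision("fail", None, attrs)


if __name__ == "__main__":
    cfg = Provisioning(True, True, False, "anonymous",
                       ["openid=wechat-openid"],
                       ["openid=wechat-openid", "nickname=cn", "email=mail", "profile.city=l"])
    print(decide(cfg, SAMPLE_USERINFO, SAMPLE_STORE))
```

The guard on an empty search result is the point worth noticing: if the provider omits the attribute named in the Account Mapper Configuration, the search must fail closed rather than match the first account in the store.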
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration used to map the user info obtained from the OAuth 2.0 Provider to attributes in the local OpenAM user data store.<br/><br/>Each entry has the form <code>OAuth2.0_attribute=local_attribute</code>.",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled and the Account Mapper finds no matching local account, the account is created dynamically. Before the account is created, a dialog prompting for a password and an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, one of three alternatives must apply:<br/><br/><ol><li>The user already has a profile in the OpenAM User Data Store.</li><li>The user has no profile and \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see the parameters \"Map to anonymous user\" and \"Anonymous User\").</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the local account from the attributes mapped by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, users authenticated by the OAuth 2.0 Provider are mapped to the account named in the <i>Anonymous User</i> parameter.<br/>If not selected, authenticated users are mapped through the Account Mapper configuration.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration used to map the account of the user authenticated by the OAuth 2.0 Provider to an account in the local OpenAM data store. Each entry has the form <code>OAuth2.0_attribute=local_attribute</code>.",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>A custom implementation can be provided; it must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Enable this option if the SMTP server requires an SSL/TLS connection",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The From address used for outgoing messages",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework (RFC 6749, section 3.3), scope is a space-delimited list of access scopes, typically the user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/>Some authorization servers use non-standard separators for scopes; for example, Facebook takes a comma-separated list. Set the <i>Scope Delimiter</i> parameter accordingly.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Name of the attribute in the provider's user profile response that uniquely identifies the authenticated user. Prefer the provider's stable user identifier over a mutable attribute such as an email address.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client authenticates to the social provider's token endpoint with HTTP Basic authentication (<code>client_id</code> and <code>client_secret</code> in the <code>Authorization</code> header) instead of sending them in the request body; see RFC 6749, section 2.3.1. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
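The Read and Update operations above exchange the same <code>defaults</code> document, which makes it straightforward to audit a deployment's module settings and write a corrected copy back. The Python below is an added example written for this page, not ForgeRock code: it reads the resource, flags the settings in the schema that weaken the flow (plain-http provider endpoints, <code>usesBasicAuth</code> off, authentication level 0, transparent account creation, anonymous mapping, SMTP credentials without SSL), and issues the Update only when something was found. The AM base URL, the <code>iPlanetDirectoryPro</code> session-token header, the <code>Accept-API-Version</code> value and the sample Read response are assumptions; an in-memory transport stands in for a live server so the block runs offline.

```python
# Added example (not ForgeRock code): read the authSocialWeChat global defaults through the
# Read operation, audit the security-relevant settings in the schema above, and write a
# hardened copy back through the Update operation.  Assumptions: the AM base URL, the
# SSO-token header name (iPlanetDirectoryPro) and the Accept-API-Version value are taken
# from common AM deployments and may differ in yours; the sample response is constructed.
import copy
import json
import urllib.request
from typing import Callable, Dict, List, Optional

MODULE_PATH = "/json/global-config/authentication/modules/authSocialWeChat"

# Constructed Read response containing only the fields the audit looks at.
SAMPLE_READ = {
    "_id": "authSocialWeChat",
    "defaults": {
        "core": {
            "authorizeEndpoint": "http://open.example/connect/oauth2/authorize",
            "tokenEndpoint": "https://api.example/sns/oauth2/access_token",
            "userInfoEndpoint": "https://api.example/sns/userinfo",
            "usesBasicAuth": False,
            "authenticationLevel": 0,
        },
        "accountProvisioning": {"createAccount": True, "promptPasswordFlag": False,
                                "mapToAnonymousUser": True},
        "emailSettings": {"smtpUsername": "mailer", "smtpSslEnabled": False},
    },
}

Transport = Callable[[str, str, Optional[Dict]], Dict]


def fresh_state() -> Dict:
    """A private copy of the constructed sample, so runs do not share mutable state."""
    return copy.deepcopy(SAMPLE_READ)


def audit_defaults(defaults: Dict) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing to fix."""
    core = defaults.get("core", {})
    prov = defaults.get("accountProvisioning", {})
    mail = defaults.get("emailSettings", {})
    findings = []
    for key in ("authorizeEndpoint", "tokenEndpoint", "userInfoEndpoint"):
        if not str(core.get(key, "")).startswith("https://"):
            findings.append(f"core.{key} is not https")
    if not core.get("usesBasicAuth", True):
        findings.append("core.usesBasicAuth off: client_secret goes in the token request body")
    if int(core.get("authenticationLevel", 0)) <= 0:
        findings.append("core.authenticationLevel is 0, the lowest level")
    if prov.get("createAccount") and not prov.get("promptPasswordFlag"):
        findings.append("accounts are created transparently without the activation flow")
    if prov.get("mapToAnonymousUser"):
        findings.append("social logins are mapped to the shared anonymous user")
    if mail.get("smtpUsername") and not mail.get("smtpSslEnabled"):
        findings.append("SMTP credentials configured without SSL")
    return findings


def harden(defaults: Dict) -> Dict:
    """Copy of the defaults with the mechanically fixable settings corrected.
    Endpoint URLs and the authentication level are left for a human to decide."""
    fixed = copy.deepcopy(defaults)
    fixed.setdefault("core", {})["usesBasicAuth"] = True
    prov = fixed.setdefault("accountProvisioning", {})
    prov["mapToAnonymousUser"] = False
    if prov.get("createAccount"):
        prov["promptPasswordFlag"] = True
    mail = fixed.setdefault("emailSettings", {})
    if mail.get("smtpUsername"):
        mail["smtpSslEnabled"] = True
    return fixed


def http_transport(base_url: str, sso_token: str) -> Transport:
    """urllib-based transport for a live AM instance (header names are assumptions)."""
    def send(method: str, path: str, body: Optional[Dict] = None) -> Dict:
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Accept-API-Version", "resource=1.0")
        req.add_header("iPlanetDirectoryPro", sso_token)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def memory_transport(state: Dict) -> Transport:
    """Offline stand-in: GET returns the stored resource, PUT replaces it in place."""
    def send(method: str, path: str, body: Optional[Dict] = None) -> Dict:
        assert path == MODULE_PATH, path
        if method == "PUT":
            state.clear()
            state.update(copy.deepcopy(body))
        return copy.deepcopy(state)
    return send


def read_and_harden(send: Transport) -> List[str]:
    """Read, audit, and only issue the Update when the audit found something."""
    current = send("GET", MODULE_PATH)
    findings = audit_defaults(current["defaults"])
    if findings:
        send("PUT", MODULE_PATH, dict(current, defaults=harden(current["defaults"])))
    return findings


if __name__ == "__main__":
    state = fresh_state()
    for finding in read_and_harden(memory_transport(state)):
        print("finding:", finding)
    print("remaining after hardening:", audit_defaults(state["defaults"]))
```

Against a real instance, replace <code>memory_transport(state)</code> with <code>http_transport("https://am.example.com/openam", token)</code>, where <code>token</code> is an administrator session token obtained separately. The audit deliberately does not rewrite endpoint URLs or the authentication level: an http endpoint may be a typo or a legitimate test fixture, and the level a module should carry depends on realm policy, so both are reported rather than changed.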
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/authSocialWeChatMobile
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enable anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enable anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/authenticatoroath
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"passwordLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"totpTimeStepInterval" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"oathIssuerName" : {
"title" : "Name of the Issuer",
"description" : "Name to identify the OTP issuer.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "ForgeRock"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"totpTimeStepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving an OTP.<br><br>This is the number of time step intervals to check the received OTP against, both forward in time and back in time. For example, with 1 time step and a time step interval of 30 seconds, the server will accept the previous code, the current code and the next code.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"addChecksumToOtpEnabled" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"totpMaximumClockDrift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"frOathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1, maximum is 10, and the default is 3.",
"required" : true,
"type" : "integer"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. It should be left at the default unless you know your device uses an offset.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window within which the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the server's last successful login was at counter value 2, then the server will accept an OTP from the OTP device that is from device counter 3 to 102.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"passwordLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"totpTimeStepInterval" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"oathIssuerName" : {
"title" : "Name of the Issuer",
"description" : "Name to identify the OTP issuer.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "ForgeRock"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"totpTimeStepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving an OTP.<br><br>This is the number of time step intervals to check the received OTP against, both forward in time and back in time. For example, with 1 time step and a time step interval of 30 seconds, the server will accept the previous code, the current code and the next code.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"addChecksumToOtpEnabled" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"totpMaximumClockDrift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"frOathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1, maximum is 10, and the default is 3.",
"required" : true,
"type" : "integer"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. Leave it at the default unless you know your device uses an offset.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets how far the OTP device counter and the server counter may be out of sync. For example, if the window size is 100 and the server's last successful login was at counter value 2, then the server will accept an OTP from the device for any counter value from 3 to 102.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
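The window, drift and counter settings in the schema above are easiest to understand in code. The following Python is an added example, not code from this page or from the OpenAM project: it implements RFC 4226 HOTP and RFC 6238 TOTP and applies the semantics the schema describes for hotpWindowSize, totpTimeStepsInWindow, totpMaximumClockDrift, minimumSecretKeyLength and truncationOffset. The per-user state (stored drift and last accepted time step) is this example's own bookkeeping, since the page does not show how the module stores it; the sample secret is the RFC 4226 test key, used here as constructed input. The checksum digit option is not modelled.

```python
from __future__ import annotations

import hmac
import struct
from dataclasses import dataclass

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), used as constructed sample input.
SECRET = b"12345678901234567890"


def load_secret(hex_key: str, minimum_secret_key_length: int) -> bytes:
    """Decode a hex-encoded shared secret, enforcing the configured minimum length in hex characters."""
    if len(hex_key) < minimum_secret_key_length:
        raise ValueError(f"secret key shorter than {minimum_secret_key_length} hex characters")
    return bytes.fromhex(hex_key)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1",
         truncation_offset: int | None = None) -> str:
    """RFC 4226 HOTP. truncation_offset=None selects dynamic truncation; 0..15 fixes the offset."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = (digest[-1] & 0x0F) if truncation_offset is None else truncation_offset
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, code: str, last_counter: int, window_size: int = 100,
                digits: int = 6) -> tuple[bool, int]:
    """HOTP look-ahead: accept counters last_counter+1 .. last_counter+window_size, never a replay.

    Returns (accepted, counter_to_persist); the caller must store the new counter on success.
    """
    if not (code.isascii() and code.isdigit()):
        return False, last_counter
    for counter in range(last_counter + 1, last_counter + 1 + window_size):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, last_counter


@dataclass
class TotpUserState:
    """Per-user bookkeeping assumed by this example (the page does not show the module's own storage)."""
    drift: int = 0        # learned device drift, in time steps
    last_step: int = -1   # highest time step already consumed (replay guard)


def verify_totp(secret: bytes, code: str, state: TotpUserState, now: float, *, time_step: int = 30,
                steps_in_window: int = 1, maximum_clock_drift: int = 3, digits: int = 6) -> bool:
    """Check `code` in the window around the drift-adjusted current step; learn new drift on success."""
    if not (code.isascii() and code.isdigit()):
        return False
    current = int(now) // time_step + state.drift
    for delta in range(-steps_in_window, steps_in_window + 1):
        candidate = current + delta
        if candidate <= state.last_step:
            continue  # a time step already used once is never accepted again
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            new_drift = state.drift + delta
            if abs(new_drift) > maximum_clock_drift:
                return False  # device has drifted too far: manual resynchronisation required
            state.drift, state.last_step = new_drift, candidate
            return True
    return False


if __name__ == "__main__":
    # HOTP: last accepted counter 2, window 100 -> counters 3..102 are acceptable, 0 is not.
    print("HOTP counter 3 :", verify_hotp(SECRET, hotp(SECRET, 3), last_counter=2))
    print("HOTP counter 0 :", verify_hotp(SECRET, hotp(SECRET, 0), last_counter=2))
    # TOTP: a code from the previous step is accepted with 1 step of window and recorded as drift -1.
    state = TotpUserState()
    print("TOTP prev step :", verify_totp(SECRET, hotp(SECRET, 1), state, now=89), state)
    print("TOTP replayed  :", verify_totp(SECRET, hotp(SECRET, 1), state, now=89))
```

Two points the schema text implies but does not state are made explicit here: a TOTP code is consumed once (last_step), and the HOTP look-ahead starts at last_counter + 1, so a captured code can never be replayed. A large hotpWindowSize does not enable replay, but it does enlarge the guessing target (100 acceptable 6-digit codes give a 1 in 10,000 chance per attempt), which is why frOathOtpMaxRetry should stay small.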
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/certificate
1.0
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"matchCACertificateToCRL" : {
"title" : "Match CA Certificate to CRL",
"description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"cacheCRLsInMemory" : {
"title" : "Cache CRLs in memory",
"description" : "The CRLs will be cached in memory",
"propertyOrder" : 700,
"required" : true,
"type" : "boolean"
},
"userBindDN" : {
"title" : "LDAP Server Authentication User",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"certificateAttributeToProfileMapping" : {
"title" : "Certificate Field Used to Access User Profile",
"description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate. ",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"crlMatchingCertificateAttribute" : {
"title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
"description" : "This is the name of the attribute taken from the CA certificate that will be used to search for the CRL.<br><br>If only one attribute name is specified, the LDAP search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute name specified is 'CN', search filter used will be <code>(CN=Some CA)</code><br/><br/>If several attribute names are specified, they have to be separated by <code>,</code>. The resulting LDAP search filter value will be a comma separated list of attribute name=value pairs, and the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute names specified are 'CN,serialNumber', search filter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the attribute names matters, as the resulting value must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"iplanet-am-auth-cert-gw-cert-preferred" : {
"title" : "Use only Certificate from HTTP request header",
"description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"certificateAttributeProfileMappingExtension" : {
"title" : "SubjectAltNameExt Value Type to Access User Profile",
"description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2100,
"required" : true,
"type" : "integer"
},
"certificateLdapServers" : {
"title" : "LDAP Server Where Certificates are Stored",
"description" : "Use this list to set the LDAP server(s) the Certificate authentication module searches for certificates.<br><br>A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"matchCertificateInLdap" : {
"title" : "Match Certificate in LDAP",
"description" : "The client certificate must exist in the directory for the authentication to be successful.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"sslEnabled" : {
"title" : "Use SSL/TLS for LDAP Access",
"description" : "The certificate module will use SSL/TLS to access the LDAP server",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"matchCertificateToCRL" : {
"title" : "Match Certificate to CRL",
"description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"trustedRemoteHosts" : {
"title" : "Trusted Remote Hosts",
"description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module.<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"otherCertificateAttributeToProfileMapping" : {
"title" : "Other Certificate Field Used to Access User Profile",
"description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"crlHttpParameters" : {
"title" : "HTTP Parameters for CRL Update",
"description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allows custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 1300,
"required" : true,
"type" : "string",
"format" : "password"
},
"ocspValidationEnabled" : {
"title" : "OCSP Validation",
"description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"clientCertificateHttpHeaderName" : {
"title" : "HTTP Header Name for Client Certificate",
"description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"updateCRLsFromDistributionPoint" : {
"title" : "Update CA CRLs from CRLDistributionPoint",
"description" : "Fetch new CA CRLs from the CRLDistributionPoint and update them in the Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has a CRLDistributionPoint extension set, OpenAM tries to update the CRLs if needed (i.e. the CRL is out of date).<br/>This property controls whether the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"ldapSearchStartDN" : {
"title" : "LDAP Search Start or Base DN",
"description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ldapCertificateAttribute" : {
"title" : "Subject DN Attribute Used to Search LDAP for Certificates",
"description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"matchCACertificateToCRL" : {
"title" : "Match CA Certificate to CRL",
"description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"cacheCRLsInMemory" : {
"title" : "Cache CRLs in memory",
"description" : "The CRLs will be cached in memory",
"propertyOrder" : 700,
"required" : true,
"type" : "boolean"
},
"userBindDN" : {
"title" : "LDAP Server Authentication User",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"certificateAttributeToProfileMapping" : {
"title" : "Certificate Field Used to Access User Profile",
"description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate. ",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"crlMatchingCertificateAttribute" : {
"title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
"description" : "This is the name of the attribute taken from the CA certificate that will be used to search for the CRL.<br><br>If only one attribute name is specified, the LDAP search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute name specified is 'CN', search filter used will be <code>(CN=Some CA)</code><br/><br/>If several attribute names are specified, they have to be separated by <code>,</code>. The resulting LDAP search filter value will be a comma separated list of attribute name=value pairs, and the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute names specified are 'CN,serialNumber', search filter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the attribute names matters, as the resulting value must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"iplanet-am-auth-cert-gw-cert-preferred" : {
"title" : "Use only Certificate from HTTP request header",
"description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"certificateAttributeProfileMappingExtension" : {
"title" : "SubjectAltNameExt Value Type to Access User Profile",
"description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2100,
"required" : true,
"type" : "integer"
},
"certificateLdapServers" : {
"title" : "LDAP Server Where Certificates are Stored",
"description" : "Use this list to set the LDAP server(s) the Certificate authentication module searches for certificates.<br><br>A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"matchCertificateInLdap" : {
"title" : "Match Certificate in LDAP",
"description" : "The client certificate must exist in the directory for the authentication to be successful.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"sslEnabled" : {
"title" : "Use SSL/TLS for LDAP Access",
"description" : "The certificate module will use SSL/TLS to access the LDAP server",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"matchCertificateToCRL" : {
"title" : "Match Certificate to CRL",
"description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"trustedRemoteHosts" : {
"title" : "Trusted Remote Hosts",
"description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module.<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"otherCertificateAttributeToProfileMapping" : {
"title" : "Other Certificate Field Used to Access User Profile",
"description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"crlHttpParameters" : {
"title" : "HTTP Parameters for CRL Update",
"description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allows custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 1300,
"required" : true,
"type" : "string",
"format" : "password"
},
"ocspValidationEnabled" : {
"title" : "OCSP Validation",
"description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"clientCertificateHttpHeaderName" : {
"title" : "HTTP Header Name for Client Certificate",
"description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"updateCRLsFromDistributionPoint" : {
"title" : "Update CA CRLs from CRLDistributionPoint",
"description" : "Fetch new CA CRLs from the CRLDistributionPoint and update them in the Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has a CRLDistributionPoint extension set, OpenAM tries to update the CRLs if needed (i.e. the CRL is out of date).<br/>This property controls whether the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"ldapSearchStartDN" : {
"title" : "LDAP Search Start or Base DN",
"description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ldapCertificateAttribute" : {
"title" : "Subject DN Attribute Used to Search LDAP for Certificates",
"description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
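Two groups of settings in the certificate module schema decide what the module trusts as input: trustedRemoteHosts together with clientCertificateHttpHeaderName (and the iplanet-am-auth-cert-gw-cert-preferred flag) control when a certificate carried in an HTTP request header is believed, and crlMatchingCertificateAttribute controls how an issuer DN becomes an LDAP search filter. The Python below is an added example, not code from this page or from the OpenAM project. It models both decisions. The header name X-Client-Cert, the IP addresses and the certificate strings are constructed; the precedence between a header certificate and a TLS-layer certificate is this example's reading of the flag description; and the multi-attribute filter is wrapped in parentheses so that it is a complete RFC 4515 filter, where the page shows only the value.

```python
from __future__ import annotations

import ipaddress
from typing import Optional


def _split_unescaped(text: str, sep: str) -> list[str]:
    """Split on `sep` unless it is backslash-escaped (enough for the DN forms shown on the page)."""
    parts, current, escaped = [], [], False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def parse_dn(dn: str) -> dict[str, str]:
    """Map attribute names (lower-cased, so CN and cn agree) to values for 'C=US, CN=Some CA, ...'."""
    attrs: dict[str, str] = {}
    for rdn in _split_unescaped(dn, ","):
        name, _, value = rdn.strip().partition("=")
        attrs[name.strip().lower()] = value.strip()
    return attrs


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so certificate-derived text cannot change the structure of the filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def crl_search_filter(issuer_subject_dn: str, crl_matching_certificate_attribute: str) -> str:
    """Build the CRL lookup filter the way the crlMatchingCertificateAttribute description specifies."""
    names = [n.strip() for n in crl_matching_certificate_attribute.split(",") if n.strip()]
    dn = parse_dn(issuer_subject_dn)
    missing = [n for n in names if n.lower() not in dn]
    if not names or missing:
        raise ValueError(f"issuer DN lacks configured attribute(s): {missing or names}")
    if len(names) == 1:  # single attribute: (attrName=value taken from the issuer's SubjectDN)
        return f"({names[0]}={escape_filter_value(dn[names[0].lower()])})"
    # several attributes: the cn of the crlDistributionPoint entry holds "name=value,name=value" in order
    joined = ",".join(f"{n}={dn[n.lower()]}" for n in names)
    return f"(cn={escape_filter_value(joined)})"


def header_certificate_trusted(peer_ip: str, trusted_remote_hosts: list[str]) -> bool:
    """Apply the Trusted Remote Hosts list: 'none' disables header certificates, 'any' trusts every peer."""
    hosts = {h.strip().lower() for h in trusted_remote_hosts if h.strip()}
    if not hosts or hosts == {"none"}:
        return False
    if "any" in hosts:
        return True
    peer = ipaddress.ip_address(peer_ip)
    return any(peer == ipaddress.ip_address(h) for h in hosts - {"none"})


def select_client_certificate(peer_ip: str, headers: dict[str, str], tls_certificate: Optional[str], *,
                              trusted_remote_hosts: list[str], client_certificate_http_header_name: str,
                              header_certificate_preferred: bool = False) -> Optional[str]:
    """Return the certificate the module should authenticate, or None when no trustworthy one exists.

    header_certificate_preferred models iplanet-am-auth-cert-gw-cert-preferred: when set, only the
    header is consulted (and only from a trusted host); otherwise the TLS-layer certificate wins.
    """
    header_cert = headers.get(client_certificate_http_header_name)
    trusted = header_certificate_trusted(peer_ip, trusted_remote_hosts)
    if header_certificate_preferred:
        return header_cert if trusted else None
    if tls_certificate is not None:
        return tls_certificate
    return header_cert if trusted else None


if __name__ == "__main__":
    # Constructed request: a client on the Internet tries to assert a certificate via the header.
    spoof = {"X-Client-Cert": "-----BEGIN CERTIFICATE----- (constructed)"}
    print(select_client_certificate("203.0.113.9", spoof, None,
                                    trusted_remote_hosts=["10.0.0.5"],
                                    client_certificate_http_header_name="X-Client-Cert"))
    print(crl_search_filter("C=US, CN=Some CA, serialNumber=123456", "CN,serialNumber"))
```

Setting trustedRemoteHosts to any means that any client able to reach OpenAM directly can assert an arbitrary certificate in the header, so list only the TLS-terminating proxies and make sure those proxies overwrite the header on every inbound request. The filter escaping matters for the same reason: the values in the issuer DN originate in a certificate the client presented, and must never be spliced into an LDAP filter unescaped.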
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/datastore
1.0
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/deviceidmatch
1.0
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/deviceidsave
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"autoStoreProfiles" : {
"title" : "Automatically store new profiles",
"description" : "Select this checkbox to assume user consent to store every new profile.<br><br>If this checkbox is selected, the user won't be prompted to store new profiles. After successful OTP confirmation, the profile will be stored automatically.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"maxProfilesAllowed" : {
"title" : "Maximum stored profile quantity",
"description" : "No more than the specified number of profiles will be stored in the user record.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"autoStoreProfiles" : {
"title" : "Automatically store new profiles",
"description" : "Select this checkbox to assume user consent to store every new profile.<br><br>If this checkbox is selected, the user won't be prompted to store new profiles. After successful OTP confirmation, the profile will be stored automatically.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"maxProfilesAllowed" : {
"title" : "Maximum stored profile quantity",
"description" : "No more than the specified number of profiles will be stored in the user record.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/federation
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/hotp
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"smtpFromAddress" : {
"title" : "Email From Address",
"description" : "Emails from the HOTP Authentication module will come from this address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"otpValidityDuration" : {
"title" : "One Time Password Validity Length",
"description" : "This One Time Password will remain valid for this period (in minutes)",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"smsGatewayClass" : {
"title" : "SMS Gateway Implementation Class",
"description" : "The HOTP authentication module uses this class to send SMS messages.<br><br>The SMS gateway class must implement the following interface<br/><br/><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"autoSendOTP" : {
"title" : "Auto Send OTP Code",
"description" : "Select this checkbox if the OTP should be sent automatically",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"userProfileEmailAttribute" : {
"title" : "Email Attribute Name",
"description" : "This is the attribute name used by the OTP to email the user",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"otpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1, maximum is 10, and default is 3.",
"required" : true,
"type" : "integer"
},
"otpDeliveryMethod" : {
"title" : "One Time Password Delivery",
"description" : "The mechanism used to deliver the One Time Password",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"userProfileTelephoneAttribute" : {
"title" : "Mobile Phone Number Attribute Name",
"description" : "This is the attribute name used for a requested text message",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"smtpHostname" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server; OpenAM will use SMTP to send the messages.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "Mail Server Secure Connection",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"mobileCarrierAttribute" : {
"title" : "Mobile Carrier Attribute Name",
"description" : "This is the attribute name used for a mobile carrier domain for sending SMS messages",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"otpLength" : {
"title" : "One Time Password Length",
"description" : "The length of the generated One Time Password (in digits)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"smtpHostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server.<br><br>The default port for SMTP is 25; if using SSL, the default port is 465.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"smtpUsername" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use if the mail server is using SMTP authentication",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"smtpUserPassword" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use if the mail server is using SMTP authentication",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"smtpFromAddress" : {
"title" : "Email From Address",
"description" : "Emails from the HOTP Authentication module will come from this address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"otpValidityDuration" : {
"title" : "One Time Password Validity Length",
"description" : "This One Time Password will remain valid for this period (in minutes)",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"smsGatewayClass" : {
"title" : "SMS Gateway Implementation Class",
"description" : "The HOTP authentication module uses this class to send SMS messages.<br><br>The SMS gateway class must implement the following interface<br/><br/><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"autoSendOTP" : {
"title" : "Auto Send OTP Code",
"description" : "Select this checkbox if the OTP should be sent automatically",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"userProfileEmailAttribute" : {
"title" : "Email Attribute Name",
"description" : "This is the attribute name used by the OTP to email the user",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"otpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1, maximum is 10, and default is 3.",
"required" : true,
"type" : "integer"
},
"otpDeliveryMethod" : {
"title" : "One Time Password Delivery",
"description" : "The mechanism used to deliver the One Time Password",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"userProfileTelephoneAttribute" : {
"title" : "Mobile Phone Number Attribute Name",
"description" : "This is the attribute name used for a requested text message",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"smtpHostname" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server; OpenAM will use SMTP to send the messages.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "Mail Server Secure Connection",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"mobileCarrierAttribute" : {
"title" : "Mobile Carrier Attribute Name",
"description" : "This is the attribute name used for a mobile carrier domain for sending SMS messages",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"otpLength" : {
"title" : "One Time Password Length",
"description" : "The length of the generated One Time Password (in digits)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"smtpHostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server.<br><br>The default port for SMTP is 25; if using SSL, the default port is 465.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"smtpUsername" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use if the mail server is using SMTP authentication",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"smtpUserPassword" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use if the mail server is using SMTP authentication",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/httpbasic
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"backendModuleName" : {
"title" : "Backend Module Name",
"description" : "The name of the module that will be used to perform the authentication<br><br>The HTTP Basic authentication module collects the credentials from the user and then supplies said credentials to the backend authentication module using the shared state.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"backendModuleName" : {
"title" : "Backend Module Name",
"description" : "The name of the module that will be used to perform the authentication<br><br>The HTTP Basic authentication module collects the credentials from the user and then supplies said credentials to the backend authentication module using the shared state.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/jdbc
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"username" : {
"title" : "Database Username",
"description" : "This username will be used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"jdbcDriver" : {
"title" : "JDBC Driver",
"description" : "The class name of the JDBC driver to use.<br><br>The fully qualified class name of the JDBC driver to use to connect to the database. Only Oracle or MySQL drivers are supported. JDBC drivers for other databases may work, but the database will be treated as if it were Oracle.<br/><br/><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"password" : {
"title" : "Database Password",
"description" : "The password used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"passwordTransformClass" : {
"title" : "Class to Transform Password Syntax",
"description" : "This class is used to transform the supplied credentials from the database.<br><br>The default implementation for this property is <code>ClearTextTransform</code> that performs no transformation. If the supplied credentials need to be transformed before comparing with the password field retrieved from the database, a custom implementation should be provided. Any custom implementation must implement the following interface <code>com.sun.identity.authentication.modules.jdbc.JDBCPasswordSyntaxTransform</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"passwordStatement" : {
"title" : "Prepared Statement",
"description" : "The SQL statement used to search the database for user passwords<br><br>The SQL statement used to search the database for the user password. A single property of the supplied username is provided by the module. The result of the search should be a single row that contains the password for the user under the specified column.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC URL",
"description" : "The JDBC URL used to initialise the JDBC driver<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"connectionPoolJndiName" : {
"title" : "Connection Pool JNDI Name",
"description" : "The JNDI URL to the JDBC connection pool<br><br>The JNDI URL refers to the JDBC connection pool created in the J2EE container for the authentication database.<br/><br/><i>NB </i>Only used when connection type is JNDI",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"connectionType" : {
"title" : "Connection Type",
"description" : "Controls how the authentication module will obtain the JDBC connection to the database.<br><br>If the connection type is a non-persistent JDBC connection, then the JDBC driver must be available to the OpenAM web-app. If the connection type is JNDI, the OpenAM web application deployment descriptor <code>web.xml</code> must be updated to include the correct JNDI JDBC resource information. The J2EE container must also be configured with the correct JNDI JDBC configuration.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"passwordColumn" : {
"title" : "Password Column Name",
"description" : "The name of the column in the database containing the user passwords<br><br>This property will be used to retrieve the correct column containing the password from the results table returned by the database",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"username" : {
"title" : "Database Username",
"description" : "This username will be used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"jdbcDriver" : {
"title" : "JDBC Driver",
"description" : "The class name of the JDBC driver to use.<br><br>The fully qualified class name of the JDBC driver to use to connect to the database. Only Oracle or MySQL drivers are supported. JDBC drivers for other databases may work, but the database will be treated as if it were Oracle.<br/><br/><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"password" : {
"title" : "Database Password",
"description" : "The password used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"passwordTransformClass" : {
"title" : "Class to Transform Password Syntax",
"description" : "This class is used to transform the supplied credentials from the database.<br><br>The default implementation for this property is <code>ClearTextTransform</code> that performs no transformation. If the supplied credentials need to be transformed before comparing with the password field retrieved from the database, a custom implementation should be provided. Any custom implementation must implement the following interface <code>com.sun.identity.authentication.modules.jdbc.JDBCPasswordSyntaxTransform</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"passwordStatement" : {
"title" : "Prepared Statement",
"description" : "The SQL statement used to search the database for user passwords<br><br>The SQL statement used to search the database for the user password. A single property of the supplied username is provided by the module. The result of the search should be a single row that contains the password for the user under the specified column.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC URL",
"description" : "The JDBC URL used to initialise the JDBC driver<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"connectionPoolJndiName" : {
"title" : "Connection Pool JNDI Name",
"description" : "The JNDI URL to the JDBC connection pool<br><br>The JNDI URL refers to the JDBC connection pool created in the J2EE container for the authentication database.<br/><br/><i>NB </i>Only used when connection type is JNDI",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"connectionType" : {
"title" : "Connection Type",
"description" : "Controls how the authentication module will obtain the JDBC connection to the database.<br><br>If the connection type is non-persistent JDBC connection then the JDBC driver must be available to the OpenAM web-app. If the connection type is JNDI, the OpenAM web application deployment descriptor <code>web.xml</code> must be updated to include the correct JNDI JDBC resource information. The J2EE container must also be configured with the correct JNDI JDBC configuration.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"passwordColumn" : {
"title" : "Password Column Name",
"description" : "The name of the column in the database containing the user passwords<br><br>This property will be used to retrieve the correct column containing the password from the results table returned by the database",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/ldap
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"primaryLdapServer" : {
"title" : "Primary LDAP Server",
"description" : "Use this list to set the primary LDAP server used for authentication. <br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls from the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"secondaryLdapServer" : {
"title" : "Secondary LDAP Server",
"description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"beheraPasswordPolicySupportEnabled" : {
"title" : "LDAP Behera Password Policy Support",
"description" : "Enables support for modern LDAP password policies<br><br>LDAP Behera Password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"primaryLdapServer" : {
"title" : "Primary LDAP Server",
"description" : "Use this list to set the primary LDAP server used for authentication. <br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls from the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"secondaryLdapServer" : {
"title" : "Secondary LDAP Server",
"description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"beheraPasswordPolicySupportEnabled" : {
"title" : "LDAP Behera Password Policy Support",
"description" : "Enables support for modern LDAP password policies<br><br>LDAP Behera Password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/membership
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "The minimum length of the user password.<br><br>Setting this value to 0 disables this functionality.<br/><br/><i>NB </i>This feature is separate from any password policy in the underlying data store",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"defaultUserStatus" : {
"title" : "User Status After Registration",
"description" : "Determines if the user account should be automatically active after registration completes.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"defaultUserRoles" : {
"title" : "Default User Roles",
"description" : "The role DN's that will be assigned to the user.<br><br><i>NB </i>Roles are only supported in Sun Directory Server Enterprise Edition",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "The minimum length of the user password.<br><br>Setting this value to 0 disables this functionality.<br/><br/><i>NB </i>This feature is separate from any password policy in the underlying data store",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"defaultUserStatus" : {
"title" : "User Status After Registration",
"description" : "Determines if the user account should be automatically active after registration completes.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"defaultUserRoles" : {
"title" : "Default User Roles",
"description" : "The role DN's that will be assigned to the user.<br><br><i>NB </i>Roles are only supported in Sun Directory Server Enterprise Edition",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/msisdn
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"msisdnRequestSearchLocations" : {
"title" : "MSISDN Header Search Attribute",
"description" : "Controls the elements that are searched by the authentication module ",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ldapUserBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"ldapUserBindDN" : {
"title" : "LDAP Server Authentication User ",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The MSISDN module authenticates to the LDAP server in order to search for a matching number. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"trustedGatewayIPAddresses" : {
"title" : "Trusted Gateway IP Address",
"description" : "The list of IP address that are trusted to send MSISDN authentication requests.<br><br>The client IP address of the authentication request is checked against this list, if the client IP is not listed then the authentication module will fail.<br/><br/><i>NB </i>If the list is empty then all hosts will be trusted.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ldapSslEnabled" : {
"title" : "SSL/TLS for LDAP Access",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"msisdnParameterNames" : {
"title" : "MSISDN Number Search Parameter Name",
"description" : "Name of the HTTP cookie, header or query parameter containing the MSISDN number<br><br>The MSISDN authentication module will check the incoming HTTP cookie, header or query parameter of the request for the MSISDN number. The order of checking is as follows:<br/><br/><ol><li>Cookie</li><li>Header</li><li>Query</li></ol><br/><br/><i>NB </i>The <i>MSISDN Header Search Attribute</i> controls what elements of the request is searched",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"ldapProviderUrl" : {
"title" : "LDAP Server and Port ",
"description" : "Use this list to set the LDAP server used to search for the MSISDN number. <br><br>The MSISDN authentication module will use this list as the server that is searched for a matching MSISDN number. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1100,
"required" : true,
"type" : "boolean"
},
"msisdnUserNamingAttribute" : {
"title" : "LDAP Attribute Used to Retrieve User Profile",
"description" : "The name of the attribute returned from the user profile matched against the supplied MSISDN number",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"userProfileMsisdnAttribute" : {
"title" : "Attribute To Use To Search LDAP",
"description" : "The name of the attribute searched in the user profiles for the MSISDN number",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"baseSearchDN" : {
"title" : "LDAP Start Search DN",
"description" : "The start point in the LDAP server for the MSISDN search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"msisdnRequestSearchLocations" : {
"title" : "MSISDN Header Search Attribute",
"description" : "Controls the elements that are searched by the authentication module ",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ldapUserBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"ldapUserBindDN" : {
"title" : "LDAP Server Authentication User ",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The MSISDN module authenticates to the LDAP server in order to search for a matching number. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"trustedGatewayIPAddresses" : {
"title" : "Trusted Gateway IP Address",
"description" : "The list of IP address that are trusted to send MSISDN authentication requests.<br><br>The client IP address of the authentication request is checked against this list, if the client IP is not listed then the authentication module will fail.<br/><br/><i>NB </i>If the list is empty then all hosts will be trusted.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ldapSslEnabled" : {
"title" : "SSL/TLS for LDAP Access",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"msisdnParameterNames" : {
"title" : "MSISDN Number Search Parameter Name",
"description" : "Name of the HTTP cookie, header or query parameter containing the MSISDN number<br><br>The MSISDN authentication module will check the incoming HTTP cookie, header or query parameter of the request for the MSISDN number. The order of checking is as follows:<br/><br/><ol><li>Cookie</li><li>Header</li><li>Query</li></ol><br/><br/><i>NB </i>The <i>MSISDN Header Search Attribute</i> controls what elements of the request is searched",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"ldapProviderUrl" : {
"title" : "LDAP Server and Port ",
"description" : "Use this list to set the LDAP server used to search for the MSISDN number. <br><br>The MSISDN authentication module will use this list as the server that is searched for a matching MSISDN number. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1100,
"required" : true,
"type" : "boolean"
},
"msisdnUserNamingAttribute" : {
"title" : "LDAP Attribute Used to Retrieve User Profile",
"description" : "The name of the attribute returned from the user profile matched against the supplied MSISDN number",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"userProfileMsisdnAttribute" : {
"title" : "Attribute To Use To Search LDAP",
"description" : "The name of the attribute searched in the user profiles for the MSISDN number",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"baseSearchDN" : {
"title" : "LDAP Start Search DN",
"description" : "The start point in the LDAP server for the MSISDN search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/oath
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"secretKeyAttribute" : {
"title" : "Secret Key Attribute Name",
"description" : "The name of the attribute in the user profile to store the user secret key.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"forgerock-oath-sharedsecret-implementation-class" : {
"title" : "The Shared Secret Provider Class",
"description" : "The fully qualified class name for the Shared Secret Provider extension.<br><br>The class that is used to process the user profile attribute used to store the user secret key.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"oathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
},
"addChecksum" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"passwordLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated OTP in digits. Must be 6 digits or longer.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"hotpCounterAttribute" : {
"title" : "Counter Attribute Name",
"description" : "The name of the attribute in the user profile to store the user counter. This is required if HOTP is chosen as the OATH algorithm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"lastLoginTimeAttribute" : {
"title" : "Last Login Time Attribute",
"description" : "Attribute to store the time of the users last login. This is required if TOTP is chosen as the OATH algorithm.<br><br>This attribute stores the last time a user logged in to prevent time based attacks. The value is stored as a number (Unix Time).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"forgerock-oath-observed-clock-drift-attribute-name" : {
"title" : "Clock Drift Attribute Name",
"description" : "The name of the attribute in the user profile to store the clock drift. If left empty then clock drift checking is disabled.<br><br>The name of the attribute used to store the last observed clock drift which is used to indicated when a manual resynchronisation is required.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"forgerock-oath-maximum-clock-drift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. This should be greater than the TOTP Time Steps value.<br><br>As this checks the time drift over multiple requests it needs to be greater than the value specified in TOTP Time Steps.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"stepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 2 time steps and a time step interval of 30 seconds the server will allow a clock drift between client and server of 89 seconds. (2-30 second steps and 29 seconds for the interval that the OTP arrived in)",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"timeStepSize" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"secretKeyAttribute" : {
"title" : "Secret Key Attribute Name",
"description" : "The name of the attribute in the user profile to store the user secret key.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"forgerock-oath-sharedsecret-implementation-class" : {
"title" : "The Shared Secret Provider Class",
"description" : "The fully qualified class name for the Shared Secret Provider extension.<br><br>The class that is used to process the user profile attribute used to store the user secret key.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"oathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
},
"addChecksum" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"passwordLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated OTP in digits. Must be 6 digits or longer.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"hotpCounterAttribute" : {
"title" : "Counter Attribute Name",
"description" : "The name of the attribute in the user profile to store the user counter. This is required if HOTP is chosen as the OATH algorithm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"lastLoginTimeAttribute" : {
"title" : "Last Login Time Attribute",
"description" : "Attribute to store the time of the users last login. This is required if TOTP is chosen as the OATH algorithm.<br><br>This attribute stores the last time a user logged in to prevent time based attacks. The value is stored as a number (Unix Time).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"forgerock-oath-observed-clock-drift-attribute-name" : {
"title" : "Clock Drift Attribute Name",
"description" : "The name of the attribute in the user profile to store the clock drift. If left empty then clock drift checking is disabled.<br><br>The name of the attribute used to store the last observed clock drift which is used to indicated when a manual resynchronisation is required.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"forgerock-oath-maximum-clock-drift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. This should be greater than the TOTP Time Steps value.<br><br>As this checks the time drift over multiple requests it needs to be greater than the value specified in TOTP Time Steps.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"stepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 2 time steps and a time step interval of 30 seconds the server will allow a clock drift between client and server of 89 seconds. (2-30 second steps and 29 seconds for the interval that the OTP arrived in)",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"timeStepSize" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
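The OATH module settings above (HOTP Window Size, TOTP Time Steps, TOTP Time Step Interval, Last Login Time Attribute, Maximum Allowed Clock Drift) together describe a windowed OTP verifier. The Python below is an added illustration of that verification logic, not OpenAM's own code: the key is the RFC 4226 test-vector secret, and the user-profile attributes are simplified to plain function arguments.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test-vector key (ASCII "12345678901234567890"). A real
# deployment reads the per-user key from the Secret Key Attribute, never a constant.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, otp: str, last_counter: int, window_size: int,
                digits: int = 6):
    """HOTP Window Size semantics: with window 100 and last accepted counter 2 the
    server accepts device counters 3..102. Returns the matching counter (the value
    to write back to the Counter Attribute) or None. Counters at or below
    last_counter are never re-accepted, so a captured OTP cannot be replayed."""
    for counter in range(last_counter + 1, last_counter + window_size + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), otp):
            return counter
    return None


def max_accepted_drift(steps_in_window: int, time_step_size: int) -> int:
    """Worst-case client/server skew still accepted: N whole steps plus the remainder
    of the step the OTP arrives in (2 steps x 30 s + 29 s = 89 s, as the schema says)."""
    return steps_in_window * time_step_size + time_step_size - 1


def verify_totp(secret: bytes, otp: str, now: int, last_login: int,
                time_step_size: int, steps_in_window: int, digits: int = 6):
    """TOTP Time Steps semantics: check the step the OTP arrived in plus
    steps_in_window steps on either side. Any step at or before the step of
    last_login (the Last Login Time Attribute, Unix time) is rejected, which is
    what stops an observed OTP being reused inside the window.
    Returns the accepted step or None."""
    current_step = now // time_step_size
    last_step = last_login // time_step_size
    for delta in range(-steps_in_window, steps_in_window + 1):
        step = current_step + delta
        if step <= last_step:
            continue  # already consumed: replay protection
        if hmac.compare_digest(hotp(secret, step, digits), otp):
            return step
    return None


def needs_resync(accepted_step: int, current_step: int, max_clock_drift: int) -> bool:
    """Maximum Allowed Clock Drift: the drift stored in the Clock Drift Attribute is
    accepted_step - current_step. Once it exceeds max_clock_drift in either direction
    a manual resynchronisation is required even though each OTP still verified,
    which is why this value must exceed TOTP Time Steps."""
    return abs(accepted_step - current_step) > max_clock_drift


if __name__ == "__main__":
    # HOTP: last counter 2, window 100 -> counter 3 accepted, counter 2 rejected.
    print(verify_hotp(SECRET, hotp(SECRET, 3), 2, 100))   # 3
    print(verify_hotp(SECRET, hotp(SECRET, 2), 2, 100))   # None
    # TOTP: now=167 s -> step 5 with 30 s steps; window +-2 covers steps 3..7.
    print(max_accepted_drift(2, 30))                      # 89
    print(verify_totp(SECRET, hotp(SECRET, 6), 167, 0, 30, 2))    # 6
    print(verify_totp(SECRET, hotp(SECRET, 6), 167, 180, 30, 2))  # None (replay)
```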
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/oauth2
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/> Default: <code>email, read_stream</code> (Facebook example)",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"accessTokenEndpointUrl" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"smtpHostPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"openidConnectIssuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 3200,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"format" : "password"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 2600,
"required" : true,
"type" : "string",
"format" : "password"
},
"logoutBehaviour" : {
"title" : "Logout options",
"description" : "Controls how Logout options will be presented to the user.<br><br>The OAuth module has the following logout options for the user:<br/><br/><ul><li>Prompt: Prompt the user to logout from the OAuth 2.0 Provider</li><li>Logout: Logout from the OAuth 2.0 Provider and do not prompt</li><li>Do not logout: Do not logout the user from the OAuth 2.0 Provider and do not prompt</li></ul>",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"smtpHostName" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"accessTokenParameterName" : {
"title" : "OAuth2 Access Token Profile Service Parameter name",
"description" : "The name of the parameter that will contain the access token value when accessing the profile service",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1800,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"oauth2LogoutServiceUrl" : {
"title" : "OAuth 2.0 Provider logout service",
"description" : "The URL of the OAuth Identity Provider's Logout service<br><br>OAuth 2.0 Identity Providers can have a logout service. If this logout functionality is required, the URL of the Logout endpoint should be configured here.",
"propertyOrder" : 2000,
"required" : true,
"type" : "string"
},
"oauth2EmailAttribute" : {
"title" : "Email attribute in OAuth2 Response",
"description" : "Attribute from the OAuth2 response used to send activation code emails.<br><br>The attribute in the response from the profile service in the OAuth 2.0 Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"authenticationEndpointUrl" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"userProfileServiceUrl" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2900,
"required" : true,
"type" : "integer"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"mailGatewayClass" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. A custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"openidConnectContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"promptForPassword" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"openidConnectContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery URL, the JWK URL, or the client_secret, corresponding to the selection above.<br><br>If a discovery or JWK URL is entered, it must be a valid URL, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret is selected, this entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 3100,
"required" : true,
"type" : "string"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/> Default: <code>email, read_stream</code> (Facebook example)",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"accessTokenEndpointUrl" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"smtpHostPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"openidConnectIssuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 3200,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"format" : "password"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 2600,
"required" : true,
"type" : "string",
"format" : "password"
},
"logoutBehaviour" : {
"title" : "Logout options",
"description" : "Controls how Logout options will be presented to the user.<br><br>The OAuth module has the following logout options for the user:<br/><br/><ul><li>Prompt: Prompt the user to logout from the OAuth 2.0 Provider</li><li>Logout: Logout from the OAuth 2.0 Provider and do not prompt</li><li>Do not logout: Do not logout the user from the OAuth 2.0 Provider and do not prompt</li></ul>",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"smtpHostName" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"accessTokenParameterName" : {
"title" : "OAuth2 Access Token Profile Service Parameter name",
"description" : "The name of the parameter that will contain the access token value when accessing the profile service",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, users authenticated by the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1800,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"oauth2LogoutServiceUrl" : {
"title" : "OAuth 2.0 Provider logout service",
"description" : "The URL of the OAuth Identity Provider's Logout service<br><br>OAuth 2.0 Identity Providers can have a logout service. If this logout functionality is required, the URL of the Logout endpoint should be configured here.",
"propertyOrder" : 2000,
"required" : true,
"type" : "string"
},
"oauth2EmailAttribute" : {
"title" : "Email attribute in OAuth2 Response",
"description" : "Attribute from the OAuth2 response used to send activation code emails.<br><br>The attribute in the response from the profile service in the OAuth 2.0 Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"authenticationEndpointUrl" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"userProfileServiceUrl" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2900,
"required" : true,
"type" : "integer"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"mailGatewayClass" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. A custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"openidConnectContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"promptForPassword" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"openidConnectContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery URL, the JWK URL, or the client_secret, corresponding to the selection above.<br><br>If a discovery or JWK URL is entered, it must be a valid URL, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret is selected, this entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 3100,
"required" : true,
"type" : "string"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/openidconnect
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "The discovery URL, the JWK URL, or the client_secret, corresponding to the selection above.<br><br>If a discovery or JWK URL is entered, it must be a valid URL, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret is selected, this entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"useSubClaimIfNoMatch" : {
"title" : "Use \"sub\" claim if no match",
"description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"jwtToLdapAttributeMappings" : {
"title" : "Mapping of jwt attributes to local LDAP attributes",
"description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 301,
"required" : true,
"type" : "string",
"format" : "password"
},
"idTokenIssuer" : {
"title" : "Name of OpenID Connect ID Token Issuer",
"description" : "Value must match the iss field in issued ID Token",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"acceptedAuthorizedParties" : {
"title" : "List of accepted authorized parties",
"description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account provider class",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. A custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"audienceName" : {
"title" : "Audience name",
"description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"principalMapperClass" : {
"title" : "Principal mapper class",
"description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"idTokenHeaderName" : {
"title" : "Name of header referencing the ID Token",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "The discovery URL, the JWK URL, or the client_secret, corresponding to the selection above.<br><br>If a discovery or JWK URL is entered, it must be a valid URL, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret is selected, this entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"useSubClaimIfNoMatch" : {
"title" : "Use \"sub\" claim if no match",
"description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"jwtToLdapAttributeMappings" : {
"title" : "Mapping of jwt attributes to local LDAP attributes",
"description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 301,
"required" : true,
"type" : "string",
"format" : "password"
},
"idTokenIssuer" : {
"title" : "Name of OpenID Connect ID Token Issuer",
"description" : "Value must match the iss field in issued ID Token",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"acceptedAuthorizedParties" : {
"title" : "List of accepted authorized parties",
"description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account provider class",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. A custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"audienceName" : {
"title" : "Audience name",
"description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"principalMapperClass" : {
"title" : "Principal mapper class",
"description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"idTokenHeaderName" : {
"title" : "Name of header referencing the ID Token",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/persistentcookie
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"maxLife" : {
"title" : "Max Life",
"description" : "The maximum length of time the persistent cookie is valid for, in hours.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"useSecureCookie" : {
"title" : "Use secure cookie",
"description" : "Sets the persistent cookie as \"Secure\"",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"useHttpOnlyCookie" : {
"title" : "Use HTTP only cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\"",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"hmacKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"cookieName" : {
"title" : "Persistent Cookie Name",
"description" : "Sets the name of the persistent cookie",
"required" : true,
"type" : "string"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"enforceClientIP" : {
"title" : "Enforce Client IP",
"description" : "Enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"maxLife" : {
"title" : "Max Life",
"description" : "The maximum length of time the persistent cookie is valid for, in hours.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"useSecureCookie" : {
"title" : "Use secure cookie",
"description" : "Sets the persistent cookie as \"Secure\"",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"useHttpOnlyCookie" : {
"title" : "Use HTTP only cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\"",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"hmacKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"cookieName" : {
"title" : "Persistent Cookie Name",
"description" : "Sets the name of the persistent cookie",
"required" : true,
"type" : "string"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"enforceClientIP" : {
"title" : "Enforce Client IP",
"description" : "Enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/radius
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"secondaryRadiusServers" : {
"title" : "Secondary Radius Servers",
"description" : "A list of secondary Radius servers that will be used for authentication, in case the primary servers are unavailable.<br><br>The module will use secondary servers for authentication if all primary servers are unavailable. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"serverPortNumber" : {
"title" : "Port Number",
"description" : "Port number on which the RADIUS server is listening.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"serverTimeout" : {
"title" : "Timeout",
"description" : "Amount of time in seconds to wait for the RADIUS server response.<br><br>This sets the <code>SO_TIMEOUT</code> timeout on the packet. ",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"primaryRadiusServers" : {
"title" : "Primary Radius Servers",
"description" : "A list of primary Radius servers that will be used for authentication<br><br>The module will use these servers in preference to the secondary servers. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sharedSecret" : {
"title" : "Shared Secret",
"description" : "The secret shared between the RADIUS server and the authentication module.",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"healthCheckInterval" : {
"title" : "Health check interval",
"description" : "The interval between checks to unavailable RADIUS servers, in minutes. <br><br>Determines how often OpenAM checks an offline server's status. The check will send an invalid authentication request to the RADIUS server. Offline servers will not be used until the healthcheck was successful. Primary servers that become available will be used in preference to secondary servers.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"secondaryRadiusServers" : {
"title" : "Secondary Radius Servers",
"description" : "A list of secondary Radius servers that will be used for authentication, in case the primary servers are unavailable.<br><br>The module will use secondary servers for authentication if all primary servers are unavailable. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"serverPortNumber" : {
"title" : "Port Number",
"description" : "Port number on which the RADIUS server is listening.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"serverTimeout" : {
"title" : "Timeout",
"description" : "Amount of time in seconds to wait for the RADIUS server response.<br><br>This sets the <code>SO_TIMEOUT</code> timeout on the packet. ",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"primaryRadiusServers" : {
"title" : "Primary Radius Servers",
"description" : "A list of primary Radius servers that will be used for authentication<br><br>The module will use these servers in preference to the secondary servers. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sharedSecret" : {
"title" : "Shared Secret",
"description" : "The secret shared between the RADIUS server and the authentication module.",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"healthCheckInterval" : {
"title" : "Health check interval",
"description" : "The interval between checks to unavailable RADIUS servers, in minutes. <br><br>Determines how often OpenAM checks an offline server's status. The check will send an invalid authentication request to the RADIUS server. Offline servers will not be used until the healthcheck was successful. Primary servers that become available will be used in preference to secondary servers.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/sae
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/scripted
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/securid
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"serverConfigPath" : {
"title" : "ACE/Server Configuration Path",
"description" : "The path to the ACE/Server configuration files",
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"serverConfigPath" : {
"title" : "ACE/Server Configuration Path",
"description" : "The path to the ACE/Server configuration files",
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/windowsdesktopsso
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"trustedKerberosRealms" : {
"title" : "Trusted Kerberos realms",
"description" : "List of trusted Kerberos realms for User Kerberos tickets.<br><br>If realms are configured, then Kerberos tickets are only accepted if the realm part of the UserPrincipalName of the Users Kerberos ticket matches a realm from the list.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"kerberosServerName" : {
"title" : "Kerberos Server Name",
"description" : "The hostname/IP address of the Kerberos (Active Directory) server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"lookupUserInRealm" : {
"title" : "Search for the user in the realm",
"description" : "Validate that the user has a matched user profile configured in the data store.<br><br>If this option is enabled, the module validates whether the account corresponds to a user profile in the Data Store for the realm. The attributes to perform the search are configured under <i>Access Control > Realm Name > Authentication > All Core settings > Alias Search Attribute Name</i>.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"returnPrincipalWithDomainName" : {
"title" : "Return Principal with Domain Name",
"description" : "Returns the fully qualified name of the authenticated user rather than just the username.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"keytabFileName" : {
"title" : "Keytab File Name",
"description" : "The path of the AD keytab file<br><br>This is the absolute pathname of the AD keytab file. The keytab file is generated by the Active Directory server.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"kerberosRealm" : {
"title" : "Kerberos Realm",
"description" : "The name of the Kerberos (Active Directory) realm used for authentication",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"principalName" : {
"title" : "Service Principal",
"description" : "The name of the Kerberos principal used during authentication<br><br>This principal must match the name used in the keytab file created from the Active Directory server.<br/>The format of the field is as follows:<br/><br/><code>HTTP/openam.forgerock.com@AD_DOMAIN.COM</code>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"trustedKerberosRealms" : {
"title" : "Trusted Kerberos realms",
"description" : "List of trusted Kerberos realms for User Kerberos tickets.<br><br>If realms are configured, then Kerberos tickets are only accepted if the realm part of the UserPrincipalName of the Users Kerberos ticket matches a realm from the list.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"kerberosServerName" : {
"title" : "Kerberos Server Name",
"description" : "The hostname/IP address of the Kerberos (Active Directory) server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"lookupUserInRealm" : {
"title" : "Search for the user in the realm",
"description" : "Validate that the user has a matched user profile configured in the data store.<br><br>If this option is enabled, the module validates whether the account corresponds to a user profile in the Data Store for the realm. The attributes to perform the search are configured under <i>Access Control > Realm Name > Authentication > All Core settings > Alias Search Attribute Name</i>.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"returnPrincipalWithDomainName" : {
"title" : "Return Principal with Domain Name",
"description" : "Returns the fully qualified name of the authenticated user rather than just the username.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"keytabFileName" : {
"title" : "Keytab File Name",
"description" : "The path of the AD keytab file<br><br>This is the absolute pathname of the AD keytab file. The keytab file is generated by the Active Directory server.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"kerberosRealm" : {
"title" : "Kerberos Realm",
"description" : "The name of the Kerberos (Active Directory) realm used for authentication",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"principalName" : {
"title" : "Service Principal",
"description" : "The name of the Kerberos principal used during authentication<br><br>This principal must match the name used in the keytab file created from the Active Directory server.<br/>The format of the field is as follows:<br/><br/><code>HTTP/openam.forgerock.com@AD_DOMAIN.COM</code>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/authentication/modules/windowsnt
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authenticationHost" : {
"title" : "Authentication Host",
"description" : "The name of the Windows NT Domain Controller.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"authenticationDomain" : {
"title" : "Authentication Domain",
"description" : "The name of the Windows Domain used for authentication",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"sambaConfigurationFileName" : {
"title" : "Samba Configuration File Name",
"description" : "The path to the Samba configuration file.<br><br>The Windows NT authentication module uses the <code>smbclient</code> command to validate the user credentials against the Windows domain controller.<br/><br/>For example: <code>/opt/openam/smb.conf</code><br/><br/><i>NB </i>The <code>smbclient</code> command must be available in the <code>PATH</code> environment variable associated with OpenAM.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authenticationHost" : {
"title" : "Authentication Host",
"description" : "The name of the Windows NT Domain Controller.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"authenticationDomain" : {
"title" : "Authentication Domain",
"description" : "The name of the Windows Domain used for authentication",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"sambaConfigurationFileName" : {
"title" : "Samba Configuration File Name",
"description" : "The path to the Samba configuration file.<br><br>The Windows NT authentication module uses the <code>smbclient</code> command to validate the user credentials against the Windows domain controller.<br/><br/>For example: <code>/opt/openam/smb.conf</code><br/><br/><i>NB </i>The <code>smbclient</code> command must be available in the <code>PATH</code> environment variable associated with OpenAM.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/realms
1.0
The endpoint for Realm operations
Create
Create a Realm
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Represents a Realm Resource",
"type" : "object",
"title" : "Realm",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "The name of the Realm"
},
"active" : {
"type" : "boolean",
"title" : "Active",
"description" : "True if the Realm is active"
},
"parentPath" : {
"type" : "string",
"title" : "Parent",
"description" : "The path of the Realm's parent Realm"
},
"aliases" : {
"type" : "array",
"title" : "Aliases",
"description" : "Aliases which can be used to reference the Realm",
"items" : {
"type" : "string"
}
}
},
"required" : [ "name", "active", "parentPath", "aliases" ]
}
| Code | Description |
|---|---|
| | error.unexpected.bad.request.description |
| | error.unexpected.server.error.description |
Query by Filter
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Represents a Realm Resource",
"type" : "object",
"title" : "Realm",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "The name of the Realm"
},
"active" : {
"type" : "boolean",
"title" : "Active",
"description" : "True if the Realm is active"
},
"parentPath" : {
"type" : "string",
"title" : "Parent",
"description" : "The path of the Realm's parent Realm"
},
"aliases" : {
"type" : "array",
"title" : "Aliases",
"description" : "Aliases which can be used to reference the Realm",
"items" : {
"type" : "string"
}
}
},
"required" : [ "name", "active", "parentPath", "aliases" ]
}
/global-config/realms/{realmref}
1.0
The endpoint for Realm operations
Read
Read a Realm
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | pathparam.description | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Represents a Realm Resource",
"type" : "object",
"title" : "Realm",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "The name of the Realm"
},
"active" : {
"type" : "boolean",
"title" : "Active",
"description" : "True if the Realm is active"
},
"parentPath" : {
"type" : "string",
"title" : "Parent",
"description" : "The path of the Realm's parent Realm"
},
"aliases" : {
"type" : "array",
"title" : "Aliases",
"description" : "Aliases which can be used to reference the Realm",
"items" : {
"type" : "string"
}
}
},
"required" : [ "name", "active", "parentPath", "aliases" ]
}
| Code | Description |
|---|---|
| | error.unexpected.server.error.description |
Update
Update a Realm
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | pathparam.description | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Represents a Realm Resource",
"type" : "object",
"title" : "Realm",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "The name of the Realm"
},
"active" : {
"type" : "boolean",
"title" : "Active",
"description" : "True if the Realm is active"
},
"parentPath" : {
"type" : "string",
"title" : "Parent",
"description" : "The path of the Realm's parent Realm"
},
"aliases" : {
"type" : "array",
"title" : "Aliases",
"description" : "Aliases which can be used to reference the Realm",
"items" : {
"type" : "string"
}
}
},
"required" : [ "name", "active", "parentPath", "aliases" ]
}
| Code | Description |
|---|---|
| | error.unexpected.server.error.description |
Delete
Delete a Realm
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | pathparam.description | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Represents a Realm Resource",
"type" : "object",
"title" : "Realm",
"properties" : {
"name" : {
"type" : "string",
"title" : "Name",
"description" : "The name of the Realm"
},
"active" : {
"type" : "boolean",
"title" : "Active",
"description" : "True if the Realm is active"
},
"parentPath" : {
"type" : "string",
"title" : "Parent",
"description" : "The path of the Realm's parent Realm"
},
"aliases" : {
"type" : "array",
"title" : "Aliases",
"description" : "Aliases which can be used to reference the Realm",
"items" : {
"type" : "string"
}
}
},
"required" : [ "name", "active", "parentPath", "aliases" ]
}
| Code | Description |
|---|---|
| | error.unexpected.server.error.description |
/global-config/servers
1.0
Servers resource provider is responsible for managing Servers and their configuration for an OpenAM instance.
Create
Create a Server.
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Describes the data that a Server Resource could contain.",
"type" : "object",
"title" : "Server resource schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Server id",
"description" : "Unique identifier of the Server."
},
"siteName" : {
"type" : "string",
"title" : "Site name",
"description" : "The Server's name."
},
"url" : {
"type" : "string",
"title" : "Url",
"description" : "The URL of the Server."
}
}
}
Query by Filter
Query the collection of the Servers.
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Describes the data that a Server Resource could contain.",
"type" : "object",
"title" : "Server resource schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Server id",
"description" : "Unique identifier of the Server."
},
"siteName" : {
"type" : "string",
"title" : "Site name",
"description" : "The Server's name."
},
"url" : {
"type" : "string",
"title" : "Url",
"description" : "The URL of the Server."
}
}
}
| Code | Description |
|---|---|
| | Invalid query. |
| | The required query with the given parameters is not supported. |
| | An internal error occurred. Causes may be one of: Could not get connection; Could not complete search; Unexpected LDAP result type. |
/global-config/servers/server-default/properties/advanced
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Value",
"description" : "Any string value"
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "An object of property key-value pairs",
"type" : "object",
"title" : "Advanced Properties"
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Value",
"description" : "Any string value"
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "An object of property key-value pairs",
"type" : "object",
"title" : "Advanced Properties"
}
/global-config/servers/server-default/properties/cts
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.org.forgerock.services.cts.store.common.section" : {
"title" : "CTS Token Store",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"org.forgerock.services.cts.store.location" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"title" : "Store Mode",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.cts.store.root.suffix" : {
"type" : "string",
"title" : "Root Suffix",
"propertyOrder" : 1,
"required" : true
},
"org.forgerock.services.cts.store.max.connections" : {
"type" : "string",
"title" : "Max Connections",
"propertyOrder" : 2,
"required" : true
}
}
},
"amconfig.org.forgerock.services.cts.store.external.section" : {
"title" : "External Store Configuration",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"org.forgerock.services.cts.store.ssl.enabled" : {
"type" : "boolean",
"title" : "SSL/TLS Enabled",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.cts.store.directory.name" : {
"type" : "string",
"title" : "Connection String(s)",
"propertyOrder" : 1,
"required" : true,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where the server and site IDs are optional parameters that give that connection priority for use by the specified server or site. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
},
"org.forgerock.services.cts.store.loginid" : {
"type" : "string",
"title" : "Login Id",
"propertyOrder" : 2,
"required" : true
},
"org.forgerock.services.cts.store.password" : {
"type" : "string",
"title" : "Password",
"propertyOrder" : 3,
"required" : true,
"format" : "password"
},
"org.forgerock.services.cts.store.heartbeat" : {
"type" : "integer",
"title" : "Heartbeat",
"propertyOrder" : 4,
"required" : true
},
"org.forgerock.services.cts.store.affinity.enabled" : {
"type" : "boolean",
"title" : "Affinity Enabled",
"propertyOrder" : 5,
"required" : true,
"description" : "Enables affinity based request load balancing when accessing the CTS servers. It is imperative that the connection string setting is set to the same value for all OpenAM servers in the deployment when this feature is enabled."
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.org.forgerock.services.cts.store.common.section" : {
"title" : "CTS Token Store",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"org.forgerock.services.cts.store.location" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"title" : "Store Mode",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.cts.store.root.suffix" : {
"type" : "string",
"title" : "Root Suffix",
"propertyOrder" : 1,
"required" : true
},
"org.forgerock.services.cts.store.max.connections" : {
"type" : "string",
"title" : "Max Connections",
"propertyOrder" : 2,
"required" : true
}
}
},
"amconfig.org.forgerock.services.cts.store.external.section" : {
"title" : "External Store Configuration",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"org.forgerock.services.cts.store.ssl.enabled" : {
"type" : "boolean",
"title" : "SSL/TLS Enabled",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.cts.store.directory.name" : {
"type" : "string",
"title" : "Connection String(s)",
"propertyOrder" : 1,
"required" : true,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where the server and site IDs are optional parameters that give that connection priority for use by the specified server or site. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
},
"org.forgerock.services.cts.store.loginid" : {
"type" : "string",
"title" : "Login Id",
"propertyOrder" : 2,
"required" : true
},
"org.forgerock.services.cts.store.password" : {
"type" : "string",
"title" : "Password",
"propertyOrder" : 3,
"required" : true,
"format" : "password"
},
"org.forgerock.services.cts.store.heartbeat" : {
"type" : "integer",
"title" : "Heartbeat",
"propertyOrder" : 4,
"required" : true
},
"org.forgerock.services.cts.store.affinity.enabled" : {
"type" : "boolean",
"title" : "Affinity Enabled",
"propertyOrder" : 5,
"required" : true,
"description" : "Enables affinity based request load balancing when accessing the CTS servers. It is imperative that the connection string setting is set to the same value for all OpenAM servers in the deployment when this feature is enabled."
}
}
}
}
}
/global-config/servers/server-default/properties/directoryConfiguration
1.0
Connection details for directory server(s).
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"directoryConfiguration" : {
"type" : "object",
"title" : "Directory Configuration",
"propertyOrder" : 0,
"properties" : {
"minConnectionPool" : {
"title" : "Minimum Connection Pool",
"propertyOrder" : 0,
"type" : "number"
},
"maxConnectionPool" : {
"title" : "Maximum Connection Pool",
"propertyOrder" : 1,
"type" : "number"
},
"bindDn" : {
"title" : "Bind DN",
"propertyOrder" : 2,
"type" : "string"
},
"bindPassword" : {
"title" : "Bind Password",
"propertyOrder" : 3,
"type" : "string",
"format" : "password"
}
}
},
"directoryServers" : {
"type" : "array",
"title" : "Server",
"propertyOrder" : 1,
"items" : {
"type" : "object",
"required" : [ "serverName", "hostName", "portNumber", "connectionType" ],
"properties" : {
"serverName" : {
"title" : "Name",
"type" : "string",
"propertyOrder" : 0
},
"hostName" : {
"title" : "Host Name",
"type" : "string",
"propertyOrder" : 1
},
"portNumber" : {
"title" : "Port Number",
"type" : "string",
"propertyOrder" : 2
},
"connectionType" : {
"type" : "string",
"enum" : [ "SIMPLE", "SSL" ],
"options" : {
"enum_titles" : [ "SIMPLE", "SSL" ]
},
"title" : "Connection Type",
"propertyOrder" : 3
}
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"directoryConfiguration" : {
"type" : "object",
"title" : "Directory Configuration",
"propertyOrder" : 0,
"properties" : {
"minConnectionPool" : {
"title" : "Minimum Connection Pool",
"propertyOrder" : 0,
"type" : "number"
},
"maxConnectionPool" : {
"title" : "Maximum Connection Pool",
"propertyOrder" : 1,
"type" : "number"
},
"bindDn" : {
"title" : "Bind DN",
"propertyOrder" : 2,
"type" : "string"
},
"bindPassword" : {
"title" : "Bind Password",
"propertyOrder" : 3,
"type" : "string",
"format" : "password"
}
}
},
"directoryServers" : {
"type" : "array",
"title" : "Server",
"propertyOrder" : 1,
"items" : {
"type" : "object",
"required" : [ "serverName", "hostName", "portNumber", "connectionType" ],
"properties" : {
"serverName" : {
"title" : "Name",
"type" : "string",
"propertyOrder" : 0
},
"hostName" : {
"title" : "Host Name",
"type" : "string",
"propertyOrder" : 1
},
"portNumber" : {
"title" : "Port Number",
"type" : "string",
"propertyOrder" : 2
},
"connectionType" : {
"type" : "string",
"enum" : [ "SIMPLE", "SSL" ],
"options" : {
"enum_titles" : [ "SIMPLE", "SSL" ]
},
"title" : "Connection Type",
"propertyOrder" : 3
}
}
}
}
}
}
/global-config/servers/server-default/properties/general
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.installdir" : {
"title" : "System",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"com.iplanet.services.configpath" : {
"type" : "string",
"title" : "Base installation directory",
"propertyOrder" : 0,
"required" : true,
"description" : "Base directory where the product's data resides. (property name: com.iplanet.services.configpath)"
},
"com.iplanet.am.locale" : {
"type" : "string",
"title" : "Default Locale",
"propertyOrder" : 1,
"required" : true,
"description" : "Default locale for the product. (property name: com.iplanet.am.locale)"
},
"com.sun.identity.client.notification.url" : {
"type" : "string",
"title" : "Notification URL",
"propertyOrder" : 2,
"required" : true,
"description" : "The location of the notification service endpoint. It is usually the product's deployment URI/notificationservice. (property name: com.sun.identity.client.notification.url)"
},
"com.iplanet.am.util.xml.validating" : {
"enum" : [ "on", "off" ],
"options" : {
"enum_titles" : [ "On", "Off" ]
},
"type" : "string",
"title" : "XML Validation",
"propertyOrder" : 3,
"required" : true,
"description" : "Specifies if validation is required when parsing XML documents. (property name: com.iplanet.am.util.xml.validating)"
}
}
},
"amconfig.header.debug" : {
"title" : "Debugging",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.services.debug.level" : {
"enum" : [ "off", "error", "warning", "message" ],
"options" : {
"enum_titles" : [ "Off", "Error", "Warning", "Message" ]
},
"type" : "string",
"title" : "Debug Level",
"propertyOrder" : 0,
"required" : true,
"description" : "Debug level for all components in the product. (property name: com.iplanet.services.debug.level)"
},
"com.sun.services.debug.mergeall" : {
"enum" : [ "on", "off" ],
"options" : {
"enum_titles" : [ "On", "Off" ]
},
"type" : "string",
"title" : "Merge Debug Files",
"propertyOrder" : 1,
"required" : true,
"description" : "On : Directs all debug data to a single file (debug.out); Off : creates separate per-component debug files (property name : com.sun.services.debug.mergeall)"
},
"com.iplanet.services.debug.directory" : {
"type" : "string",
"title" : "Debug Directory",
"propertyOrder" : 2,
"required" : true,
"description" : "Directory where debug files reside. (property name: com.iplanet.services.debug.directory)"
}
}
},
"amconfig.header.mailserver" : {
"title" : "Mail Server",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.smtphost" : {
"type" : "string",
"title" : "Mail Server Host Name",
"propertyOrder" : 0,
"required" : true,
"description" : "(property name: com.iplanet.am.smtphost)"
},
"com.iplanet.am.smtpport" : {
"type" : "integer",
"title" : "Mail Server Port Number",
"propertyOrder" : 1,
"required" : true,
"description" : "(property name: com.iplanet.am.smtpport)"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.installdir" : {
"title" : "System",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"com.iplanet.services.configpath" : {
"type" : "string",
"title" : "Base installation directory",
"propertyOrder" : 0,
"required" : true,
"description" : "Base directory where the product's data resides. (property name: com.iplanet.services.configpath)"
},
"com.iplanet.am.locale" : {
"type" : "string",
"title" : "Default Locale",
"propertyOrder" : 1,
"required" : true,
"description" : "Default locale for the product. (property name: com.iplanet.am.locale)"
},
"com.sun.identity.client.notification.url" : {
"type" : "string",
"title" : "Notification URL",
"propertyOrder" : 2,
"required" : true,
"description" : "The location of the notification service endpoint. It is usually the product's deployment URI/notificationservice. (property name: com.sun.identity.client.notification.url)"
},
"com.iplanet.am.util.xml.validating" : {
"enum" : [ "on", "off" ],
"options" : {
"enum_titles" : [ "On", "Off" ]
},
"type" : "string",
"title" : "XML Validation",
"propertyOrder" : 3,
"required" : true,
"description" : "Specifies if validation is required when parsing XML documents. (property name: com.iplanet.am.util.xml.validating)"
}
}
},
"amconfig.header.debug" : {
"title" : "Debugging",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.services.debug.level" : {
"enum" : [ "off", "error", "warning", "message" ],
"options" : {
"enum_titles" : [ "Off", "Error", "Warning", "Message" ]
},
"type" : "string",
"title" : "Debug Level",
"propertyOrder" : 0,
"required" : true,
"description" : "Debug level for all components in the product. (property name: com.iplanet.services.debug.level)"
},
"com.sun.services.debug.mergeall" : {
"enum" : [ "on", "off" ],
"options" : {
"enum_titles" : [ "On", "Off" ]
},
"type" : "string",
"title" : "Merge Debug Files",
"propertyOrder" : 1,
"required" : true,
"description" : "On : Directs all debug data to a single file (debug.out); Off : creates separate per-component debug files (property name : com.sun.services.debug.mergeall)"
},
"com.iplanet.services.debug.directory" : {
"type" : "string",
"title" : "Debug Directory",
"propertyOrder" : 2,
"required" : true,
"description" : "Directory where debug files reside. (property name: com.iplanet.services.debug.directory)"
}
}
},
"amconfig.header.mailserver" : {
"title" : "Mail Server",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.smtphost" : {
"type" : "string",
"title" : "Mail Server Host Name",
"propertyOrder" : 0,
"required" : true,
"description" : "(property name: com.iplanet.am.smtphost)"
},
"com.iplanet.am.smtpport" : {
"type" : "integer",
"title" : "Mail Server Port Number",
"propertyOrder" : 1,
"required" : true,
"description" : "(property name: com.iplanet.am.smtpport)"
}
}
}
}
}
/global-config/servers/server-default/properties/sdk
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.datastore" : {
"title" : "Data Store",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"com.sun.identity.sm.enableDataStoreNotification" : {
"type" : "boolean",
"title" : "Enable Datastore Notification",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies if backend datastore notification is enabled. If this value is set to 'false', then in-memory notification is enabled. (property name: com.sun.identity.sm.enableDataStoreNotification)"
},
"com.sun.identity.sm.notification.threadpool.size" : {
"type" : "integer",
"title" : "Notification Pool Size",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies the size of the sm notification thread pool (total number of threads). (property name: com.sun.identity.sm.notification.threadpool.size)"
}
}
},
"amconfig.header.eventservice" : {
"title" : "Event Service",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.am.event.connection.num.retries" : {
"type" : "integer",
"title" : "Number of retries for Event Service connections",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies the number of attempts made to successfully re-establish the Event Service connections. (property name: com.iplanet.am.event.connection.num.retries)"
},
"com.iplanet.am.event.connection.delay.between.retries" : {
"type" : "integer",
"title" : "Delay between Event Service connection retries",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies the delay in milliseconds between retries to re-establish the Event Service connections. (property name: com.iplanet.am.event.connection.delay.between.retries)"
},
"com.iplanet.am.event.connection.ldap.error.codes.retries" : {
"type" : "string",
"title" : "Error codes for Event Service connection retries",
"propertyOrder" : 2,
"required" : true,
"description" : "This specifies the LDAP exception error codes for which retries to re-establish Event Service connections will trigger. (property name: com.iplanet.am.event.connection.ldap.error.codes.retries)"
},
"com.sun.am.event.connection.disable.list" : {
"type" : "string",
"title" : "Disabled Event Service Connection",
"propertyOrder" : 3,
"required" : true,
"description" : "Specifies which event connection (persistent search) to be disabled. There are three valid values - aci, sm and um (case insensitive). Multiple values should be separated with \",\". (property name: com.sun.am.event.connection.disable.list)"
}
}
},
"amconfig.header.ldapconnection" : {
"title" : "LDAP Connection",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.ldap.connection.num.retries" : {
"type" : "integer",
"title" : "Number of retries for LDAP Connection",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies the number of attempts made to successfully re-establish LDAP Connection. (property name: com.iplanet.am.ldap.connection.num.retries)"
},
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"type" : "integer",
"title" : "Delay between LDAP connection retries",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies the delay in milliseconds between retries to re-establish the LDAP connections. (property name: com.iplanet.am.ldap.connection.delay.between.retries)"
},
"com.iplanet.am.ldap.connection.ldap.error.codes.retries" : {
"type" : "string",
"title" : "Error codes for LDAP connection retries",
"propertyOrder" : 2,
"required" : true,
"description" : "This specifies the LDAP exception error codes for which retries to re-establish LDAP connections will trigger. (property name: com.iplanet.am.ldap.connection.ldap.error.codes.retries)"
}
}
},
"amconfig.header.cachingreplica" : {
"title" : "Caching and Replica",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.iplanet.am.sdk.cache.maxSize" : {
"type" : "integer",
"title" : "SDK Caching Max. Size",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies the size of the cache when SDK caching is enabled. The size should be an integer greater than 0, or default size (10000) will be used. Changing this value will reset (clear) the contents of the cache. (property name: com.iplanet.am.sdk.cache.maxSize)"
}
}
},
"amconfig.header.sdktimetoliveconfig" : {
"title" : "Time To Live Configuration",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"com.iplanet.am.sdk.cache.entry.expire.enabled" : {
"type" : "boolean",
"title" : "Cache Entry Expiration Enabled",
"propertyOrder" : 0,
"required" : true,
"description" : "If this property is set, the cache entries will expire based on the time specified in User Entry Expiration Time property. (property name: com.iplanet.am.sdk.cache.entry.expire.enabled)"
},
"com.iplanet.am.sdk.cache.entry.user.expire.time" : {
"type" : "integer",
"title" : "User Entry Expiration Time",
"propertyOrder" : 1,
"required" : true,
"description" : "This property specifies time in minutes for which the user entries remain valid in cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant new requests for data for these user entries will result in reading from the Directory. (property name: com.iplanet.am.sdk.cache.entry.user.expire.time)"
},
"com.iplanet.am.sdk.cache.entry.default.expire.time" : {
"type" : "integer",
"title" : "Default Entry Expiration Time",
"propertyOrder" : 2,
"required" : true,
"description" : "This property specifies time in minutes for which the non-user entries remain valid in cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant new requests for data for these non-user entries will result in reading from the Directory. (property name: com.iplanet.am.sdk.cache.entry.default.expire.time)"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.datastore" : {
"title" : "Data Store",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"com.sun.identity.sm.enableDataStoreNotification" : {
"type" : "boolean",
"title" : "Enable Datastore Notification",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies if backend datastore notification is enabled. If this value is set to 'false', then in-memory notification is enabled. (property name: com.sun.identity.sm.enableDataStoreNotification)"
},
"com.sun.identity.sm.notification.threadpool.size" : {
"type" : "integer",
"title" : "Notification Pool Size",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies the size of the sm notification thread pool (total number of threads). (property name: com.sun.identity.sm.notification.threadpool.size)"
}
}
},
"amconfig.header.eventservice" : {
"title" : "Event Service",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.am.event.connection.num.retries" : {
"type" : "integer",
"title" : "Number of retries for Event Service connections",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies the number of attempts made to successfully re-establish the Event Service connections. (property name: com.iplanet.am.event.connection.num.retries)"
},
"com.iplanet.am.event.connection.delay.between.retries" : {
"type" : "integer",
"title" : "Delay between Event Service connection retries",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies the delay in milliseconds between retries to re-establish the Event Service connections. (property name: com.iplanet.am.event.connection.delay.between.retries)"
},
"com.iplanet.am.event.connection.ldap.error.codes.retries" : {
"type" : "string",
"title" : "Error codes for Event Service connection retries",
"propertyOrder" : 2,
"required" : true,
"description" : "This specifies the LDAP exception error codes for which retries to re-establish Event Service connections will trigger. (property name: com.iplanet.am.event.connection.ldap.error.codes.retries)"
},
"com.sun.am.event.connection.disable.list" : {
"type" : "string",
"title" : "Disabled Event Service Connection",
"propertyOrder" : 3,
"required" : true,
"description" : "Specifies which event connection (persistent search) to be disabled. There are three valid values - aci, sm and um (case insensitive). Multiple values should be separated with \",\". (property name: com.sun.am.event.connection.disable.list)"
}
}
},
"amconfig.header.ldapconnection" : {
"title" : "LDAP Connection",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.ldap.connection.num.retries" : {
"type" : "integer",
"title" : "Number of retries for LDAP Connection",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies the number of attempts made to successfully re-establish LDAP Connection. (property name: com.iplanet.am.ldap.connection.num.retries)"
},
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"type" : "integer",
"title" : "Delay between LDAP connection retries",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies the delay in milliseconds between retries to re-establish the LDAP connections. (property name: com.iplanet.am.ldap.connection.delay.between.retries)"
},
"com.iplanet.am.ldap.connection.ldap.error.codes.retries" : {
"type" : "string",
"title" : "Error codes for LDAP connection retries",
"propertyOrder" : 2,
"required" : true,
"description" : "This specifies the LDAP exception error codes for which retries to re-establish LDAP connections will trigger. (property name: com.iplanet.am.ldap.connection.ldap.error.codes.retries)"
}
}
},
"amconfig.header.cachingreplica" : {
"title" : "Caching and Replica",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.iplanet.am.sdk.cache.maxSize" : {
"type" : "integer",
"title" : "SDK Caching Max. Size",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies the size of the cache when SDK caching is enabled. The size should be an integer greater than 0, or default size (10000) will be used. Changing this value will reset (clear) the contents of the cache. (property name: com.iplanet.am.sdk.cache.maxSize)"
}
}
},
"amconfig.header.sdktimetoliveconfig" : {
"title" : "Time To Live Configuration",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"com.iplanet.am.sdk.cache.entry.expire.enabled" : {
"type" : "boolean",
"title" : "Cache Entry Expiration Enabled",
"propertyOrder" : 0,
"required" : true,
"description" : "If this property is set, the cache entries will expire based on the time specified in User Entry Expiration Time property. (property name: com.iplanet.am.sdk.cache.entry.expire.enabled)"
},
"com.iplanet.am.sdk.cache.entry.user.expire.time" : {
"type" : "integer",
"title" : "User Entry Expiration Time",
"propertyOrder" : 1,
"required" : true,
"description" : "This property specifies time in minutes for which the user entries remain valid in cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant new requests for data for these user entries will result in reading from the Directory. (property name: com.iplanet.am.sdk.cache.entry.user.expire.time)"
},
"com.iplanet.am.sdk.cache.entry.default.expire.time" : {
"type" : "integer",
"title" : "Default Entry Expiration Time",
"propertyOrder" : 2,
"required" : true,
"description" : "This property specifies time in minutes for which the non-user entries remain valid in cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant new requests for data for these non-user entries will result in reading from the Directory. (property name: com.iplanet.am.sdk.cache.entry.default.expire.time)"
}
}
}
}
}
/global-config/servers/server-default/properties/security
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.encryption" : {
"title" : "Encryption",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"am.encryption.pwd" : {
"type" : "string",
"title" : "Password Encryption Key",
"propertyOrder" : 0,
"required" : true,
"description" : "The encryption key value for decrypting passwords stored in the Service Management System configuration. (property name: am.encryption.pwd)"
},
"com.iplanet.security.encryptor" : {
"type" : "string",
"title" : "Encryption class",
"propertyOrder" : 1,
"required" : true,
"description" : "The default encryption class. (property name: com.iplanet.security.encryptor)"
},
"com.iplanet.security.SecureRandomFactoryImpl" : {
"type" : "string",
"title" : "Secure Random Factory Class",
"propertyOrder" : 2,
"required" : true,
"description" : "This property is used for specifying SecureRandomFactory class. Available values for this property are com.iplanet.am.util.JSSSecureRandomFactoryImpl that is using JSS and com.iplanet.am.util.SecureRandomFactoryImpl that is using pure Java only. (property name: com.iplanet.security.SecureRandomFactoryImpl)"
}
}
},
"amconfig.header.validation" : {
"title" : "Validation",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.services.comm.server.pllrequest.maxContentLength" : {
"type" : "integer",
"title" : "Platform Low Level Comm. Max. Content Length",
"propertyOrder" : 0,
"required" : true,
"description" : "Maximum content-length for an HttpRequest. (property name: com.iplanet.services.comm.server.pllrequest.maxContentLength)"
},
"com.iplanet.am.clientIPCheckEnabled" : {
"type" : "boolean",
"title" : "Client IP Address Check",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies whether or not the IP address of the client is checked in all single sign on token creations or validations. (property name: com.iplanet.am.clientIPCheckEnabled)"
}
}
},
"amconfig.header.cookie" : {
"title" : "Cookie",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.cookie.name" : {
"type" : "string",
"title" : "Cookie Name",
"propertyOrder" : 0,
"required" : true,
"description" : "The cookie name used by Authentication Service to set the valid session handler ID. This name is used to retrieve the valid session information. (property name: com.iplanet.am.cookie.name)"
},
"com.iplanet.am.cookie.secure" : {
"type" : "boolean",
"title" : "Secure Cookie",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies whether to set the cookie in secure mode, in which the browser will only return the cookie when a secure protocol such as HTTPS is used. (property name: com.iplanet.am.cookie.secure)"
},
"com.iplanet.am.cookie.encode" : {
"type" : "boolean",
"title" : "Encode Cookie Value",
"propertyOrder" : 2,
"required" : true,
"description" : "Specifies whether to URL encode the cookie value. (property name: com.iplanet.am.cookie.encode)"
}
}
},
"amconfig.header.securitykey" : {
"title" : "Key Store",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.sun.identity.saml.xmlsig.keystore" : {
"type" : "string",
"title" : "Keystore File",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies the location of the keystore file. (property name: com.sun.identity.saml.xmlsig.keystore)"
},
"com.sun.identity.saml.xmlsig.storetype" : {
"type" : "string",
"title" : "Keystore Type",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies the keystore type. (property name: com.sun.identity.saml.xmlsig.storetype)"
},
"com.sun.identity.saml.xmlsig.storepass" : {
"type" : "string",
"title" : "Keystore Password File",
"propertyOrder" : 2,
"required" : true,
"description" : "Specifies the location of the file that contains the password used to access the keystore file. (property name: com.sun.identity.saml.xmlsig.storepass)"
},
"com.sun.identity.saml.xmlsig.keypass" : {
"type" : "string",
"title" : "Private Key Password File",
"propertyOrder" : 3,
"required" : true,
"description" : "Specifies the location of the file that contains the password used to protect the private key of a generated key pair. (property name: com.sun.identity.saml.xmlsig.keypass)"
},
"com.sun.identity.saml.xmlsig.certalias" : {
"type" : "string",
"title" : "Certificate Alias",
"propertyOrder" : 4,
"required" : true,
"description" : "(property name: com.sun.identity.saml.xmlsig.certalias)"
}
}
},
"amconfig.header.crlcache" : {
"title" : "Certificate Revocation List Caching",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"com.sun.identity.crl.cache.directory.host" : {
"type" : "string",
"title" : "LDAP server host name",
"propertyOrder" : 0,
"required" : true
},
"com.sun.identity.crl.cache.directory.port" : {
"type" : "integer",
"title" : "LDAP server port number",
"propertyOrder" : 1,
"required" : true
},
"com.sun.identity.crl.cache.directory.ssl" : {
"type" : "boolean",
"title" : "SSL/TLS Enabled",
"propertyOrder" : 2,
"required" : true
},
"com.sun.identity.crl.cache.directory.user" : {
"type" : "string",
"title" : "LDAP server bind user name",
"propertyOrder" : 3,
"required" : true
},
"com.sun.identity.crl.cache.directory.password" : {
"type" : "string",
"title" : "LDAP server bind password",
"propertyOrder" : 4,
"required" : true,
"format" : "password"
},
"com.sun.identity.crl.cache.directory.searchlocs" : {
"type" : "string",
"title" : "LDAP search base DN",
"propertyOrder" : 5,
"required" : true
},
"com.sun.identity.crl.cache.directory.searchattr" : {
"type" : "string",
"title" : "Search Attributes",
"propertyOrder" : 6,
"required" : true,
"description" : "Any DN component of the issuer's subjectDN can be used to retrieve the CRL from the local LDAP server. It is a single-value string, such as \"cn\". All root CAs need to use the same search attribute."
}
}
},
"amconfig.header.ocsp.check" : {
"title" : "Online Certificate Status Protocol Check",
"type" : "object",
"propertyOrder" : 5,
"properties" : {
"com.sun.identity.authentication.ocspCheck" : {
"type" : "boolean",
"title" : "Check Enabled",
"propertyOrder" : 0,
"required" : true
},
"com.sun.identity.authentication.ocsp.responder.url" : {
"type" : "string",
"title" : "Responder URL",
"propertyOrder" : 1,
"required" : true
},
"com.sun.identity.authentication.ocsp.responder.nickname" : {
"type" : "string",
"title" : "Certificate Nickname",
"propertyOrder" : 2,
"required" : true
}
}
},
"amconfig.header.deserialisationwhitelist" : {
"title" : "Object Deserialisation Class Whitelist",
"type" : "object",
"propertyOrder" : 6,
"properties" : {
"openam.deserialisation.classes.whitelist" : {
"type" : "string",
"title" : "Whitelist",
"propertyOrder" : 0,
"required" : true,
"description" : "The list of classes that are considered valid when OpenAM performs Object deserialisation operations. The defaults should work for most installations. (property name: openam.deserialisation.classes.whitelist)"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.encryption" : {
"title" : "Encryption",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"am.encryption.pwd" : {
"type" : "string",
"title" : "Password Encryption Key",
"propertyOrder" : 0,
"required" : true,
"description" : "The encryption key value for decrypting passwords stored in the Service Management System configuration. (property name: am.encryption.pwd)"
},
"com.iplanet.security.encryptor" : {
"type" : "string",
"title" : "Encryption class",
"propertyOrder" : 1,
"required" : true,
"description" : "The default encryption class. (property name: com.iplanet.security.encryptor)"
},
"com.iplanet.security.SecureRandomFactoryImpl" : {
"type" : "string",
"title" : "Secure Random Factory Class",
"propertyOrder" : 2,
"required" : true,
"description" : "This property is used for specifying SecureRandomFactory class. Available values for this property are com.iplanet.am.util.JSSSecureRandomFactoryImpl that is using JSS and com.iplanet.am.util.SecureRandomFactoryImpl that is using pure Java only. (property name: com.iplanet.security.SecureRandomFactoryImpl)"
}
}
},
"amconfig.header.validation" : {
"title" : "Validation",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.services.comm.server.pllrequest.maxContentLength" : {
"type" : "integer",
"title" : "Platform Low Level Comm. Max. Content Length",
"propertyOrder" : 0,
"required" : true,
"description" : "Maximum content-length for an HttpRequest. (property name: com.iplanet.services.comm.server.pllrequest.maxContentLength)"
},
"com.iplanet.am.clientIPCheckEnabled" : {
"type" : "boolean",
"title" : "Client IP Address Check",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies whether or not the IP address of the client is checked in all single sign on token creations or validations. (property name: com.iplanet.am.clientIPCheckEnabled)"
}
}
},
"amconfig.header.cookie" : {
"title" : "Cookie",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.cookie.name" : {
"type" : "string",
"title" : "Cookie Name",
"propertyOrder" : 0,
"required" : true,
"description" : "The cookie name used by Authentication Service to set the valid session handler ID. This name is used to retrieve the valid session information. (property name: com.iplanet.am.cookie.name)"
},
"com.iplanet.am.cookie.secure" : {
"type" : "boolean",
"title" : "Secure Cookie",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies whether to set the cookie in secure mode, in which the browser will only return the cookie when a secure protocol such as HTTPS is used. (property name: com.iplanet.am.cookie.secure)"
},
"com.iplanet.am.cookie.encode" : {
"type" : "boolean",
"title" : "Encode Cookie Value",
"propertyOrder" : 2,
"required" : true,
"description" : "Specifies whether to URL encode the cookie value. (property name: com.iplanet.am.cookie.encode)"
}
}
},
"amconfig.header.securitykey" : {
"title" : "Key Store",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.sun.identity.saml.xmlsig.keystore" : {
"type" : "string",
"title" : "Keystore File",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies the location of the keystore file. (property name: com.sun.identity.saml.xmlsig.keystore)"
},
"com.sun.identity.saml.xmlsig.storetype" : {
"type" : "string",
"title" : "Keystore Type",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies the keystore type. (property name: com.sun.identity.saml.xmlsig.storetype)"
},
"com.sun.identity.saml.xmlsig.storepass" : {
"type" : "string",
"title" : "Keystore Password File",
"propertyOrder" : 2,
"required" : true,
"description" : "Specifies the location of the file that contains the password used to access the keystore file. (property name: com.sun.identity.saml.xmlsig.storepass)"
},
"com.sun.identity.saml.xmlsig.keypass" : {
"type" : "string",
"title" : "Private Key Password File",
"propertyOrder" : 3,
"required" : true,
"description" : "Specifies the location of the file that contains the password used to protect the private key of a generated key pair. (property name: com.sun.identity.saml.xmlsig.keypass)"
},
"com.sun.identity.saml.xmlsig.certalias" : {
"type" : "string",
"title" : "Certificate Alias",
"propertyOrder" : 4,
"required" : true,
"description" : "(property name: com.sun.identity.saml.xmlsig.certalias)"
}
}
},
"amconfig.header.crlcache" : {
"title" : "Certificate Revocation List Caching",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"com.sun.identity.crl.cache.directory.host" : {
"type" : "string",
"title" : "LDAP server host name",
"propertyOrder" : 0,
"required" : true
},
"com.sun.identity.crl.cache.directory.port" : {
"type" : "integer",
"title" : "LDAP server port number",
"propertyOrder" : 1,
"required" : true
},
"com.sun.identity.crl.cache.directory.ssl" : {
"type" : "boolean",
"title" : "SSL/TLS Enabled",
"propertyOrder" : 2,
"required" : true
},
"com.sun.identity.crl.cache.directory.user" : {
"type" : "string",
"title" : "LDAP server bind user name",
"propertyOrder" : 3,
"required" : true
},
"com.sun.identity.crl.cache.directory.password" : {
"type" : "string",
"title" : "LDAP server bind password",
"propertyOrder" : 4,
"required" : true,
"format" : "password"
},
"com.sun.identity.crl.cache.directory.searchlocs" : {
"type" : "string",
"title" : "LDAP search base DN",
"propertyOrder" : 5,
"required" : true
},
"com.sun.identity.crl.cache.directory.searchattr" : {
"type" : "string",
"title" : "Search Attributes",
"propertyOrder" : 6,
"required" : true,
"description" : "Any DN component of the issuer's subjectDN can be used to retrieve the CRL from the local LDAP server. It is a single-value string, such as \"cn\". All root CAs need to use the same search attribute."
}
}
},
"amconfig.header.ocsp.check" : {
"title" : "Online Certificate Status Protocol Check",
"type" : "object",
"propertyOrder" : 5,
"properties" : {
"com.sun.identity.authentication.ocspCheck" : {
"type" : "boolean",
"title" : "Check Enabled",
"propertyOrder" : 0,
"required" : true
},
"com.sun.identity.authentication.ocsp.responder.url" : {
"type" : "string",
"title" : "Responder URL",
"propertyOrder" : 1,
"required" : true
},
"com.sun.identity.authentication.ocsp.responder.nickname" : {
"type" : "string",
"title" : "Certificate Nickname",
"propertyOrder" : 2,
"required" : true
}
}
},
"amconfig.header.deserialisationwhitelist" : {
"title" : "Object Deserialisation Class Whitelist",
"type" : "object",
"propertyOrder" : 6,
"properties" : {
"openam.deserialisation.classes.whitelist" : {
"type" : "string",
"title" : "Whitelist",
"propertyOrder" : 0,
"required" : true,
"description" : "The list of classes that are considered valid when OpenAM performs Object deserialisation operations. The defaults should work for most installations. (property name: openam.deserialisation.classes.whitelist)"
}
}
}
}
}
/global-config/servers/server-default/properties/session
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.sessionthresholds" : {
"title" : "Session Limits",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"org.forgerock.openam.session.service.access.persistence.caching.maxsize" : {
"type" : "integer",
"title" : "Maximum Session Cache Size",
"propertyOrder" : 0,
"required" : true,
"description" : "The maximum number of sessions to cache in the per-server internal session cache. (property name: org.forgerock.openam.session.service.access.persistence.caching.maxsize)"
},
"com.iplanet.am.session.invalidsessionmaxtime" : {
"type" : "integer",
"title" : "Invalidate Session Max Time",
"propertyOrder" : 1,
"required" : true,
"description" : "Duration in minutes after which the invalid session will be removed from the session table if it is created and the user does not login. This value should always be greater than the timeout value in the Authentication module properties file. (property name: com.iplanet.am.session.invalidsessionmaxtime)"
}
}
},
"amconfig.header.sessionlogging" : {
"title" : "Statistics",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.am.stats.interval" : {
"type" : "integer",
"title" : "Logging Interval (in seconds)",
"propertyOrder" : 0,
"required" : true,
"description" : "Number of seconds to elapse between statistics logging. The interval should be at least 5 seconds to avoid CPU saturation. An interval value less than 5 seconds will be interpreted as 5 seconds. (property name: com.iplanet.am.stats.interval)"
},
"com.iplanet.services.stats.state" : {
"enum" : [ "off", "file", "console" ],
"options" : {
"enum_titles" : [ "Off", "File", "Console" ]
},
"type" : "string",
"title" : "State",
"propertyOrder" : 1,
"required" : true,
"description" : "Statistics state 'file' will write to a file under the specified directory, and 'console' will write into webserver log files. (property name: com.iplanet.services.stats.state)"
},
"com.iplanet.services.stats.directory" : {
"type" : "string",
"title" : "Directory",
"propertyOrder" : 2,
"required" : true,
"description" : "Directory where the statistic files will be created. Use forward slashes \"/\" to separate directories, not backslash \"\\\". Spaces in the file name are allowed for Windows. (property name: com.iplanet.services.stats.directory)"
},
"com.sun.am.session.enableHostLookUp" : {
"type" : "boolean",
"title" : "Enable Host Lookup",
"propertyOrder" : 3,
"required" : true,
"description" : "Enables or disables host lookup during session logging. (property name: com.sun.am.session.enableHostLookUp)"
}
}
},
"amconfig.header.sessionnotification" : {
"title" : "Notification",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.notification.threadpool.size" : {
"type" : "integer",
"title" : "Notification Pool Size",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies the size of the notification thread pool (total number of threads). (property name: com.iplanet.am.notification.threadpool.size)"
},
"com.iplanet.am.notification.threadpool.threshold" : {
"type" : "integer",
"title" : "Notification Thread Pool Threshold",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies the maximum task queue length for serving notification threads. (property name: com.iplanet.am.notification.threadpool.threshold)"
}
}
},
"amconfig.header.sessionvalidation" : {
"title" : "Validation",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.sun.am.session.caseInsensitiveDN" : {
"type" : "boolean",
"title" : "Case Insensitive client DN comparison",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies if client distinguished name comparison is case insensitive/sensitive. (property name: com.sun.am.session.caseInsensitiveDN)"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.sessionthresholds" : {
"title" : "Session Limits",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"org.forgerock.openam.session.service.access.persistence.caching.maxsize" : {
"type" : "integer",
"title" : "Maximum Session Cache Size",
"propertyOrder" : 0,
"required" : true,
"description" : "The maximum number of sessions to cache in the per-server internal session cache. (property name: org.forgerock.openam.session.service.access.persistence.caching.maxsize)"
},
"com.iplanet.am.session.invalidsessionmaxtime" : {
"type" : "integer",
"title" : "Invalidate Session Max Time",
"propertyOrder" : 1,
"required" : true,
"description" : "Duration in minutes after which the invalid session will be removed from the session table if it is created and the user does not login. This value should always be greater than the timeout value in the Authentication module properties file. (property name: com.iplanet.am.session.invalidsessionmaxtime)"
}
}
},
"amconfig.header.sessionlogging" : {
"title" : "Statistics",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.am.stats.interval" : {
"type" : "integer",
"title" : "Logging Interval (in seconds)",
"propertyOrder" : 0,
"required" : true,
"description" : "Number of seconds to elapse between statistics logging. The interval should be at least 5 seconds to avoid CPU saturation. An interval value less than 5 seconds will be interpreted as 5 seconds. (property name: com.iplanet.am.stats.interval)"
},
"com.iplanet.services.stats.state" : {
"enum" : [ "off", "file", "console" ],
"options" : {
"enum_titles" : [ "Off", "File", "Console" ]
},
"type" : "string",
"title" : "State",
"propertyOrder" : 1,
"required" : true,
"description" : "Statistics state 'file' will write to a file under the specified directory, and 'console' will write into webserver log files. (property name: com.iplanet.services.stats.state)"
},
"com.iplanet.services.stats.directory" : {
"type" : "string",
"title" : "Directory",
"propertyOrder" : 2,
"required" : true,
"description" : "Directory where the statistic files will be created. Use forward slashes \"/\" to separate directories, not backslash \"\\\". Spaces in the file name are allowed for Windows. (property name: com.iplanet.services.stats.directory)"
},
"com.sun.am.session.enableHostLookUp" : {
"type" : "boolean",
"title" : "Enable Host Lookup",
"propertyOrder" : 3,
"required" : true,
"description" : "Enables or disables host lookup during session logging. (property name: com.sun.am.session.enableHostLookUp)"
}
}
},
"amconfig.header.sessionnotification" : {
"title" : "Notification",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.notification.threadpool.size" : {
"type" : "integer",
"title" : "Notification Pool Size",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies the size of the notification thread pool (total number of threads). (property name: com.iplanet.am.notification.threadpool.size)"
},
"com.iplanet.am.notification.threadpool.threshold" : {
"type" : "integer",
"title" : "Notification Thread Pool Threshold",
"propertyOrder" : 1,
"required" : true,
"description" : "Specifies the maximum task queue length for serving notification threads. (property name: com.iplanet.am.notification.threadpool.threshold)"
}
}
},
"amconfig.header.sessionvalidation" : {
"title" : "Validation",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.sun.am.session.caseInsensitiveDN" : {
"type" : "boolean",
"title" : "Case Insensitive client DN comparison",
"propertyOrder" : 0,
"required" : true,
"description" : "Specifies if client distinguished name comparison is case insensitive/sensitive. (property name: com.sun.am.session.caseInsensitiveDN)"
}
}
}
}
}
/global-config/servers/server-default/properties/uma
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.org.forgerock.services.resourcesets.store.common.section" : {
"title" : "Resource Sets Store",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"org.forgerock.services.resourcesets.store.location" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"title" : "Store Mode",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.resourcesets.store.root.suffix" : {
"type" : "string",
"title" : "Root Suffix",
"propertyOrder" : 1,
"required" : true
},
"org.forgerock.services.resourcesets.store.max.connections" : {
"type" : "string",
"title" : "Max Connections",
"propertyOrder" : 2,
"required" : true
}
}
},
"amconfig.org.forgerock.services.resourcesets.store.external.section" : {
"title" : "External Resource Sets Store Configuration",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"org.forgerock.services.resourcesets.store.ssl.enabled" : {
"type" : "boolean",
"title" : "SSL/TLS Enabled",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.resourcesets.store.directory.name" : {
"type" : "string",
"title" : "Connection String(s)",
"propertyOrder" : 1,
"required" : true,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
},
"org.forgerock.services.resourcesets.store.loginid" : {
"type" : "string",
"title" : "Login Id",
"propertyOrder" : 2,
"required" : true
},
"org.forgerock.services.resourcesets.store.password" : {
"type" : "string",
"title" : "Password",
"propertyOrder" : 3,
"required" : true,
"format" : "password"
},
"org.forgerock.services.resourcesets.store.heartbeat" : {
"type" : "integer",
"title" : "Heartbeat",
"propertyOrder" : 4,
"required" : true
}
}
},
"amconfig.org.forgerock.services.umaaudit.store.common.section" : {
"title" : "UMA Audit Store",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"org.forgerock.services.umaaudit.store.location" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"title" : "Store Mode",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.umaaudit.store.root.suffix" : {
"type" : "string",
"title" : "Root Suffix",
"propertyOrder" : 1,
"required" : true
},
"org.forgerock.services.umaaudit.store.max.connections" : {
"type" : "string",
"title" : "Max Connections",
"propertyOrder" : 2,
"required" : true
}
}
},
"amconfig.org.forgerock.services.umaaudit.store.external.section" : {
"title" : "External UMA Audit Store Configuration",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"org.forgerock.services.umaaudit.store.ssl.enabled" : {
"type" : "boolean",
"title" : "SSL/TLS Enabled",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.umaaudit.store.directory.name" : {
"type" : "string",
"title" : "Connection String(s)",
"propertyOrder" : 1,
"required" : true,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
},
"org.forgerock.services.umaaudit.store.loginid" : {
"type" : "string",
"title" : "Login Id",
"propertyOrder" : 2,
"required" : true
},
"org.forgerock.services.umaaudit.store.password" : {
"type" : "string",
"title" : "Password",
"propertyOrder" : 3,
"required" : true,
"format" : "password"
},
"org.forgerock.services.umaaudit.store.heartbeat" : {
"type" : "integer",
"title" : "Heartbeat",
"propertyOrder" : 4,
"required" : true
}
}
},
"amconfig.org.forgerock.services.uma.pendingrequests.store.common.section" : {
"title" : "Pending Requests Store",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"org.forgerock.services.uma.pendingrequests.store.location" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"title" : "Store Mode",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.uma.pendingrequests.store.root.suffix" : {
"type" : "string",
"title" : "Root Suffix",
"propertyOrder" : 1,
"required" : true
},
"org.forgerock.services.uma.pendingrequests.store.max.connections" : {
"type" : "string",
"title" : "Max Connections",
"propertyOrder" : 2,
"required" : true
}
}
},
"amconfig.org.forgerock.services.uma.pendingrequests.store.external.section" : {
"title" : "External Pending Requests Store Configuration",
"type" : "object",
"propertyOrder" : 5,
"properties" : {
"org.forgerock.services.uma.pendingrequests.store.ssl.enabled" : {
"type" : "boolean",
"title" : "SSL/TLS Enabled",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.uma.pendingrequests.store.directory.name" : {
"type" : "string",
"title" : "Connection String(s)",
"propertyOrder" : 1,
"required" : true,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
},
"org.forgerock.services.uma.pendingrequests.store.loginid" : {
"type" : "string",
"title" : "Login Id",
"propertyOrder" : 2,
"required" : true
},
"org.forgerock.services.uma.pendingrequests.store.password" : {
"type" : "string",
"title" : "Password",
"propertyOrder" : 3,
"required" : true,
"format" : "password"
},
"org.forgerock.services.uma.pendingrequests.store.heartbeat" : {
"type" : "integer",
"title" : "Heartbeat",
"propertyOrder" : 4,
"required" : true
}
}
},
"amconfig.org.forgerock.services.uma.labels.store.common.section" : {
"title" : "UMA Resource Set Labels Store",
"type" : "object",
"propertyOrder" : 6,
"properties" : {
"org.forgerock.services.uma.labels.store.location" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"title" : "Store Mode",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.uma.labels.store.root.suffix" : {
"type" : "string",
"title" : "Root Suffix",
"propertyOrder" : 1,
"required" : true
},
"org.forgerock.services.uma.labels.store.max.connections" : {
"type" : "string",
"title" : "Max Connections",
"propertyOrder" : 2,
"required" : true
}
}
},
"amconfig.org.forgerock.services.uma.labels.store.external.section" : {
"title" : "External Resource Set Labels Store Configuration",
"type" : "object",
"propertyOrder" : 7,
"properties" : {
"org.forgerock.services.uma.labels.store.ssl.enabled" : {
"type" : "boolean",
"title" : "SSL/TLS Enabled",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.uma.labels.store.directory.name" : {
"type" : "string",
"title" : "Connection String(s)",
"propertyOrder" : 1,
"required" : true,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
},
"org.forgerock.services.uma.labels.store.loginid" : {
"type" : "string",
"title" : "Login Id",
"propertyOrder" : 2,
"required" : true
},
"org.forgerock.services.uma.labels.store.password" : {
"type" : "string",
"title" : "Password",
"propertyOrder" : 3,
"required" : true,
"format" : "password"
},
"org.forgerock.services.uma.labels.store.heartbeat" : {
"type" : "integer",
"title" : "Heartbeat",
"propertyOrder" : 4,
"required" : true
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.org.forgerock.services.resourcesets.store.common.section" : {
"title" : "Resource Sets Store",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"org.forgerock.services.resourcesets.store.location" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"title" : "Store Mode",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.resourcesets.store.root.suffix" : {
"type" : "string",
"title" : "Root Suffix",
"propertyOrder" : 1,
"required" : true
},
"org.forgerock.services.resourcesets.store.max.connections" : {
"type" : "string",
"title" : "Max Connections",
"propertyOrder" : 2,
"required" : true
}
}
},
"amconfig.org.forgerock.services.resourcesets.store.external.section" : {
"title" : "External Resource Sets Store Configuration",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"org.forgerock.services.resourcesets.store.ssl.enabled" : {
"type" : "boolean",
"title" : "SSL/TLS Enabled",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.resourcesets.store.directory.name" : {
"type" : "string",
"title" : "Connection String(s)",
"propertyOrder" : 1,
"required" : true,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
},
"org.forgerock.services.resourcesets.store.loginid" : {
"type" : "string",
"title" : "Login Id",
"propertyOrder" : 2,
"required" : true
},
"org.forgerock.services.resourcesets.store.password" : {
"type" : "string",
"title" : "Password",
"propertyOrder" : 3,
"required" : true,
"format" : "password"
},
"org.forgerock.services.resourcesets.store.heartbeat" : {
"type" : "integer",
"title" : "Heartbeat",
"propertyOrder" : 4,
"required" : true
}
}
},
"amconfig.org.forgerock.services.umaaudit.store.common.section" : {
"title" : "UMA Audit Store",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"org.forgerock.services.umaaudit.store.location" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"title" : "Store Mode",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.umaaudit.store.root.suffix" : {
"type" : "string",
"title" : "Root Suffix",
"propertyOrder" : 1,
"required" : true
},
"org.forgerock.services.umaaudit.store.max.connections" : {
"type" : "string",
"title" : "Max Connections",
"propertyOrder" : 2,
"required" : true
}
}
},
"amconfig.org.forgerock.services.umaaudit.store.external.section" : {
"title" : "External UMA Audit Store Configuration",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"org.forgerock.services.umaaudit.store.ssl.enabled" : {
"type" : "boolean",
"title" : "SSL/TLS Enabled",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.umaaudit.store.directory.name" : {
"type" : "string",
"title" : "Connection String(s)",
"propertyOrder" : 1,
"required" : true,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
},
"org.forgerock.services.umaaudit.store.loginid" : {
"type" : "string",
"title" : "Login Id",
"propertyOrder" : 2,
"required" : true
},
"org.forgerock.services.umaaudit.store.password" : {
"type" : "string",
"title" : "Password",
"propertyOrder" : 3,
"required" : true,
"format" : "password"
},
"org.forgerock.services.umaaudit.store.heartbeat" : {
"type" : "integer",
"title" : "Heartbeat",
"propertyOrder" : 4,
"required" : true
}
}
},
"amconfig.org.forgerock.services.uma.pendingrequests.store.common.section" : {
"title" : "Pending Requests Store",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"org.forgerock.services.uma.pendingrequests.store.location" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"title" : "Store Mode",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.uma.pendingrequests.store.root.suffix" : {
"type" : "string",
"title" : "Root Suffix",
"propertyOrder" : 1,
"required" : true
},
"org.forgerock.services.uma.pendingrequests.store.max.connections" : {
"type" : "string",
"title" : "Max Connections",
"propertyOrder" : 2,
"required" : true
}
}
},
"amconfig.org.forgerock.services.uma.pendingrequests.store.external.section" : {
"title" : "External Pending Requests Store Configuration",
"type" : "object",
"propertyOrder" : 5,
"properties" : {
"org.forgerock.services.uma.pendingrequests.store.ssl.enabled" : {
"type" : "boolean",
"title" : "SSL/TLS Enabled",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.uma.pendingrequests.store.directory.name" : {
"type" : "string",
"title" : "Connection String(s)",
"propertyOrder" : 1,
"required" : true,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
},
"org.forgerock.services.uma.pendingrequests.store.loginid" : {
"type" : "string",
"title" : "Login Id",
"propertyOrder" : 2,
"required" : true
},
"org.forgerock.services.uma.pendingrequests.store.password" : {
"type" : "string",
"title" : "Password",
"propertyOrder" : 3,
"required" : true,
"format" : "password"
},
"org.forgerock.services.uma.pendingrequests.store.heartbeat" : {
"type" : "integer",
"title" : "Heartbeat",
"propertyOrder" : 4,
"required" : true
}
}
},
"amconfig.org.forgerock.services.uma.labels.store.common.section" : {
"title" : "UMA Resource Set Labels Store",
"type" : "object",
"propertyOrder" : 6,
"properties" : {
"org.forgerock.services.uma.labels.store.location" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"title" : "Store Mode",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.uma.labels.store.root.suffix" : {
"type" : "string",
"title" : "Root Suffix",
"propertyOrder" : 1,
"required" : true
},
"org.forgerock.services.uma.labels.store.max.connections" : {
"type" : "string",
"title" : "Max Connections",
"propertyOrder" : 2,
"required" : true
}
}
},
"amconfig.org.forgerock.services.uma.labels.store.external.section" : {
"title" : "External Resource Set Labels Store Configuration",
"type" : "object",
"propertyOrder" : 7,
"properties" : {
"org.forgerock.services.uma.labels.store.ssl.enabled" : {
"type" : "boolean",
"title" : "SSL/TLS Enabled",
"propertyOrder" : 0,
"required" : true
},
"org.forgerock.services.uma.labels.store.directory.name" : {
"type" : "string",
"title" : "Connection String(s)",
"propertyOrder" : 1,
"required" : true,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
},
"org.forgerock.services.uma.labels.store.loginid" : {
"type" : "string",
"title" : "Login Id",
"propertyOrder" : 2,
"required" : true
},
"org.forgerock.services.uma.labels.store.password" : {
"type" : "string",
"title" : "Password",
"propertyOrder" : 3,
"required" : true,
"format" : "password"
},
"org.forgerock.services.uma.labels.store.heartbeat" : {
"type" : "integer",
"title" : "Heartbeat",
"propertyOrder" : 4,
"required" : true
}
}
}
}
}
/global-config/servers/{id}
1.0
Servers resource provider is responsible for managing Servers and their configuration for an OpenAM instance.
Create
Create a Server.
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | Unique identifier of the Server. | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Describes the data that a Server Resource could contain.",
"type" : "object",
"title" : "Server resource schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Server id",
"description" : "Unique identifier of the Server."
},
"siteName" : {
"type" : "string",
"title" : "Site name",
"description" : "The Server's name."
},
"url" : {
"type" : "string",
"title" : "Url",
"description" : "The URL of the Server."
}
}
}
Read
Read a Server.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | Unique identifier of the Server. | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Describes the data that a Server Resource could contain.",
"type" : "object",
"title" : "Server resource schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Server id",
"description" : "Unique identifier of the Server."
},
"siteName" : {
"type" : "string",
"title" : "Site name",
"description" : "The Server's name."
},
"url" : {
"type" : "string",
"title" : "Url",
"description" : "The URL of the Server."
}
}
}
| Code | Description |
|---|---|
| | An internal error occurred. Causes may be one of: could not get connection; could not complete search; unexpected LDAP result type. |
Delete
Delete a Server.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | Unique identifier of the Server. | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Describes the data that a Server Resource could contain.",
"type" : "object",
"title" : "Server resource schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Server id",
"description" : "Unique identifier of the Server."
},
"siteName" : {
"type" : "string",
"title" : "Site name",
"description" : "The Server's name."
},
"url" : {
"type" : "string",
"title" : "Url",
"description" : "The URL of the Server."
}
}
}
| Code | Description |
|---|---|
| | Resource not found for deletion. |
| | Invalid SSO token for deletion. |
| | An internal error occurred. Causes may be one of: could not get connection; could not complete search; unexpected LDAP result type. |
Action: clone
Clone the specified Server, keeping its settings but using a different URL.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | Unique identifier of the Server. | ✓ | | |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Container for required data to clone a Server.",
"type" : "object",
"title" : "Clone Server Request schema",
"properties" : {
"clonedUrl" : {
"type" : "string",
"title" : "Cloned Server URL",
"description" : "The new URL of the cloned server. Must be unique."
}
}
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Describes the data that a Server Resource could contain.",
"type" : "object",
"title" : "Server resource schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Server id",
"description" : "Unique identifier of the Server."
},
"siteName" : {
"type" : "string",
"title" : "Site name",
"description" : "The Server's name."
},
"url" : {
"type" : "string",
"title" : "Url",
"description" : "The URL of the Server."
}
}
}
/global-config/servers/{serverName}/properties/advanced
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Value",
"description" : "Any string value"
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "An object of property key-value pairs",
"type" : "object",
"title" : "Advanced Properties"
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Value",
"description" : "Any string value"
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "An object of property key-value pairs",
"type" : "object",
"title" : "Advanced Properties"
}
/global-config/servers/{serverName}/properties/cts
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.org.forgerock.services.cts.store.common.section" : {
"title" : "CTS Token Store",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"org.forgerock.services.cts.store.location" : {
"title" : "Store Mode",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.root.suffix" : {
"title" : "Root Suffix",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.max.connections" : {
"title" : "Max Connections",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.cts.store.external.section" : {
"title" : "External Store Configuration",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"org.forgerock.services.cts.store.ssl.enabled" : {
"title" : "SSL/TLS Enabled",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.directory.name" : {
"title" : "Connection String(s)",
"type" : "object",
"propertyOrder" : 1,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>.",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.loginid" : {
"title" : "Login Id",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.password" : {
"title" : "Password",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"value" : {
"type" : "string",
"required" : false,
"format" : "password"
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.heartbeat" : {
"title" : "Heartbeat",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.affinity.enabled" : {
"title" : "Affinity Enabled",
"type" : "object",
"propertyOrder" : 5,
"description" : "Enables affinity based request load balancing when accessing the CTS servers. It is imperative that the connection string setting is set to the same value for all OpenAM servers in the deployment when this feature is enabled.",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.org.forgerock.services.cts.store.common.section" : {
"title" : "CTS Token Store",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"org.forgerock.services.cts.store.location" : {
"title" : "Store Mode",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.root.suffix" : {
"title" : "Root Suffix",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.max.connections" : {
"title" : "Max Connections",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.cts.store.external.section" : {
"title" : "External Store Configuration",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"org.forgerock.services.cts.store.ssl.enabled" : {
"title" : "SSL/TLS Enabled",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.directory.name" : {
"title" : "Connection String(s)",
"type" : "object",
"propertyOrder" : 1,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>.",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.loginid" : {
"title" : "Login Id",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.password" : {
"title" : "Password",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"value" : {
"type" : "string",
"required" : false,
"format" : "password"
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.heartbeat" : {
"title" : "Heartbeat",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.cts.store.affinity.enabled" : {
"title" : "Affinity Enabled",
"type" : "object",
"propertyOrder" : 5,
"description" : "Enables affinity based request load balancing when accessing the CTS servers. It is imperative that the connection string setting is set to the same value for all OpenAM servers in the deployment when this feature is enabled.",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
}
}
}
/global-config/servers/{serverName}/properties/directoryConfiguration
1.0
Connection details for directory server(s).
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"directoryConfiguration" : {
"type" : "object",
"title" : "Directory Configuration",
"propertyOrder" : 0,
"properties" : {
"minConnectionPool" : {
"title" : "Minimum Connection Pool",
"propertyOrder" : 0,
"type" : "number"
},
"maxConnectionPool" : {
"title" : "Maximum Connection Pool",
"propertyOrder" : 1,
"type" : "number"
},
"bindDn" : {
"title" : "Bind DN",
"propertyOrder" : 2,
"type" : "string"
},
"bindPassword" : {
"title" : "Bind Password",
"propertyOrder" : 3,
"type" : "string",
"format" : "password"
}
}
},
"directoryServers" : {
"type" : "array",
"title" : "Server",
"propertyOrder" : 1,
"items" : {
"type" : "object",
"required" : [ "serverName", "hostName", "portNumber", "connectionType" ],
"properties" : {
"serverName" : {
"title" : "Name",
"type" : "string",
"propertyOrder" : 0
},
"hostName" : {
"title" : "Host Name",
"type" : "string",
"propertyOrder" : 1
},
"portNumber" : {
"title" : "Port Number",
"type" : "string",
"propertyOrder" : 2
},
"connectionType" : {
"type" : "string",
"enum" : [ "SIMPLE", "SSL" ],
"options" : {
"enum_titles" : [ "SIMPLE", "SSL" ]
},
"title" : "Connection Type",
"propertyOrder" : 3
}
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"directoryConfiguration" : {
"type" : "object",
"title" : "Directory Configuration",
"propertyOrder" : 0,
"properties" : {
"minConnectionPool" : {
"title" : "Minimum Connection Pool",
"propertyOrder" : 0,
"type" : "number"
},
"maxConnectionPool" : {
"title" : "Maximum Connection Pool",
"propertyOrder" : 1,
"type" : "number"
},
"bindDn" : {
"title" : "Bind DN",
"propertyOrder" : 2,
"type" : "string"
},
"bindPassword" : {
"title" : "Bind Password",
"propertyOrder" : 3,
"type" : "string",
"format" : "password"
}
}
},
"directoryServers" : {
"type" : "array",
"title" : "Server",
"propertyOrder" : 1,
"items" : {
"type" : "object",
"required" : [ "serverName", "hostName", "portNumber", "connectionType" ],
"properties" : {
"serverName" : {
"title" : "Name",
"type" : "string",
"propertyOrder" : 0
},
"hostName" : {
"title" : "Host Name",
"type" : "string",
"propertyOrder" : 1
},
"portNumber" : {
"title" : "Port Number",
"type" : "string",
"propertyOrder" : 2
},
"connectionType" : {
"type" : "string",
"enum" : [ "SIMPLE", "SSL" ],
"options" : {
"enum_titles" : [ "SIMPLE", "SSL" ]
},
"title" : "Connection Type",
"propertyOrder" : 3
}
}
}
}
}
}
/global-config/servers/{serverName}/properties/general
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.site" : {
"title" : "Site",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"singleChoiceSite" : {
"type" : "string",
"title" : "Parent Site",
"propertyOrder" : 0,
"required" : false,
"description" : "Parent Site"
}
}
},
"amconfig.header.installdir" : {
"title" : "System",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.services.configpath" : {
"title" : "Base installation directory",
"type" : "object",
"propertyOrder" : 0,
"description" : "Base directory where product's data resides. (property name: com.iplanet.services.configpath)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.locale" : {
"title" : "Default Locale",
"type" : "object",
"propertyOrder" : 1,
"description" : "Default locale for the product. (property name: com.iplanet.am.locale)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.client.notification.url" : {
"title" : "Notification URL",
"type" : "object",
"propertyOrder" : 2,
"description" : "The location of notification service end point. It is usually the product's deployment URI/notificationservice. (property name: com.sun.identity.client.notification.url)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.util.xml.validating" : {
"title" : "XML Validation",
"type" : "object",
"propertyOrder" : 3,
"description" : "Specifies if validation is required when parsing XML documents. (property name: com.iplanet.am.util.xml.validating)",
"properties" : {
"value" : {
"enum" : [ "on", "off" ],
"options" : {
"enum_titles" : [ "On", "Off" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.debug" : {
"title" : "Debugging",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.services.debug.level" : {
"title" : "Debug Level",
"type" : "object",
"propertyOrder" : 0,
"description" : "Debug level for all components in the product. (property name: com.iplanet.services.debug.level)",
"properties" : {
"value" : {
"enum" : [ "off", "error", "warning", "message" ],
"options" : {
"enum_titles" : [ "Off", "Error", "Warning", "Message" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.services.debug.mergeall" : {
"title" : "Merge Debug Files",
"type" : "object",
"propertyOrder" : 1,
"description" : "On : Directs all debug data to a single file (debug.out); Off : creates separate per-component debug files (property name : com.sun.services.debug.mergeall)",
"properties" : {
"value" : {
"enum" : [ "on", "off" ],
"options" : {
"enum_titles" : [ "On", "Off" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.services.debug.directory" : {
"title" : "Debug Directory",
"type" : "object",
"propertyOrder" : 2,
"description" : "Directory where debug files reside. (property name: com.iplanet.services.debug.directory)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.mailserver" : {
"title" : "Mail Server",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.iplanet.am.smtphost" : {
"title" : "Mail Server Host Name",
"type" : "object",
"propertyOrder" : 0,
"description" : "(property name: com.iplanet.am.smtphost)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.smtpport" : {
"title" : "Mail Server Port Number",
"type" : "object",
"propertyOrder" : 1,
"description" : "(property name: com.iplanet.am.smtpport)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.site" : {
"title" : "Site",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"singleChoiceSite" : {
"type" : "string",
"title" : "Parent Site",
"propertyOrder" : 0,
"required" : false,
"description" : "Parent Site"
}
}
},
"amconfig.header.installdir" : {
"title" : "System",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.services.configpath" : {
"title" : "Base installation directory",
"type" : "object",
"propertyOrder" : 0,
"description" : "Base directory where product's data resides. (property name: com.iplanet.services.configpath)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.locale" : {
"title" : "Default Locale",
"type" : "object",
"propertyOrder" : 1,
"description" : "Default locale for the product. (property name: com.iplanet.am.locale)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.client.notification.url" : {
"title" : "Notification URL",
"type" : "object",
"propertyOrder" : 2,
"description" : "The location of notification service end point. It is usually the product's deployment URI/notificationservice. (property name: com.sun.identity.client.notification.url)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.util.xml.validating" : {
"title" : "XML Validation",
"type" : "object",
"propertyOrder" : 3,
"description" : "Specifies if validation is required when parsing XML documents. (property name: com.iplanet.am.util.xml.validating)",
"properties" : {
"value" : {
"enum" : [ "on", "off" ],
"options" : {
"enum_titles" : [ "On", "Off" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.debug" : {
"title" : "Debugging",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.services.debug.level" : {
"title" : "Debug Level",
"type" : "object",
"propertyOrder" : 0,
"description" : "Debug level for all components in the product. (property name: com.iplanet.services.debug.level)",
"properties" : {
"value" : {
"enum" : [ "off", "error", "warning", "message" ],
"options" : {
"enum_titles" : [ "Off", "Error", "Warning", "Message" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.services.debug.mergeall" : {
"title" : "Merge Debug Files",
"type" : "object",
"propertyOrder" : 1,
"description" : "On : Directs all debug data to a single file (debug.out); Off : creates separate per-component debug files (property name : com.sun.services.debug.mergeall)",
"properties" : {
"value" : {
"enum" : [ "on", "off" ],
"options" : {
"enum_titles" : [ "On", "Off" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.services.debug.directory" : {
"title" : "Debug Directory",
"type" : "object",
"propertyOrder" : 2,
"description" : "Directory where debug files reside. (property name: com.iplanet.services.debug.directory)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.mailserver" : {
"title" : "Mail Server",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.iplanet.am.smtphost" : {
"title" : "Mail Server Host Name",
"type" : "object",
"propertyOrder" : 0,
"description" : "(property name: com.iplanet.am.smtphost)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.smtpport" : {
"title" : "Mail Server Port Number",
"type" : "object",
"propertyOrder" : 1,
"description" : "(property name: com.iplanet.am.smtpport)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
}
}
}
/global-config/servers/{serverName}/properties/sdk
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.datastore" : {
"title" : "Data Store",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"com.sun.identity.sm.enableDataStoreNotification" : {
"title" : "Enable Datastore Notification",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies if backend datastore notification is enabled. If this value is set to 'false', then in-memory notification is enabled. (property name: com.sun.identity.sm.enableDataStoreNotification)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.sm.notification.threadpool.size" : {
"title" : "Notification Pool Size",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies the size of the sm notification thread pool (total number of threads). (property name: com.sun.identity.sm.notification.threadpool.size)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.eventservice" : {
"title" : "Event Service",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.am.event.connection.num.retries" : {
"title" : "Number of retries for Event Service connections",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies the number of attempts made to successfully re-establish the Event Service connections. (property name: com.iplanet.am.event.connection.num.retries)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.event.connection.delay.between.retries" : {
"title" : "Delay between Event Service connection retries",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies the delay in milliseconds between retries to re-establish the Event Service connections. (property name: com.iplanet.am.event.connection.delay.between.retries)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.event.connection.ldap.error.codes.retries" : {
"title" : "Error codes for Event Service connection retries",
"type" : "object",
"propertyOrder" : 2,
"description" : "This specifies the LDAP exception error codes for which retries to re-establish Event Service connections will trigger. (property name: com.iplanet.am.event.connection.ldap.error.codes.retries)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.am.event.connection.disable.list" : {
"title" : "Disabled Event Service Connection",
"type" : "object",
"propertyOrder" : 3,
"description" : "Specifies which event connections (persistent searches) are to be disabled. There are three valid values: aci, sm and um (case insensitive). Multiple values should be separated with \",\". (property name: com.sun.am.event.connection.disable.list)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.ldapconnection" : {
"title" : "LDAP Connection",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.ldap.connection.num.retries" : {
"title" : "Number of retries for LDAP Connection",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies the number of attempts made to successfully re-establish LDAP Connection. (property name: com.iplanet.am.ldap.connection.num.retries)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "Delay between LDAP connection retries",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies the delay in milliseconds between retries to re-establish the LDAP connections. (property name: com.iplanet.am.ldap.connection.delay.between.retries)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.ldap.connection.ldap.error.codes.retries" : {
"title" : "Error codes for LDAP connection retries",
"type" : "object",
"propertyOrder" : 2,
"description" : "This specifies the LDAP exception error codes for which retries to re-establish LDAP connections will trigger. (property name: com.iplanet.am.ldap.connection.ldap.error.codes.retries)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.cachingreplica" : {
"title" : "Caching and Replica",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.iplanet.am.sdk.cache.maxSize" : {
"title" : "SDK Caching Max. Size",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies the size of the cache when SDK caching is enabled. The size should be an integer greater than 0, or default size (10000) will be used. Changing this value will reset (clear) the contents of the cache. (property name: com.iplanet.am.sdk.cache.maxSize)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.sdktimetoliveconfig" : {
"title" : "Time To Live Configuration",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"com.iplanet.am.sdk.cache.entry.expire.enabled" : {
"title" : "Cache Entry Expiration Enabled",
"type" : "object",
"propertyOrder" : 0,
"description" : "If this property is set, the cache entries will expire based on the time specified in User Entry Expiration Time property. (property name: com.iplanet.am.sdk.cache.entry.expire.enabled)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.sdk.cache.entry.user.expire.time" : {
"title" : "User Entry Expiration Time",
"type" : "object",
"propertyOrder" : 1,
"description" : "This property specifies time in minutes for which the user entries remain valid in cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant new requests for data for these user entries will result in reading from the Directory. (property name: com.iplanet.am.sdk.cache.entry.user.expire.time)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.sdk.cache.entry.default.expire.time" : {
"title" : "Default Entry Expiration Time",
"type" : "object",
"propertyOrder" : 2,
"description" : "This property specifies time in minutes for which the non-user entries remain valid in cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant new requests for data for these non-user entries will result in reading from the Directory. (property name: com.iplanet.am.sdk.cache.entry.default.expire.time)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.datastore" : {
"title" : "Data Store",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"com.sun.identity.sm.enableDataStoreNotification" : {
"title" : "Enable Datastore Notification",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies if backend datastore notification is enabled. If this value is set to 'false', then in-memory notification is enabled. (property name: com.sun.identity.sm.enableDataStoreNotification)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.sm.notification.threadpool.size" : {
"title" : "Notification Pool Size",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies the size of the sm notification thread pool (total number of threads). (property name: com.sun.identity.sm.notification.threadpool.size)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.eventservice" : {
"title" : "Event Service",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.am.event.connection.num.retries" : {
"title" : "Number of retries for Event Service connections",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies the number of attempts made to successfully re-establish the Event Service connections. (property name: com.iplanet.am.event.connection.num.retries)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.event.connection.delay.between.retries" : {
"title" : "Delay between Event Service connection retries",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies the delay in milliseconds between retries to re-establish the Event Service connections. (property name: com.iplanet.am.event.connection.delay.between.retries)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.event.connection.ldap.error.codes.retries" : {
"title" : "Error codes for Event Service connection retries",
"type" : "object",
"propertyOrder" : 2,
"description" : "This specifies the LDAP exception error codes for which retries to re-establish Event Service connections will trigger. (property name: com.iplanet.am.event.connection.ldap.error.codes.retries)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.am.event.connection.disable.list" : {
"title" : "Disabled Event Service Connection",
"type" : "object",
"propertyOrder" : 3,
"description" : "Specifies which event connections (persistent searches) are to be disabled. There are three valid values: aci, sm and um (case insensitive). Multiple values should be separated with \",\". (property name: com.sun.am.event.connection.disable.list)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.ldapconnection" : {
"title" : "LDAP Connection",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.ldap.connection.num.retries" : {
"title" : "Number of retries for LDAP Connection",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies the number of attempts made to successfully re-establish LDAP Connection. (property name: com.iplanet.am.ldap.connection.num.retries)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "Delay between LDAP connection retries",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies the delay in milliseconds between retries to re-establish the LDAP connections. (property name: com.iplanet.am.ldap.connection.delay.between.retries)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.ldap.connection.ldap.error.codes.retries" : {
"title" : "Error codes for LDAP connection retries",
"type" : "object",
"propertyOrder" : 2,
"description" : "This specifies the LDAP exception error codes for which retries to re-establish LDAP connections will trigger. (property name: com.iplanet.am.ldap.connection.ldap.error.codes.retries)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.cachingreplica" : {
"title" : "Caching and Replica",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.iplanet.am.sdk.cache.maxSize" : {
"title" : "SDK Caching Max. Size",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies the size of the cache when SDK caching is enabled. The size should be an integer greater than 0, or default size (10000) will be used. Changing this value will reset (clear) the contents of the cache. (property name: com.iplanet.am.sdk.cache.maxSize)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.sdktimetoliveconfig" : {
"title" : "Time To Live Configuration",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"com.iplanet.am.sdk.cache.entry.expire.enabled" : {
"title" : "Cache Entry Expiration Enabled",
"type" : "object",
"propertyOrder" : 0,
"description" : "If this property is set, the cache entries will expire based on the time specified in User Entry Expiration Time property. (property name: com.iplanet.am.sdk.cache.entry.expire.enabled)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.sdk.cache.entry.user.expire.time" : {
"title" : "User Entry Expiration Time",
"type" : "object",
"propertyOrder" : 1,
"description" : "This property specifies time in minutes for which the user entries remain valid in cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant new requests for data for these user entries will result in reading from the Directory. (property name: com.iplanet.am.sdk.cache.entry.user.expire.time)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.sdk.cache.entry.default.expire.time" : {
"title" : "Default Entry Expiration Time",
"type" : "object",
"propertyOrder" : 2,
"description" : "This property specifies time in minutes for which the non-user entries remain valid in cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant new requests for data for these non-user entries will result in reading from the Directory. (property name: com.iplanet.am.sdk.cache.entry.default.expire.time)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
}
}
}
/global-config/servers/{serverName}/properties/security
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.encryption" : {
"title" : "Encryption",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"am.encryption.pwd" : {
"title" : "Password Encryption Key",
"type" : "object",
"propertyOrder" : 0,
"description" : "The encryption key value for decrypting passwords stored in the Service Management System configuration. (property name: am.encryption.pwd)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.security.encryptor" : {
"title" : "Encryption class",
"type" : "object",
"propertyOrder" : 1,
"description" : "The default encryption class. (property name: com.iplanet.security.encryptor)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.security.SecureRandomFactoryImpl" : {
"title" : "Secure Random Factory Class",
"type" : "object",
"propertyOrder" : 2,
"description" : "This property specifies the SecureRandomFactory class. Available values for this property are com.iplanet.am.util.JSSSecureRandomFactoryImpl, which uses JSS, and com.iplanet.am.util.SecureRandomFactoryImpl, which uses pure Java only. (property name: com.iplanet.security.SecureRandomFactoryImpl)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.validation" : {
"title" : "Validation",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.services.comm.server.pllrequest.maxContentLength" : {
"title" : "Platform Low Level Comm. Max. Content Length",
"type" : "object",
"propertyOrder" : 0,
"description" : "Maximum content-length for an HttpRequest. (property name: com.iplanet.services.comm.server.pllrequest.maxContentLength)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.clientIPCheckEnabled" : {
"title" : "Client IP Address Check",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies whether or not the IP address of the client is checked in all single sign on token creations or validations. (property name: com.iplanet.am.clientIPCheckEnabled)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.cookie" : {
"title" : "Cookie",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.cookie.name" : {
"title" : "Cookie Name",
"type" : "object",
"propertyOrder" : 0,
"description" : "The cookie name used by Authentication Service to set the valid session handler ID. This name is used to retrieve the valid session information. (property name: com.iplanet.am.cookie.name)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.cookie.secure" : {
"title" : "Secure Cookie",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies whether to set the cookie in secure mode, in which the browser will only return the cookie when a secure protocol such as HTTPS is used. (property name: com.iplanet.am.cookie.secure)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.cookie.encode" : {
"title" : "Encode Cookie Value",
"type" : "object",
"propertyOrder" : 2,
"description" : "Specifies whether to URL encode the cookie value. (property name: com.iplanet.am.cookie.encode)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.securitykey" : {
"title" : "Key Store",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.sun.identity.saml.xmlsig.keystore" : {
"title" : "Keystore File",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies the location of the keystore file. (property name: com.sun.identity.saml.xmlsig.keystore)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.saml.xmlsig.storetype" : {
"title" : "Keystore Type",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies the keystore type. (property name: com.sun.identity.saml.xmlsig.storetype)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.saml.xmlsig.storepass" : {
"title" : "Keystore Password File",
"type" : "object",
"propertyOrder" : 2,
"description" : "Specifies the location of the file that contains the password used to access the keystore file. (property name: com.sun.identity.saml.xmlsig.storepass)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.saml.xmlsig.keypass" : {
"title" : "Private Key Password File",
"type" : "object",
"propertyOrder" : 3,
"description" : "Specifies the location of the file that contains the password used to protect the private key of a generated key pair. (property name: com.sun.identity.saml.xmlsig.keypass)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.saml.xmlsig.certalias" : {
"title" : "Certificate Alias",
"type" : "object",
"propertyOrder" : 4,
"description" : "(property name: com.sun.identity.saml.xmlsig.certalias)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.crlcache" : {
"title" : "Certificate Revocation List Caching",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"com.sun.identity.crl.cache.directory.host" : {
"title" : "LDAP server host name",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.crl.cache.directory.port" : {
"title" : "LDAP server port number",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.crl.cache.directory.ssl" : {
"title" : "SSL/TLS Enabled",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.crl.cache.directory.user" : {
"title" : "LDAP server bind user name",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.crl.cache.directory.password" : {
"title" : "LDAP server bind password",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"value" : {
"type" : "string",
"required" : false,
"format" : "password"
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.crl.cache.directory.searchlocs" : {
"title" : "LDAP search base DN",
"type" : "object",
"propertyOrder" : 5,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.crl.cache.directory.searchattr" : {
"title" : "Search Attributes",
"type" : "object",
"propertyOrder" : 6,
"description" : "Any DN component of issuer's subjectDN can be used to retrieve CRL from local LDAP server. It is single value string, like, \"cn\". All Root CA need to use the same search attribute.",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.ocsp.check" : {
"title" : "Online Certificate Status Protocol Check",
"type" : "object",
"propertyOrder" : 5,
"properties" : {
"com.sun.identity.authentication.ocspCheck" : {
"title" : "Check Enabled",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.authentication.ocsp.responder.url" : {
"title" : "Responder URL",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.authentication.ocsp.responder.nickname" : {
"title" : "Certificate Nickname",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.deserialisationwhitelist" : {
"title" : "Object Deserialisation Class Whitelist",
"type" : "object",
"propertyOrder" : 6,
"properties" : {
"openam.deserialisation.classes.whitelist" : {
"title" : "Whitelist",
"type" : "object",
"propertyOrder" : 0,
"description" : "The list of classes that are considered valid when OpenAM performs Object deserialisation operations. The defaults should work for most installations. (property name: openam.deserialisation.classes.whitelist)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.encryption" : {
"title" : "Encryption",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"am.encryption.pwd" : {
"title" : "Password Encryption Key",
"type" : "object",
"propertyOrder" : 0,
"description" : "The encryption key value for decrypting passwords stored in the Service Management System configuration. (property name: am.encryption.pwd)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.security.encryptor" : {
"title" : "Encryption class",
"type" : "object",
"propertyOrder" : 1,
"description" : "The default encryption class. (property name: com.iplanet.security.encryptor)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.security.SecureRandomFactoryImpl" : {
"title" : "Secure Random Factory Class",
"type" : "object",
"propertyOrder" : 2,
"description" : "This property is used for specifying SecureRandomFactory class. Available values for this property are com.iplanet.am.util.JSSSecureRandomFactoryImpl that is using JSS and com.iplanet.am.util.SecureRandomFactoryImpl that is using pure Java only. (property name: com.iplanet.security.SecureRandomFactoryImpl)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.validation" : {
"title" : "Validation",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.services.comm.server.pllrequest.maxContentLength" : {
"title" : "Platform Low Level Comm. Max. Content Length",
"type" : "object",
"propertyOrder" : 0,
"description" : "Maximum content-length for an HttpRequest. (property name: com.iplanet.services.comm.server.pllrequest.maxContentLength)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.clientIPCheckEnabled" : {
"title" : "Client IP Address Check",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies whether or not the IP address of the client is checked in all single sign on token creations or validations. (property name: com.iplanet.am.clientIPCheckEnabled)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.cookie" : {
"title" : "Cookie",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.cookie.name" : {
"title" : "Cookie Name",
"type" : "object",
"propertyOrder" : 0,
"description" : "The cookie name used by Authentication Service to set the valid session handler ID. This name is used to retrieve the valid session information. (property name: com.iplanet.am.cookie.name)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.cookie.secure" : {
"title" : "Secure Cookie",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies whether to set cookie in a secure mode in which the browser will only return the cookie when a secure protocol such as HTTP(s) is used. (property name: com.iplanet.am.cookie.secure)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.cookie.encode" : {
"title" : "Encode Cookie Value",
"type" : "object",
"propertyOrder" : 2,
"description" : "Specifies whether to URL encode the cookie value. (property name: com.iplanet.am.cookie.encode)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.securitykey" : {
"title" : "Key Store",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.sun.identity.saml.xmlsig.keystore" : {
"title" : "Keystore File",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies the location of the keystore file. (property name: com.sun.identity.saml.xmlsig.keystore)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.saml.xmlsig.storetype" : {
"title" : "Keystore Type",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies the keystore type. (property name: com.sun.identity.saml.xmlsig.storetype)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.saml.xmlsig.storepass" : {
"title" : "Keystore Password File",
"type" : "object",
"propertyOrder" : 2,
"description" : "Specifies the location of the file that contains the password used to access the keystore file. (property name: com.sun.identity.saml.xmlsig.storepass)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.saml.xmlsig.keypass" : {
"title" : "Private Key Password File",
"type" : "object",
"propertyOrder" : 3,
"description" : "Specifies the location of the file that contains the password used to protect the private key of a generated key pair. (property name: com.sun.identity.saml.xmlsig.keypass)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.saml.xmlsig.certalias" : {
"title" : "Certificate Alias",
"type" : "object",
"propertyOrder" : 4,
"description" : "(property name: com.sun.identity.saml.xmlsig.certalias)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.crlcache" : {
"title" : "Certificate Revocation List Caching",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"com.sun.identity.crl.cache.directory.host" : {
"title" : "LDAP server host name",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.crl.cache.directory.port" : {
"title" : "LDAP server port number",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.crl.cache.directory.ssl" : {
"title" : "SSL/TLS Enabled",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.crl.cache.directory.user" : {
"title" : "LDAP server bind user name",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.crl.cache.directory.password" : {
"title" : "LDAP server bind password",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"value" : {
"type" : "string",
"required" : false,
"format" : "password"
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.crl.cache.directory.searchlocs" : {
"title" : "LDAP search base DN",
"type" : "object",
"propertyOrder" : 5,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.crl.cache.directory.searchattr" : {
"title" : "Search Attributes",
"type" : "object",
"propertyOrder" : 6,
"description" : "Any DN component of issuer's subjectDN can be used to retrieve CRL from local LDAP server. It is single value string, like, \"cn\". All Root CA need to use the same search attribute.",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.ocsp.check" : {
"title" : "Online Certificate Status Protocol Check",
"type" : "object",
"propertyOrder" : 5,
"properties" : {
"com.sun.identity.authentication.ocspCheck" : {
"title" : "Check Enabled",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.authentication.ocsp.responder.url" : {
"title" : "Responder URL",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.identity.authentication.ocsp.responder.nickname" : {
"title" : "Certificate Nickname",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.deserialisationwhitelist" : {
"title" : "Object Deserialisation Class Whitelist",
"type" : "object",
"propertyOrder" : 6,
"properties" : {
"openam.deserialisation.classes.whitelist" : {
"title" : "Whitelist",
"type" : "object",
"propertyOrder" : 0,
"description" : "The list of classes that are considered valid when OpenAM performs Object deserialisation operations. The defaults should work for most installations. (property name: openam.deserialisation.classes.whitelist)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
}
}
}
/global-config/servers/{serverName}/properties/session
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.sessionthresholds" : {
"title" : "Session Limits",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"org.forgerock.openam.session.service.access.persistence.caching.maxsize" : {
"title" : "Maximum Session Cache Size",
"type" : "object",
"propertyOrder" : 0,
"description" : "The maximum number of sessions to cache in the per-server internal session cache. (property name: org.forgerock.openam.session.service.access.persistence.caching.maxsize)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.session.invalidsessionmaxtime" : {
"title" : "Invalidate Session Max Time",
"type" : "object",
"propertyOrder" : 1,
"description" : "Duration in minutes after which the invalid session will be removed from the session table if it is created and the user does not login. This value should always be greater than the timeout value in the Authentication module properties file. (property name: com.iplanet.am.session.invalidsessionmaxtime)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.sessionlogging" : {
"title" : "Statistics",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.am.stats.interval" : {
"title" : "Logging Interval (in seconds)",
"type" : "object",
"propertyOrder" : 0,
"description" : "Number of seconds to elapse between statistics logging. The interval should be at least 5 seconds to avoid CPU saturation. An interval value less than 5 seconds will be interpreted as 5 seconds. (property name: com.iplanet.am.stats.interval)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.services.stats.state" : {
"title" : "State",
"type" : "object",
"propertyOrder" : 1,
"description" : "Statistics state 'file' will write to a file under the specified directory, and 'console' will write into webserver log files. (property name: com.iplanet.services.stats.state)",
"properties" : {
"value" : {
"enum" : [ "off", "file", "console" ],
"options" : {
"enum_titles" : [ "Off", "File", "Console" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.services.stats.directory" : {
"title" : "Directory",
"type" : "object",
"propertyOrder" : 2,
"description" : "Directory where the statistic files will be created. Use forward slashes \"/\" to separate directories, not backslash \"\\\". Spaces in the file name are allowed for Windows. (property name: com.iplanet.services.stats.directory)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.am.session.enableHostLookUp" : {
"title" : "Enable Host Lookup",
"type" : "object",
"propertyOrder" : 3,
"description" : "Enables or disables host lookup during session logging. (property name: com.sun.am.session.enableHostLookUp)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.sessionnotification" : {
"title" : "Notification",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.notification.threadpool.size" : {
"title" : "Notification Pool Size",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies the size of the notification thread pool (total number of threads). (property name: com.iplanet.am.notification.threadpool.size)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.notification.threadpool.threshold" : {
"title" : "Notification Thread Pool Threshold",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies the maximum task queue length for serving notification threads. (property name: com.iplanet.am.notification.threadpool.threshold)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.sessionvalidation" : {
"title" : "Validation",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.sun.am.session.caseInsensitiveDN" : {
"title" : "Case Insensitive client DN comparison",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies if client distinguished name comparison is case insensitive/sensitive. (property name: com.sun.am.session.caseInsensitiveDN)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.header.sessionthresholds" : {
"title" : "Session Limits",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"org.forgerock.openam.session.service.access.persistence.caching.maxsize" : {
"title" : "Maximum Session Cache Size",
"type" : "object",
"propertyOrder" : 0,
"description" : "The maximum number of sessions to cache in the per-server internal session cache. (property name: org.forgerock.openam.session.service.access.persistence.caching.maxsize)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.session.invalidsessionmaxtime" : {
"title" : "Invalidate Session Max Time",
"type" : "object",
"propertyOrder" : 1,
"description" : "Duration in minutes after which the invalid session will be removed from the session table if it is created and the user does not login. This value should always be greater than the timeout value in the Authentication module properties file. (property name: com.iplanet.am.session.invalidsessionmaxtime)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.sessionlogging" : {
"title" : "Statistics",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"com.iplanet.am.stats.interval" : {
"title" : "Logging Interval (in seconds)",
"type" : "object",
"propertyOrder" : 0,
"description" : "Number of seconds to elapse between statistics logging. The interval should be at least 5 seconds to avoid CPU saturation. An interval value less than 5 seconds will be interpreted as 5 seconds. (property name: com.iplanet.am.stats.interval)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.services.stats.state" : {
"title" : "State",
"type" : "object",
"propertyOrder" : 1,
"description" : "Statistics state 'file' will write to a file under the specified directory, and 'console' will write into webserver log files. (property name: com.iplanet.services.stats.state)",
"properties" : {
"value" : {
"enum" : [ "off", "file", "console" ],
"options" : {
"enum_titles" : [ "Off", "File", "Console" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.services.stats.directory" : {
"title" : "Directory",
"type" : "object",
"propertyOrder" : 2,
"description" : "Directory where the statistic files will be created. Use forward slashes \"/\" to separate directories, not backslash \"\\\". Spaces in the file name are allowed for Windows. (property name: com.iplanet.services.stats.directory)",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.sun.am.session.enableHostLookUp" : {
"title" : "Enable Host Lookup",
"type" : "object",
"propertyOrder" : 3,
"description" : "Enables or disables host lookup during session logging. (property name: com.sun.am.session.enableHostLookUp)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.sessionnotification" : {
"title" : "Notification",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"com.iplanet.am.notification.threadpool.size" : {
"title" : "Notification Pool Size",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies the size of the notification thread pool (total number of threads). (property name: com.iplanet.am.notification.threadpool.size)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"com.iplanet.am.notification.threadpool.threshold" : {
"title" : "Notification Thread Pool Threshold",
"type" : "object",
"propertyOrder" : 1,
"description" : "Specifies the maximum task queue length for serving notification threads. (property name: com.iplanet.am.notification.threadpool.threshold)",
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.header.sessionvalidation" : {
"title" : "Validation",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"com.sun.am.session.caseInsensitiveDN" : {
"title" : "Case Insensitive client DN comparison",
"type" : "object",
"propertyOrder" : 0,
"description" : "Specifies if client distinguished name comparison is case insensitive/sensitive. (property name: com.sun.am.session.caseInsensitiveDN)",
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
}
}
}
/global-config/servers/{serverName}/properties/uma
1.0
An object of property key-value pairs
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.org.forgerock.services.resourcesets.store.common.section" : {
"title" : "Resource Sets Store",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"org.forgerock.services.resourcesets.store.location" : {
"title" : "Store Mode",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.resourcesets.store.root.suffix" : {
"title" : "Root Suffix",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.resourcesets.store.max.connections" : {
"title" : "Max Connections",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.resourcesets.store.external.section" : {
"title" : "External Resource Sets Store Configuration",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"org.forgerock.services.resourcesets.store.ssl.enabled" : {
"title" : "SSL/TLS Enabled",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.resourcesets.store.directory.name" : {
"title" : "Connection String(s)",
"type" : "object",
"propertyOrder" : 1,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>.",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.resourcesets.store.loginid" : {
"title" : "Login Id",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.resourcesets.store.password" : {
"title" : "Password",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"value" : {
"type" : "string",
"required" : false,
"format" : "password"
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.resourcesets.store.heartbeat" : {
"title" : "Heartbeat",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.umaaudit.store.common.section" : {
"title" : "UMA Audit Store",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"org.forgerock.services.umaaudit.store.location" : {
"title" : "Store Mode",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.umaaudit.store.root.suffix" : {
"title" : "Root Suffix",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.umaaudit.store.max.connections" : {
"title" : "Max Connections",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.umaaudit.store.external.section" : {
"title" : "External UMA Audit Store Configuration",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"org.forgerock.services.umaaudit.store.ssl.enabled" : {
"title" : "SSL/TLS Enabled",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.umaaudit.store.directory.name" : {
"title" : "Connection String(s)",
"type" : "object",
"propertyOrder" : 1,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>.",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.umaaudit.store.loginid" : {
"title" : "Login Id",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.umaaudit.store.password" : {
"title" : "Password",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"value" : {
"type" : "string",
"required" : false,
"format" : "password"
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.umaaudit.store.heartbeat" : {
"title" : "Heartbeat",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.uma.pendingrequests.store.common.section" : {
"title" : "Pending Requests Store",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"org.forgerock.services.uma.pendingrequests.store.location" : {
"title" : "Store Mode",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.pendingrequests.store.root.suffix" : {
"title" : "Root Suffix",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.pendingrequests.store.max.connections" : {
"title" : "Max Connections",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.uma.pendingrequests.store.external.section" : {
"title" : "External Pending Requests Store Configuration",
"type" : "object",
"propertyOrder" : 5,
"properties" : {
"org.forgerock.services.uma.pendingrequests.store.ssl.enabled" : {
"title" : "SSL/TLS Enabled",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.pendingrequests.store.directory.name" : {
"title" : "Connection String(s)",
"type" : "object",
"propertyOrder" : 1,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>.",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.pendingrequests.store.loginid" : {
"title" : "Login Id",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.pendingrequests.store.password" : {
"title" : "Password",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"value" : {
"type" : "string",
"required" : false,
"format" : "password"
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.pendingrequests.store.heartbeat" : {
"title" : "Heartbeat",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.uma.labels.store.common.section" : {
"title" : "UMA Resource Set Labels Store",
"type" : "object",
"propertyOrder" : 6,
"properties" : {
"org.forgerock.services.uma.labels.store.location" : {
"title" : "Store Mode",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.labels.store.root.suffix" : {
"title" : "Root Suffix",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.labels.store.max.connections" : {
"title" : "Max Connections",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.uma.labels.store.external.section" : {
"title" : "External Resource Set Labels Store Configuration",
"type" : "object",
"propertyOrder" : 7,
"properties" : {
"org.forgerock.services.uma.labels.store.ssl.enabled" : {
"title" : "SSL/TLS Enabled",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.labels.store.directory.name" : {
"title" : "Connection String(s)",
"type" : "object",
"propertyOrder" : 1,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>.",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.labels.store.loginid" : {
"title" : "Login Id",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.labels.store.password" : {
"title" : "Password",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"value" : {
"type" : "string",
"required" : false,
"format" : "password"
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.labels.store.heartbeat" : {
"title" : "Heartbeat",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amconfig.org.forgerock.services.resourcesets.store.common.section" : {
"title" : "Resource Sets Store",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"org.forgerock.services.resourcesets.store.location" : {
"title" : "Store Mode",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.resourcesets.store.root.suffix" : {
"title" : "Root Suffix",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.resourcesets.store.max.connections" : {
"title" : "Max Connections",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.resourcesets.store.external.section" : {
"title" : "External Resource Sets Store Configuration",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"org.forgerock.services.resourcesets.store.ssl.enabled" : {
"title" : "SSL/TLS Enabled",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.resourcesets.store.directory.name" : {
"title" : "Connection String(s)",
"type" : "object",
"propertyOrder" : 1,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>.",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.resourcesets.store.loginid" : {
"title" : "Login Id",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.resourcesets.store.password" : {
"title" : "Password",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"value" : {
"type" : "string",
"required" : false,
"format" : "password"
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.resourcesets.store.heartbeat" : {
"title" : "Heartbeat",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.umaaudit.store.common.section" : {
"title" : "UMA Audit Store",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"org.forgerock.services.umaaudit.store.location" : {
"title" : "Store Mode",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.umaaudit.store.root.suffix" : {
"title" : "Root Suffix",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.umaaudit.store.max.connections" : {
"title" : "Max Connections",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.umaaudit.store.external.section" : {
"title" : "External UMA Audit Store Configuration",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"org.forgerock.services.umaaudit.store.ssl.enabled" : {
"title" : "SSL/TLS Enabled",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.umaaudit.store.directory.name" : {
"title" : "Connection String(s)",
"type" : "object",
"propertyOrder" : 1,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>.",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.umaaudit.store.loginid" : {
"title" : "Login Id",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.umaaudit.store.password" : {
"title" : "Password",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"value" : {
"type" : "string",
"required" : false,
"format" : "password"
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.umaaudit.store.heartbeat" : {
"title" : "Heartbeat",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.uma.pendingrequests.store.common.section" : {
"title" : "Pending Requests Store",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"org.forgerock.services.uma.pendingrequests.store.location" : {
"title" : "Store Mode",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.pendingrequests.store.root.suffix" : {
"title" : "Root Suffix",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.pendingrequests.store.max.connections" : {
"title" : "Max Connections",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.uma.pendingrequests.store.external.section" : {
"title" : "External Pending Requests Store Configuration",
"type" : "object",
"propertyOrder" : 5,
"properties" : {
"org.forgerock.services.uma.pendingrequests.store.ssl.enabled" : {
"title" : "SSL/TLS Enabled",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.pendingrequests.store.directory.name" : {
"title" : "Connection String(s)",
"type" : "object",
"propertyOrder" : 1,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>.",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.pendingrequests.store.loginid" : {
"title" : "Login Id",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.pendingrequests.store.password" : {
"title" : "Password",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"value" : {
"type" : "string",
"required" : false,
"format" : "password"
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.pendingrequests.store.heartbeat" : {
"title" : "Heartbeat",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.uma.labels.store.common.section" : {
"title" : "UMA Resource Set Labels Store",
"type" : "object",
"propertyOrder" : 6,
"properties" : {
"org.forgerock.services.uma.labels.store.location" : {
"title" : "Store Mode",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"enum" : [ "default", "external" ],
"options" : {
"enum_titles" : [ "Default Token Store", "External Token Store" ]
},
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.labels.store.root.suffix" : {
"title" : "Root Suffix",
"type" : "object",
"propertyOrder" : 1,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.labels.store.max.connections" : {
"title" : "Max Connections",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
},
"amconfig.org.forgerock.services.uma.labels.store.external.section" : {
"title" : "External Resource Set Labels Store Configuration",
"type" : "object",
"propertyOrder" : 7,
"properties" : {
"org.forgerock.services.uma.labels.store.ssl.enabled" : {
"title" : "SSL/TLS Enabled",
"type" : "object",
"propertyOrder" : 0,
"properties" : {
"value" : {
"type" : "boolean",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.labels.store.directory.name" : {
"title" : "Connection String(s)",
"type" : "object",
"propertyOrder" : 1,
"description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>.",
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.labels.store.loginid" : {
"title" : "Login Id",
"type" : "object",
"propertyOrder" : 2,
"properties" : {
"value" : {
"type" : "string",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.labels.store.password" : {
"title" : "Password",
"type" : "object",
"propertyOrder" : 3,
"properties" : {
"value" : {
"type" : "string",
"required" : false,
"format" : "password"
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
},
"org.forgerock.services.uma.labels.store.heartbeat" : {
"title" : "Heartbeat",
"type" : "object",
"propertyOrder" : 4,
"properties" : {
"value" : {
"type" : "integer",
"required" : false
},
"inherited" : {
"type" : "boolean",
"required" : true
}
}
}
}
}
}
}
/global-config/services
1.0
Global and default configuration for services
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/RadiusServerService
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"radiusThreadPoolKeepaliveSeconds" : {
"title" : "Thread Pool Keep-Alive Seconds",
"description" : "If the pool currently has more than Thread Pool Core Size threads, excess threads will be terminated if they have been idle for more than the Keep-Alive Seconds. Specify a value from <code>1</code> to <code>3600</code>.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"radiusServerPort" : {
"title" : "Listener Port",
"description" : "The UDP port on which each OpenAM server will listen for RADIUS Access-Request packets<br><br>According to the RADIUS Authentication Specification, <a href=\"http://tools.ietf.org/html/rfc2865\" target=\"_blank\">RFC 2865</a>, the officially assigned port number for RADIUS is <code>1812</code>. Specify a value from <code>1024</code> to <code>65535</code>. All client requests are handled through the same port.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"radiusThreadPoolQueueSize" : {
"title" : "Thread Pool Queue Size",
"description" : "The number of requests that can be queued for the pool before further requests will be silently dropped. See also \"Thread Pool Core Size\" and \"Thread Pool Max Size\". Specify a value from <code>1</code> to <code>1000</code>.",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"radiusThreadPoolCoreSize" : {
"title" : "Thread Pool Core Size",
"description" : "When a RADIUS request is received and fewer than <code>corePoolSize</code> threads are running, a new thread is created to handle the request, even if other worker threads are idle. If there are more than \"Thread Pool Core Size\" but less than \"Thread Pool Max Size\" threads running, a new thread will be created only if the queue is full. By setting \"Thread Pool Core Size\" and \"Thread Pool Max Size\" to the same value, you create a fixed-size thread pool. Specify a value from <code>1</code> to <code>100</code>.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"radiusThreadPoolMaxSize" : {
"title" : "Thread Pool Max Size",
"description" : "Maximum number of threads allowed in the pool. See also \"Thread Pool Core Size\".",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"radiusListenerEnabled" : {
"title" : "Enabled",
"description" : "Enables the OpenAM RADIUS server to listen for requests on the listener port and to handle the requests.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"radiusThreadPoolKeepaliveSeconds" : {
"title" : "Thread Pool Keep-Alive Seconds",
"description" : "If the pool currently has more than Thread Pool Core Size threads, excess threads will be terminated if they have been idle for more than the Keep-Alive Seconds. Specify a value from <code>1</code> to <code>3600</code>.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"radiusServerPort" : {
"title" : "Listener Port",
"description" : "The UDP port on which each OpenAM server will listen for RADIUS Access-Request packets<br><br>According to the RADIUS Authentication Specification, <a href=\"http://tools.ietf.org/html/rfc2865\" target=\"_blank\">RFC 2865</a>, the officially assigned port number for RADIUS is <code>1812</code>. Specify a value from <code>1024</code> to <code>65535</code>. All client requests are handled through the same port.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"radiusThreadPoolQueueSize" : {
"title" : "Thread Pool Queue Size",
"description" : "The number of requests that can be queued for the pool before further requests will be silently dropped. See also \"Thread Pool Core Size\" and \"Thread Pool Max Size\". Specify a value from <code>1</code> to <code>1000</code>.",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"radiusThreadPoolCoreSize" : {
"title" : "Thread Pool Core Size",
"description" : "When a RADIUS request is received and fewer than <code>corePoolSize</code> threads are running, a new thread is created to handle the request, even if other worker threads are idle. If there are more than \"Thread Pool Core Size\" but less than \"Thread Pool Max Size\" threads running, a new thread will be created only if the queue is full. By setting \"Thread Pool Core Size\" and \"Thread Pool Max Size\" to the same value, you create a fixed-size thread pool. Specify a value from <code>1</code> to <code>100</code>.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"radiusThreadPoolMaxSize" : {
"title" : "Thread Pool Max Size",
"description" : "Maximum number of threads allowed in the pool. See also \"Thread Pool Core Size\".",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"radiusListenerEnabled" : {
"title" : "Enabled",
"description" : "Enables the OpenAM RADIUS server to listen for requests on the listener port and to handle the requests.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/RadiusServerService/radiusClient
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"handlerClass" : {
"title" : "Handler Class",
"description" : "The fully qualified name of a class to handle incoming RADIUS Access-Requests for this client.<br><br>This class must implement the <code>com.sun.identity.authentication.modules.radius.server.spi.AccessRequestHandler</code> interface to handle incoming Access-Request packets and provide a suitable response. An instance of this class is created when configuration is first loaded to validate the class and then once for each new request. The configuration properties will only be passed for the request handling instances and not when validating the class.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"clientPacketsLogged" : {
"title" : "Log Packet Contents for this Client",
"description" : "Indicates if full packet contents should be dumped to the log.<br><br>When troubleshooting issues with RADIUS it is helpful to know what was received in a given packet. Enabling this feature will cause packet contents to be logged in a human consumable format. The only caveat is that the USER_PASSWORD field will be obfuscated by replacing it with asterisks. This should only be enabled for troubleshooting as it adds significant content to logs and slows processing.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "This secret is shared between server and client for encryption of the user password.<br><br>This secret must be conveyed to the RADIUS client and entered into its configuration before the User-Password field of incoming Access-Request packets can be decrypted to validate the password for the user represented by that packet. A default value is generated for you but you can enter a custom value if desired.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"handlerConfig" : {
"title" : "Handler Class Configuration Properties",
"description" : "Properties needed by the handler class for its configuration.<br><br>These properties are provided to the handler via its <code>init</code> method prior to the call to handle the request packet. If these values are changed, the next handler instance created for an incoming request will receive the updated values. Each entry assumes that the first '<code>=</code>' character encountered separates a key from its value. All entries are placed in a properties file handed to each handler instance.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientIpAddress" : {
"title" : "Client IP Address",
"description" : "The IP Address of the client.<br><br><a href=\"http://tools.ietf.org/html/rfc2865#section-5.4\" target=\"_blank\">Section 5.4 of the RADIUS Authentication Specification, RFC 2865</a>, indicates that the source IP address of the Access-Request packet <em>MUST</em> be used to identify a configured client and hence determine the shared secret to use for decrypting the User-Password field.<p><p>This property should hold the source IP address of the client. This should match the value obtained from Java's <code>InetSocketAddress.getAddress().toString()</code> function.<p><p>To verify the value, send an Access-Request packet to OpenAM's RADIUS port and watch for a message stating: <code>\"No Defined RADIUS Client matches IP address '/127.0.0.1'. Dropping request.\"</code>. The value used in this property should match the IP address returned in the single quotes.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"handlerClass" : {
"title" : "Handler Class",
"description" : "The fully qualified name of a class to handle incoming RADIUS Access-Requests for this client.<br><br>This class must implement the <code>com.sun.identity.authentication.modules.radius.server.spi.AccessRequestHandler</code> interface to handle incoming Access-Request packets and provide a suitable response. An instance of this class is created when configuration is first loaded to validate the class and then once for each new request. The configuration properties will only be passed for the request handling instances and not when validating the class.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"clientPacketsLogged" : {
"title" : "Log Packet Contents for this Client",
"description" : "Indicates if full packet contents should be dumped to the log.<br><br>When troubleshooting issues with RADIUS it is helpful to know what was received in a given packet. Enabling this feature will cause packet contents to be logged in a human consumable format. The only caveat is that the USER_PASSWORD field will be obfuscated by replacing it with asterisks. This should only be enabled for troubleshooting as it adds significant content to logs and slows processing.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "The secret shared between server and client for encryption of the user password.<br><br>This secret must be conveyed to the RADIUS client and entered into its configuration before the User-Password field of incoming Access-Request packets can be decrypted to validate the password for the user represented by that packet. A default value is generated for you but you can enter a custom value if desired.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"handlerConfig" : {
"title" : "Handler Class Configuration Properties",
"description" : "Properties needed by the handler class for its configuration.<br><br>These properties are provided to the handler via its <code>init</code> method prior to the call to handle the request packet. If these values are changed the next handler instance created for an incoming request will receive the updated values. Each entry assumes that the first '<code>=</code>' character encountered separates a key from its value. All entries are placed in a properties file handed to each handler instance.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientIpAddress" : {
"title" : "Client IP Address",
"description" : "The IP Address of the client.<br><br><a href=\"http://tools.ietf.org/html/rfc2865#section-5.4\" target=\"_blank\">Section 5.4 of the RADIUS Authentication Specification, RFC 2865</a>, indicates that the source IP address of the Access-Request packet <em>MUST</em> be used to identify a configured client and hence determine the shared secret to use for decrypting the User-Password field.<p><p>This property should hold the source IP address of the client. This should match the value obtained from Java's <code>InetSocketAddress.getAddress().toString()</code> function.<p><p>To verify the value, send an Access-Request packet to OpenAM's RADIUS port and watch for a message stating: <code>\"No Defined RADIUS Client matches IP address '/127.0.0.1'. Dropping request.\"</code>. The value used in this property should match the IP address returned in the single quotes.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
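The radiusClient properties above are easier to reason about against the wire protocol they configure. The following Python is an added example written for this reference; it is not OpenAM code and does not implement the AccessRequestHandler SPI. It keeps a client table keyed by source IP in the same "/a.b.c.d" form the clientIpAddress description gives, selects the client (and therefore the shared secret) by the packet's source address as RFC 2865 section 5.4 requires, recovers the User-Password with that secret as RFC 2865 section 5.2 specifies, answers with a correctly computed Response Authenticator (RFC 2865 section 3), and splits handlerConfig entries on their first "=". The client table, secret, addresses and the check_credentials callback are all constructed for the example.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed client table standing in for radiusClient instances. The key is the
# clientIpAddress value in the "/a.b.c.d" form that Java's
# InetSocketAddress.getAddress().toString() produces; the secret is made up.
RADIUS_CLIENTS = {
    "/192.0.2.10": {"clientSecret": b"example-shared-secret", "clientPacketsLogged": "false"},
}


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret, authenticator, password):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def unhide_password(secret, authenticator, hidden):
    """Inverse of hide_password; the keystream depends only on the secret and the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips the RFC padding (passwords ending in NUL are not supported)


def _encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = _encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def handle_access_request(source_ip, data, check_credentials):
    """Server side: pick the client (and so the secret) by source IP, as RFC 2865 s5.4 requires.

    Returns the response packet, or None when the packet is dropped. check_credentials is a
    constructed callback standing in for whatever the configured handlerClass would do.
    """
    client = RADIUS_CLIENTS.get(source_ip)
    if client is None:
        # Same situation as OpenAM's "No Defined RADIUS Client matches IP address ..." message.
        return None
    secret = client["clientSecret"]
    code, ident, request_auth, attrs = parse_packet(data)
    if code != ACCESS_REQUEST:
        return None
    values = dict(attrs)
    if ATTR_USER_NAME not in values or ATTR_USER_PASSWORD not in values:
        return None
    password = unhide_password(secret, request_auth, values[ATTR_USER_PASSWORD])
    code = ACCESS_ACCEPT if check_credentials(values[ATTR_USER_NAME].decode(), password) else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, [], secret), [])


def parse_handler_config(entries):
    """handlerConfig entries split on the first '=' only, so values may themselves contain '='."""
    props = {}
    for entry in entries:
        key, _, value = entry.partition("=")
        props[key.strip()] = value  # an entry with no '=' becomes a key with an empty value
    return props
```

Two points worth keeping in mind when setting these properties. The source IP is the only thing that selects the shared secret, and UDP source addresses are trivially forged, so it is the secret and not the address that authenticates a client: give every client its own value rather than reusing one. The password hiding is an MD5-derived keystream XORed over the password, not authenticated encryption; anyone holding the secret (or observing two requests from a client that reuses a Request Authenticator) can recover what was sent, which is also why clientPacketsLogged masks only USER_PASSWORD and should stay off outside troubleshooting.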
/global-config/services/RadiusServerService/radiusClient/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the RADIUS client instance, supplied as the {id} path segment | true | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"handlerClass" : {
"title" : "Handler Class",
"description" : "The fully qualified name of a class to handle incoming RADIUS Access-Requests for this client.<br><br>This class must implement the <code>com.sun.identity.authentication.modules.radius.server.spi.AccessRequestHandler</code> interface to handle incoming Access-Request packets and provide a suitable response. An instance of this class is created when configuration is first loaded to validate the class and then once for each new request. The configuration properties will only be passed for the request handling instances and not when validating the class.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"clientPacketsLogged" : {
"title" : "Log Packet Contents for this Client",
"description" : "Indicates if full packet contents should be dumped to the log.<br><br>When troubleshooting issues with RADIUS it is helpful to know what was received in a given packet. Enabling this feature will cause packet contents to be logged in a human consumable format. The only caveat is that the USER_PASSWORD field will be obfuscated by replacing it with asterisks. This should only be enabled for troubleshooting as it adds significant content to logs and slows processing.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "The secret shared between server and client for encryption of the user password.<br><br>This secret must be conveyed to the RADIUS client and entered into its configuration before the User-Password field of incoming Access-Request packets can be decrypted to validate the password for the user represented by that packet. A default value is generated for you but you can enter a custom value if desired.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"handlerConfig" : {
"title" : "Handler Class Configuration Properties",
"description" : "Properties needed by the handler class for its configuration.<br><br>These properties are provided to the handler via its <code>init</code> method prior to the call to handle the request packet. If these values are changed the next handler instance created for an incoming request will receive the updated values. Each entry assumes that the first '<code>=</code>' character encountered separates a key from its value. All entries are placed in a properties file handed to each handler instance.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientIpAddress" : {
"title" : "Client IP Address",
"description" : "The IP Address of the client.<br><br><a href=\"http://tools.ietf.org/html/rfc2865#section-5.4\" target=\"_blank\">Section 5.4 of the RADIUS Authentication Specification, RFC 2865</a>, indicates that the source IP address of the Access-Request packet <em>MUST</em> be used to identify a configured client and hence determine the shared secret to use for decrypting the User-Password field.<p><p>This property should hold the source IP address of the client. This should match the value obtained from Java's <code>InetSocketAddress.getAddress().toString()</code> function.<p><p>To verify the value, send an Access-Request packet to OpenAM's RADIUS port and watch for a message stating: <code>\"No Defined RADIUS Client matches IP address '/127.0.0.1'. Dropping request.\"</code>. The value used in this property should match the IP address returned in the single quotes.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the RADIUS client instance, supplied as the {id} path segment | true | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"handlerClass" : {
"title" : "Handler Class",
"description" : "The fully qualified name of a class to handle incoming RADIUS Access-Requests for this client.<br><br>This class must implement the <code>com.sun.identity.authentication.modules.radius.server.spi.AccessRequestHandler</code> interface to handle incoming Access-Request packets and provide a suitable response. An instance of this class is created when configuration is first loaded to validate the class and then once for each new request. The configuration properties will only be passed for the request handling instances and not when validating the class.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"clientPacketsLogged" : {
"title" : "Log Packet Contents for this Client",
"description" : "Indicates if full packet contents should be dumped to the log.<br><br>When troubleshooting issues with RADIUS it is helpful to know what was received in a given packet. Enabling this feature will cause packet contents to be logged in a human consumable format. The only caveat is that the USER_PASSWORD field will be obfuscated by replacing it with asterisks. This should only be enabled for troubleshooting as it adds significant content to logs and slows processing.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "The secret shared between server and client for encryption of the user password.<br><br>This secret must be conveyed to the RADIUS client and entered into its configuration before the User-Password field of incoming Access-Request packets can be decrypted to validate the password for the user represented by that packet. A default value is generated for you but you can enter a custom value if desired.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"handlerConfig" : {
"title" : "Handler Class Configuration Properties",
"description" : "Properties needed by the handler class for its configuration.<br><br>These properties are provided to the handler via its <code>init</code> method prior to the call to handle the request packet. If these values are changed the next handler instance created for an incoming request will receive the updated values. Each entry assumes that the first '<code>=</code>' character encountered separates a key from its value. All entries are placed in a properties file handed to each handler instance.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientIpAddress" : {
"title" : "Client IP Address",
"description" : "The IP Address of the client.<br><br><a href=\"http://tools.ietf.org/html/rfc2865#section-5.4\" target=\"_blank\">Section 5.4 of the RADIUS Authentication Specification, RFC 2865</a>, indicates that the source IP address of the Access-Request packet <em>MUST</em> be used to identify a configured client and hence determine the shared secret to use for decrypting the User-Password field.<p><p>This property should hold the source IP address of the client. This should match the value obtained from Java's <code>InetSocketAddress.getAddress().toString()</code> function.<p><p>To verify the value, send an Access-Request packet to OpenAM's RADIUS port and watch for a message stating: <code>\"No Defined RADIUS Client matches IP address '/127.0.0.1'. Dropping request.\"</code>. The value used in this property should match the IP address returned in the single quotes.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the RADIUS client instance, supplied as the {id} path segment | true | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"handlerClass" : {
"title" : "Handler Class",
"description" : "The fully qualified name of a class to handle incoming RADIUS Access-Requests for this client.<br><br>This class must implement the <code>com.sun.identity.authentication.modules.radius.server.spi.AccessRequestHandler</code> interface to handle incoming Access-Request packets and provide a suitable response. An instance of this class is created when configuration is first loaded to validate the class and then once for each new request. The configuration properties will only be passed for the request handling instances and not when validating the class.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"clientPacketsLogged" : {
"title" : "Log Packet Contents for this Client",
"description" : "Indicates if full packet contents should be dumped to the log.<br><br>When troubleshooting issues with RADIUS it is helpful to know what was received in a given packet. Enabling this feature will cause packet contents to be logged in a human consumable format. The only caveat is that the USER_PASSWORD field will be obfuscated by replacing it with asterisks. This should only be enabled for troubleshooting as it adds significant content to logs and slows processing.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "The secret shared between server and client for encryption of the user password.<br><br>This secret must be conveyed to the RADIUS client and entered into its configuration before the User-Password field of incoming Access-Request packets can be decrypted to validate the password for the user represented by that packet. A default value is generated for you but you can enter a custom value if desired.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"handlerConfig" : {
"title" : "Handler Class Configuration Properties",
"description" : "Properties needed by the handler class for its configuration.<br><br>These properties are provided to the handler via its <code>init</code> method prior to the call to handle the request packet. If these values are changed the next handler instance created for an incoming request will receive the updated values. Each entry assumes that the first '<code>=</code>' character encountered separates a key from its value. All entries are placed in a properties file handed to each handler instance.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientIpAddress" : {
"title" : "Client IP Address",
"description" : "The IP Address of the client.<br><br><a href=\"http://tools.ietf.org/html/rfc2865#section-5.4\" target=\"_blank\">Section 5.4 of the RADIUS Authentication Specification, RFC 2865</a>, indicates that the source IP address of the Access-Request packet <em>MUST</em> be used to identify a configured client and hence determine the shared secret to use for decrypting the User-Password field.<p><p>This property should hold the source IP address of the client. This should match the value obtained from Java's <code>InetSocketAddress.getAddress().toString()</code> function.<p><p>To verify the value, send an Access-Request packet to OpenAM's RADIUS port and watch for a message stating: <code>\"No Defined RADIUS Client matches IP address '/127.0.0.1'. Dropping request.\"</code>. The value used in this property should match the IP address returned in the single quotes.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the RADIUS client instance, supplied as the {id} path segment | true | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"handlerClass" : {
"title" : "Handler Class",
"description" : "The fully qualified name of a class to handle incoming RADIUS Access-Requests for this client.<br><br>This class must implement the <code>com.sun.identity.authentication.modules.radius.server.spi.AccessRequestHandler</code> interface to handle incoming Access-Request packets and provide a suitable response. An instance of this class is created when configuration is first loaded to validate the class and then once for each new request. The configuration properties will only be passed for the request handling instances and not when validating the class.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"clientPacketsLogged" : {
"title" : "Log Packet Contents for this Client",
"description" : "Indicates if full packet contents should be dumped to the log.<br><br>When troubleshooting issues with RADIUS it is helpful to know what was received in a given packet. Enabling this feature will cause packet contents to be logged in a human consumable format. The only caveat is that the USER_PASSWORD field will be obfuscated by replacing it with asterisks. This should only be enabled for troubleshooting as it adds significant content to logs and slows processing.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "The secret shared between server and client for encryption of the user password.<br><br>This secret must be conveyed to the RADIUS client and entered into its configuration before the User-Password field of incoming Access-Request packets can be decrypted to validate the password for the user represented by that packet. A default value is generated for you but you can enter a custom value if desired.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"handlerConfig" : {
"title" : "Handler Class Configuration Properties",
"description" : "Properties needed by the handler class for its configuration.<br><br>These properties are provided to the handler via its <code>init</code> method prior to the call to handle the request packet. If these values are changed the next handler instance created for an incoming request will receive the updated values. Each entry assumes that the first '<code>=</code>' character encountered separates a key from its value. All entries are placed in a properties file handed to each handler instance.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientIpAddress" : {
"title" : "Client IP Address",
"description" : "The IP Address of the client.<br><br><a href=\"http://tools.ietf.org/html/rfc2865#section-5.4\" target=\"_blank\">Section 5.4 of the RADIUS Authentication Specification, RFC 2865</a>, indicates that the source IP address of the Access-Request packet <em>MUST</em> be used to identify a configured client and hence determine the shared secret to use for decrypting the User-Password field.<p><p>This property should hold the source IP address of the client. This should match the value obtained from Java's <code>InetSocketAddress.getAddress().toString()</code> function.<p><p>To verify the value, send an Access-Request packet to OpenAM's RADIUS port and watch for a message stating: <code>\"No Defined RADIUS Client matches IP address '/127.0.0.1'. Dropping request.\"</code>. The value used in this property should match the IP address returned in the single quotes.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
/global-config/services/RemoteConsentService
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"clientId" : {
"title" : "Client Name",
"description" : "The name used to identify this OAuth 2.0 remote consent service when referenced in other services.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"jwksUriAS" : {
"title" : "Authorization Server jwk_uri",
"description" : "The jwk_uri for retrieving the authorization server signing and encryption keys.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"consentResponseTimeLimit" : {
"title" : "Consent Response Time Limit (in minutes)",
"description" : "The time limit set on the consent response JWT before it expires, in minutes.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"signingKeyAlias" : {
"title" : "Signing Key Alias",
"description" : "The alias of the key in the default keystore to use for signing.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"encryptionKeyAlias" : {
"title" : "Encryption Key Alias",
"description" : "The alias of the key in the default keystore to use for encryption.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWK Store Cache Miss Cache Time (in minutes)",
"description" : "The length of time a cache miss is cached, in minutes.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"jwkStoreCacheTimeout" : {
"title" : "JWK Store Cache Timeout (in minutes)",
"description" : "The cache timeout for the JWK store of the authorization server, in minutes.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"clientId" : {
"title" : "Client Name",
"description" : "The name used to identify this OAuth 2.0 remote consent service when referenced in other services.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"jwksUriAS" : {
"title" : "Authorization Server jwk_uri",
"description" : "The jwk_uri for retrieving the authorization server signing and encryption keys.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"consentResponseTimeLimit" : {
"title" : "Consent Response Time Limit (in minutes)",
"description" : "The time limit set on the consent response JWT before it expires, in minutes.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"signingKeyAlias" : {
"title" : "Signing Key Alias",
"description" : "The alias of the key in the default keystore to use for signing.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"encryptionKeyAlias" : {
"title" : "Encryption Key Alias",
"description" : "The alias of the key in the default keystore to use for encryption.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWK Store Cache Miss Cache Time (in minutes)",
"description" : "The length of time a cache miss is cached, in minutes.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"jwkStoreCacheTimeout" : {
"title" : "JWK Store Cache Timeout (in minutes)",
"description" : "The cache timeout for the JWK store of the authorization server, in minutes.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
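The three timing properties of the remote consent service above (jwkStoreCacheTimeout, jwkStoreCacheMissCacheTime and consentResponseTimeLimit) interact in a way the one-line descriptions do not show. The Python below is an added example written for this reference, not OpenAM's JWK store or consent code: a JWKS cache keyed by kid that honours both a positive TTL and a negative (cache-miss) TTL, and a freshness check for a consent response JWT against the configured limit. The fetch callback, the fake clock and the claim layout (iat/exp set by the consent service) are assumptions made for the example.

```python
import time


class JwkStoreCache:
    """Cache of the authorization server's JWKS (fetched from jwksUriAS) keyed by kid.

    cache_timeout_min plays the role of jwkStoreCacheTimeout: how long a fetched key set is
    trusted before it is fetched again. miss_cache_min plays the role of
    jwkStoreCacheMissCacheTime: how long a kid that was not found is remembered as missing,
    so repeated lookups for unknown kids do not each trigger a fetch from the jwk_uri.
    """

    def __init__(self, fetch_jwks, cache_timeout_min, miss_cache_min, clock=time.monotonic):
        self._fetch = fetch_jwks          # callable returning the parsed JWKS document (assumed)
        self._ttl = cache_timeout_min * 60
        self._miss_ttl = miss_cache_min * 60
        self._clock = clock
        self._keys = {}
        self._loaded_at = None
        self._misses = {}                 # kid -> time the miss was recorded
        self.fetch_count = 0              # exposed so the effect of both TTLs is observable

    def _refresh(self):
        document = self._fetch()
        self._keys = {k["kid"]: k for k in document.get("keys", []) if "kid" in k}
        self._loaded_at = self._clock()
        self.fetch_count += 1

    def get_key(self, kid):
        """Return the JWK for kid, or None if the authorization server does not publish it."""
        now = self._clock()
        refreshed = False
        if self._loaded_at is None or now - self._loaded_at >= self._ttl:
            self._refresh()
            refreshed = True
        key = self._keys.get(kid)
        if key is not None:
            self._misses.pop(kid, None)
            return key
        missed_at = self._misses.get(kid)
        if missed_at is not None and now - missed_at < self._miss_ttl:
            return None               # negative result still cached: no fetch
        if not refreshed:
            self._refresh()           # key rotation: allow one fresh look before giving up
            key = self._keys.get(kid)
        if key is None:
            self._misses[kid] = now
        else:
            self._misses.pop(kid, None)
        return key


def consent_response_fresh(claims, time_limit_min, now):
    """Check a consent response JWT's lifetime against consentResponseTimeLimit.

    Assumption for this example: the consent service sets iat and exp, and the authorization
    server rejects a response that has expired or whose lifetime exceeds the configured limit.
    """
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        return False
    return iat <= now < exp and exp - iat <= time_limit_min * 60
```

The miss cache is the security-relevant part: the kid in a consent response is chosen by whoever signs the JWT, so without it every unknown kid would cost a fetch from the jwk_uri, and a stream of forged responses becomes a request amplifier against the authorization server's key endpoint. Setting the miss time too high, on the other hand, delays pick-up of a legitimately rotated key by up to that interval.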
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/amSessionPropertyWhitelist
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"sessionPropertyWhitelist" : {
"title" : "Whitelisted Session Property Names",
"description" : "A list of properties that users may read, edit the value of, or delete from their session.<p><p> Adding properties to sessions can impact OpenAM's performance. Because there is no size constraint limiting the set of properties that you can add to sessions, and no limit on the number of session properties you can add, keep in mind that adding session properties can increase the load on an OpenAM deployment in the following areas: <ul><li>OpenAM server memory</li><li>OpenDJ storage</li><li>OpenDJ replication</li></ul><p>Protected attributes will NOT be allowed to be set, edited or deleted, even if they are included in this whitelist.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"sessionPropertyWhitelist" : {
"title" : "Whitelisted Session Property Names",
"description" : "A list of properties that users may read, edit the value of, or delete from their session.<p><p> Adding properties to sessions can impact OpenAM's performance. Because there is no size constraint limiting the set of properties that you can add to sessions, and no limit on the number of session properties you can add, keep in mind that adding session properties can increase the load on an OpenAM deployment in the following areas: <ul><li>OpenAM server memory</li><li>OpenDJ storage</li><li>OpenDJ replication</li></ul><p>Protected attributes will NOT be allowed to be set, edited or deleted, even if they are included in this whitelist.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/audit
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"auditEnabled" : {
"title" : "Audit logging",
"description" : "Enable audit logging in OpenAM.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"fieldFilterPolicy" : {
"title" : "Field exclusion policies",
"description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaults" : {
"properties" : {
"auditEnabled" : {
"title" : "Audit logging",
"description" : "Enable audit logging in OpenAM.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"fieldFilterPolicy" : {
"title" : "Field exclusion policies",
"description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"auditEnabled" : {
"title" : "Audit logging",
"description" : "Enable audit logging in OpenAM.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"fieldFilterPolicy" : {
"title" : "Field exclusion policies",
"description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaults" : {
"properties" : {
"auditEnabled" : {
"title" : "Audit logging",
"description" : "Enable audit logging in OpenAM.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"fieldFilterPolicy" : {
"title" : "Field exclusion policies",
"description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
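The pointer syntax described by the fieldFilterPolicy property above (event topic first, then the field path, string values only), worked through as an added Python example that is not part of OpenAM or of this reference. The event shapes and field names are constructed for the demonstration, and the reading of "made up of JSON strings" as covering both a plain string and an array of strings (an HTTP header) is this example's own assumption.

```python
"""Apply an audit 'Field exclusion policy' (fieldFilterPolicy) to audit events.

Added example, not OpenAM code. It re-implements the rule the schema
description states: a pointer is /<topic>/<field path>, it applies only to
events of that topic, and only string-valued fields are removed. The event
shapes below are constructed for the demo, not real OpenAM records."""
import copy

# Constructed sample events, keyed by topic (field names assumed for illustration).
SAMPLE_EVENTS = {
    "access": {
        "_id": "a1",
        "userId": "id=alice,ou=user,dc=example,dc=com",
        "http": {"request": {"method": "GET", "path": "/json/users/alice",
                             "headers": {"content-type": ["application/json"],
                                         "host": ["am.example.com"]}}},
        "response": {"status": "SUCCESSFUL", "elapsedTime": 12},
    },
    "authentication": {
        "_id": "b1", "userId": "alice", "principal": ["alice"], "result": "SUCCESSFUL",
    },
}


def parse_pointer(pointer):
    """Split '/access/http/request/headers/content-type' into
    ('access', ['http', 'request', 'headers', 'content-type']).
    Applies RFC 6901 unescaping (~1 -> '/', ~0 -> '~')."""
    if not pointer.startswith("/"):
        raise ValueError(f"pointer must start with '/': {pointer!r}")
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in pointer[1:].split("/")]
    if len(tokens) < 2 or not all(tokens):
        raise ValueError(f"pointer needs a topic and a field path: {pointer!r}")
    return tokens[0], tokens[1:]


def _string_valued(value):
    # Page: "Only values that are made up of JSON strings can be manipulated."
    # Read here (an assumption) as a string, or an array of strings such as an HTTP header.
    return isinstance(value, str) or (
        isinstance(value, list) and all(isinstance(v, str) for v in value))


def apply_field_filter(topic, event, policy):
    """Return (filtered_copy, removed_pointers, skipped_pointers).

    Pointers for other topics are ignored. Pointers whose target is missing,
    or is an object/number rather than string-valued, go into `skipped` so a
    reviewer can see which exclusions silently did nothing."""
    filtered = copy.deepcopy(event)
    removed, skipped = [], []
    for pointer in policy:
        ptr_topic, path = parse_pointer(pointer)
        if ptr_topic != topic:
            continue
        parent = filtered
        for key in path[:-1]:
            parent = parent.get(key) if isinstance(parent, dict) else None
            if parent is None:
                break
        leaf = path[-1]
        if isinstance(parent, dict) and leaf in parent and _string_valued(parent[leaf]):
            del parent[leaf]
            removed.append(pointer)
        else:
            skipped.append(pointer)
    return filtered, removed, skipped


if __name__ == "__main__":
    policy = ["/access/userId", "/access/http/request/headers/content-type",
              "/access/http", "/authentication/principal"]
    for topic, event in SAMPLE_EVENTS.items():
        out, removed, skipped = apply_field_filter(topic, event, policy)
        print(topic, "removed:", removed, "skipped:", skipped)
        print(out)
```

Running it with a pointer such as /access/http shows the policy's main caveat: a pointer to a whole object is not an exclusion, so sensitive data nested under a non-string field has to be named down to the string leaf, and a numeric field such as elapsedTime cannot be excluded at all.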
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/audit/CSV
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"csvFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
},
"csvFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
},
"csvSecurity" : {
"type" : "object",
"title" : "Tamper Evident Configuration",
"propertyOrder" : 6,
"properties" : {
"securityPassword" : {
"title" : "Certificate Store Password",
"description" : "Password for Java keystore.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string",
"format" : "password"
},
"securityFilename" : {
"title" : "Certificate Store Location",
"description" : "Path to Java keystore.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"securityEnabled" : {
"title" : "Is Enabled",
"description" : "Enables the CSV tamper evident feature.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"securitySignatureInterval" : {
"title" : "Signature Interval",
"description" : "Signature generation interval, in seconds.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
}
}
},
"csvBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables buffering.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"bufferingAutoFlush" : {
"title" : "Flush Each Event Immediately",
"description" : "Performance may be improved by writing all buffered events before flushing.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
},
"csvConfig" : {
"type" : "object",
"title" : "CSV Configuration",
"propertyOrder" : 2,
"properties" : {
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log CSV files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
}
}
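A request body for the CSV handler schema above, built and checked in Python as an added example (not ForgeRock code). The schema table inside it is transcribed from this page; the byte and second limits, the placeholder paths, the factory class name (a placeholder, since the CSV factory class is not named on this page) and the review() heuristics are the example's own assumptions.

```python
"""Build and sanity-check the request body for a CSV audit event handler
(/global-config/services/audit/CSV/{id}).

Added example, not ForgeRock code. CSV_HANDLER_SCHEMA is transcribed from the
schema on this page; the limits chosen in csv_handler_body() and the review()
heuristics are this example's own, not product defaults."""
import json

# section -> {property: (declared JSON type, required)}, as the page declares them.
# Note that every numeric limit (bytes, seconds, file counts) is a JSON *string*.
CSV_HANDLER_SCHEMA = {
    "commonHandler": {"enabled": ("boolean", True), "topics": ("array", True)},
    "commonHandlerPlugin": {"handlerFactory": ("string", True)},
    "csvConfig": {"location": ("string", True)},
    "csvFileRotation": {
        "rotationEnabled": ("boolean", True), "rotationMaxFileSize": ("string", True),
        "rotationInterval": ("string", True), "rotationTimes": ("array", True),
        "rotationFilePrefix": ("string", False), "rotationFileSuffix": ("string", False)},
    "csvFileRetention": {
        "retentionMaxNumberOfHistoryFiles": ("string", True),
        "retentionMaxDiskSpaceToUse": ("string", True),
        "retentionMinFreeSpaceRequired": ("string", True)},
    "csvBuffering": {"bufferingEnabled": ("boolean", True),
                     "bufferingAutoFlush": ("boolean", True)},
    "csvSecurity": {
        "securityEnabled": ("boolean", True), "securityFilename": ("string", False),
        "securityPassword": ("string", False), "securitySignatureInterval": ("string", False)},
}
_PY_TYPES = {"boolean": bool, "string": str, "array": list}


def validate(body):
    """Return schema violations (required property missing, wrong JSON type); [] if clean."""
    errors = []
    for section, props in CSV_HANDLER_SCHEMA.items():
        values = body.get(section)
        if not isinstance(values, dict):
            errors.append(f"missing section {section}")
            continue
        for name, (jtype, required) in props.items():
            if name not in values:
                if required:
                    errors.append(f"{section}.{name} is required")
            elif not isinstance(values[name], _PY_TYPES[jtype]):
                errors.append(f"{section}.{name} must be JSON {jtype}, "
                              f"got {type(values[name]).__name__}")
    return errors


def _disabled(value):
    # Page: "A negative or zero value indicates this policy is disabled."
    return int(value) <= 0


def review(body):
    """Security review of a body that already passed validate(); returns findings."""
    findings = []
    common, rot = body["commonHandler"], body["csvFileRotation"]
    ret, sec, buf = body["csvFileRetention"], body["csvSecurity"], body["csvBuffering"]
    if not common["enabled"] or not common["topics"]:
        findings.append("handler disabled or has no topics: nothing will be written")
    if not sec["securityEnabled"]:
        findings.append("tamper-evident signing disabled: edits to the CSV are undetectable")
    elif not (sec.get("securityFilename") and sec.get("securityPassword")):
        findings.append("tamper-evident signing enabled without keystore location/password")
    if not rot["rotationEnabled"]:
        findings.append("rotation disabled: one file grows without bound")
    elif (_disabled(rot["rotationMaxFileSize"]) and _disabled(rot["rotationInterval"])
          and not rot["rotationTimes"]):
        findings.append("rotation enabled but no size, interval or time trigger")
    if (_disabled(ret["retentionMaxDiskSpaceToUse"]) and _disabled(ret["retentionMinFreeSpaceRequired"])
            and int(ret["retentionMaxNumberOfHistoryFiles"]) < 0):
        findings.append("every retention policy disabled: audit files can fill the disk")
    if buf["bufferingEnabled"] and not buf["bufferingAutoFlush"]:
        findings.append("buffering without per-event flush: unflushed events may be lost on crash")
    return findings


def csv_handler_body(location, handler_factory, keystore, keystore_password,
                     topics=("access", "activity", "authentication", "config")):
    """A hardened body: tamper evidence on, size- and time-based rotation, retention set."""
    return {
        "commonHandler": {"enabled": True, "topics": list(topics)},
        "commonHandlerPlugin": {"handlerFactory": handler_factory},
        "csvConfig": {"location": location},
        "csvFileRotation": {"rotationEnabled": True,
                            "rotationMaxFileSize": "104857600",  # 100 MiB, as a string
                            "rotationInterval": "0",             # interval trigger disabled
                            "rotationTimes": ["0"]},             # also rotate at midnight
        "csvFileRetention": {"retentionMaxNumberOfHistoryFiles": "30",
                             "retentionMaxDiskSpaceToUse": "0",             # disabled
                             "retentionMinFreeSpaceRequired": "1073741824"},  # keep 1 GiB free
        "csvBuffering": {"bufferingEnabled": True, "bufferingAutoFlush": True},
        "csvSecurity": {"securityEnabled": True, "securityFilename": keystore,
                        "securityPassword": keystore_password,
                        "securitySignatureInterval": "900"},
    }


if __name__ == "__main__":
    # Placeholders: the factory class is not named on this page (it must implement
    # org.forgerock.openam.audit.AuditEventHandlerFactory); take the password from a secret store.
    body = csv_handler_body("/opt/openam/audit", "com.example.CsvAuditEventHandlerFactory",
                            "/opt/openam/audit-keystore.jceks", "changeit")
    print(json.dumps(body, indent=2))
    print("violations:", validate(body), "findings:", review(body))
```

Two things the schema makes easy to get wrong surface here. Every limit is typed as a JSON string, so 104857600 sent as a number fails validate(). And csvSecurity.securityFilename and securityPassword are optional in the schema, so a body with securityEnabled true and no keystore passes schema validation; review() flags that combination, along with rotation and retention settings whose zero or negative values the page defines as "disabled".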
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"csvFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
},
"csvFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
},
"csvSecurity" : {
"type" : "object",
"title" : "Tamper Evident Configuration",
"propertyOrder" : 6,
"properties" : {
"securityPassword" : {
"title" : "Certificate Store Password",
"description" : "Password for Java keystore.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string",
"format" : "password"
},
"securityFilename" : {
"title" : "Certificate Store Location",
"description" : "Path to Java keystore.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"securityEnabled" : {
"title" : "Is Enabled",
"description" : "Enables the CSV tamper evident feature.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"securitySignatureInterval" : {
"title" : "Signature Interval",
"description" : "Signature generation interval, in seconds.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
}
}
},
"csvBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables buffering.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"bufferingAutoFlush" : {
"title" : "Flush Each Event Immediately",
"description" : "Performance may be improved by writing all buffered events before flushing.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
},
"csvConfig" : {
"type" : "object",
"title" : "CSV Configuration",
"propertyOrder" : 2,
"properties" : {
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log CSV files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
}
}
/global-config/services/audit/CSV/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"csvFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
},
"csvFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
},
"csvSecurity" : {
"type" : "object",
"title" : "Tamper Evident Configuration",
"propertyOrder" : 6,
"properties" : {
"securityPassword" : {
"title" : "Certificate Store Password",
"description" : "Password for Java keystore.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string",
"format" : "password"
},
"securityFilename" : {
"title" : "Certificate Store Location",
"description" : "Path to Java keystore.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"securityEnabled" : {
"title" : "Is Enabled",
"description" : "Enables the CSV tamper evident feature.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"securitySignatureInterval" : {
"title" : "Signature Interval",
"description" : "Signature generation interval, in seconds.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
}
}
},
"csvBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables buffering.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"bufferingAutoFlush" : {
"title" : "Flush Each Event Immediately",
"description" : "Performance may be improved by writing all buffered events before flushing.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
},
"csvConfig" : {
"type" : "object",
"title" : "CSV Configuration",
"propertyOrder" : 2,
"properties" : {
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log CSV files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"csvFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
},
"csvFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
},
"csvSecurity" : {
"type" : "object",
"title" : "Tamper Evident Configuration",
"propertyOrder" : 6,
"properties" : {
"securityPassword" : {
"title" : "Certificate Store Password",
"description" : "Password for Java keystore.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string",
"format" : "password"
},
"securityFilename" : {
"title" : "Certificate Store Location",
"description" : "Path to Java keystore.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"securityEnabled" : {
"title" : "Is Enabled",
"description" : "Enables the CSV tamper evident feature.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"securitySignatureInterval" : {
"title" : "Signature Interval",
"description" : "Signature generation interval, in seconds.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
}
}
},
"csvBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables buffering.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"bufferingAutoFlush" : {
"title" : "Flush Each Event Immediately",
"description" : "Performance may be improved by writing all buffered events before flushing.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
},
"csvConfig" : {
"type" : "object",
"title" : "CSV Configuration",
"propertyOrder" : 2,
"properties" : {
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log CSV files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"csvFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
},
"csvFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
},
"csvSecurity" : {
"type" : "object",
"title" : "Tamper Evident Configuration",
"propertyOrder" : 6,
"properties" : {
"securityPassword" : {
"title" : "Certificate Store Password",
"description" : "Password for Java keystore.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string",
"format" : "password"
},
"securityFilename" : {
"title" : "Certificate Store Location",
"description" : "Path to Java keystore.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"securityEnabled" : {
"title" : "Is Enabled",
"description" : "Enables the CSV tamper evident feature.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"securitySignatureInterval" : {
"title" : "Signature Interval",
"description" : "Signature generation interval, in seconds.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
}
}
},
"csvBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables buffering.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"bufferingAutoFlush" : {
"title" : "Flush Each Event Immediately",
"description" : "Performance may be improved by writing all buffered events before flushing.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
},
"csvConfig" : {
"type" : "object",
"title" : "CSV Configuration",
"propertyOrder" : 2,
"properties" : {
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log CSV files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"csvFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
},
"csvFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
},
"csvSecurity" : {
"type" : "object",
"title" : "Tamper Evident Configuration",
"propertyOrder" : 6,
"properties" : {
"securityPassword" : {
"title" : "Certificate Store Password",
"description" : "Password for Java keystore.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string",
"format" : "password"
},
"securityFilename" : {
"title" : "Certificate Store Location",
"description" : "Path to Java keystore.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"securityEnabled" : {
"title" : "Is Enabled",
"description" : "Enables the CSV tamper evident feature.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"securitySignatureInterval" : {
"title" : "Signature Interval",
"description" : "Signature generation interval, in seconds.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
}
}
},
"csvBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables buffering.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"bufferingAutoFlush" : {
"title" : "Flush Each Event Immediately",
"description" : "Performance may be improved by writing all buffered events before flushing.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
},
"csvConfig" : {
"type" : "object",
"title" : "CSV Configuration",
"propertyOrder" : 2,
"properties" : {
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log CSV files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
}
}
/global-config/services/audit/Elasticsearch
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"elasticsearchBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 4,
"properties" : {
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000)",
"propertyOrder" : 5800,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
"propertyOrder" : 6000,
"required" : true,
"type" : "integer"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"propertyOrder" : 5700,
"required" : true,
"type" : "boolean"
},
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
"propertyOrder" : 5900,
"required" : true,
"type" : "integer"
}
}
},
"elasticsearchConfig" : {
"type" : "object",
"title" : "Elasticsearch Configuration",
"propertyOrder" : 2,
"properties" : {
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
"propertyOrder" : 5300,
"required" : true,
"type" : "boolean"
},
"index" : {
"title" : "Elasticsearch Index",
"description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of the Elasticsearch server.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server Port",
"description" : "Specifies the port number used to access Elasticsearch's REST API.",
"propertyOrder" : 5200,
"required" : true,
"type" : "integer"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 4900,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 5000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"elasticsearchAuthentication" : {
"type" : "object",
"title" : "Authentication",
"propertyOrder" : 3,
"properties" : {
"password" : {
"title" : "Password",
"description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5600,
"required" : true,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Username",
"description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 6100,
"required" : true,
"type" : "string"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"elasticsearchBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 4,
"properties" : {
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000)",
"propertyOrder" : 5800,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
"propertyOrder" : 6000,
"required" : true,
"type" : "integer"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"propertyOrder" : 5700,
"required" : true,
"type" : "boolean"
},
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
"propertyOrder" : 5900,
"required" : true,
"type" : "integer"
}
}
},
"elasticsearchConfig" : {
"type" : "object",
"title" : "Elasticsearch Configuration",
"propertyOrder" : 2,
"properties" : {
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
"propertyOrder" : 5300,
"required" : true,
"type" : "boolean"
},
"index" : {
"title" : "Elasticsearch Index",
"description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of the Elasticsearch server.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server Port",
"description" : "Specifies the port number used to access Elasticsearch's REST API.",
"propertyOrder" : 5200,
"required" : true,
"type" : "integer"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 4900,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 5000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"elasticsearchAuthentication" : {
"type" : "object",
"title" : "Authentication",
"propertyOrder" : 3,
"properties" : {
"password" : {
"title" : "Password",
"description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5600,
"required" : true,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Username",
"description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 6100,
"required" : true,
"type" : "string"
}
}
}
}
}
/global-config/services/audit/Elasticsearch/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"elasticsearchBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 4,
"properties" : {
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000)",
"propertyOrder" : 5800,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
"propertyOrder" : 6000,
"required" : true,
"type" : "integer"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"propertyOrder" : 5700,
"required" : true,
"type" : "boolean"
},
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
"propertyOrder" : 5900,
"required" : true,
"type" : "integer"
}
}
},
"elasticsearchConfig" : {
"type" : "object",
"title" : "Elasticsearch Configuration",
"propertyOrder" : 2,
"properties" : {
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
"propertyOrder" : 5300,
"required" : true,
"type" : "boolean"
},
"index" : {
"title" : "Elasticsearch Index",
"description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of the Elasticsearch server.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server Port",
"description" : "Specifies the port number used to access Elasticsearch's REST API.",
"propertyOrder" : 5200,
"required" : true,
"type" : "integer"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 4900,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 5000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"elasticsearchAuthentication" : {
"type" : "object",
"title" : "Authentication",
"propertyOrder" : 3,
"properties" : {
"password" : {
"title" : "Password",
"description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5600,
"required" : true,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Username",
"description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 6100,
"required" : true,
"type" : "string"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"elasticsearchBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 4,
"properties" : {
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000)",
"propertyOrder" : 5800,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
"propertyOrder" : 6000,
"required" : true,
"type" : "integer"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"propertyOrder" : 5700,
"required" : true,
"type" : "boolean"
},
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
"propertyOrder" : 5900,
"required" : true,
"type" : "integer"
}
}
},
"elasticsearchConfig" : {
"type" : "object",
"title" : "Elasticsearch Configuration",
"propertyOrder" : 2,
"properties" : {
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
"propertyOrder" : 5300,
"required" : true,
"type" : "boolean"
},
"index" : {
"title" : "Elasticsearch Index",
"description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of the Elasticsearch server.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server Port",
"description" : "Specifies the port number used to access Elasticsearch's REST API.",
"propertyOrder" : 5200,
"required" : true,
"type" : "integer"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 4900,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 5000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"elasticsearchAuthentication" : {
"type" : "object",
"title" : "Authentication",
"propertyOrder" : 3,
"properties" : {
"password" : {
"title" : "Password",
"description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5600,
"required" : true,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Username",
"description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 6100,
"required" : true,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"elasticsearchBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 4,
"properties" : {
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000)",
"propertyOrder" : 5800,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
"propertyOrder" : 6000,
"required" : true,
"type" : "integer"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"propertyOrder" : 5700,
"required" : true,
"type" : "boolean"
},
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
"propertyOrder" : 5900,
"required" : true,
"type" : "integer"
}
}
},
"elasticsearchConfig" : {
"type" : "object",
"title" : "Elasticsearch Configuration",
"propertyOrder" : 2,
"properties" : {
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
"propertyOrder" : 5300,
"required" : true,
"type" : "boolean"
},
"index" : {
"title" : "Elasticsearch Index",
"description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of the Elasticsearch server.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server Port",
"description" : "Specifies the port number used to access Elasticsearch's REST API.",
"propertyOrder" : 5200,
"required" : true,
"type" : "integer"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 4900,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 5000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"elasticsearchAuthentication" : {
"type" : "object",
"title" : "Authentication",
"propertyOrder" : 3,
"properties" : {
"password" : {
"title" : "Password",
"description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5600,
"required" : true,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Username",
"description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 6100,
"required" : true,
"type" : "string"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"elasticsearchBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 4,
"properties" : {
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000)",
"propertyOrder" : 5800,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
"propertyOrder" : 6000,
"required" : true,
"type" : "integer"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"propertyOrder" : 5700,
"required" : true,
"type" : "boolean"
},
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
"propertyOrder" : 5900,
"required" : true,
"type" : "integer"
}
}
},
"elasticsearchConfig" : {
"type" : "object",
"title" : "Elasticsearch Configuration",
"propertyOrder" : 2,
"properties" : {
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
"propertyOrder" : 5300,
"required" : true,
"type" : "boolean"
},
"index" : {
"title" : "Elasticsearch Index",
"description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of the Elasticsearch server.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server Port",
"description" : "Specifies the port number used to access Elasticsearch's REST API.",
"propertyOrder" : 5200,
"required" : true,
"type" : "integer"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 4900,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 5000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"elasticsearchAuthentication" : {
"type" : "object",
"title" : "Authentication",
"propertyOrder" : 3,
"properties" : {
"password" : {
"title" : "Password",
"description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5600,
"required" : true,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Username",
"description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 6100,
"required" : true,
"type" : "string"
}
}
}
}
}
/global-config/services/audit/JDBC
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jdbcDatabaseConfig" : {
"type" : "object",
"title" : "Database Configuration",
"propertyOrder" : 2,
"properties" : {
"driverClassName" : {
"title" : "JDBC Driver",
"description" : "Fully qualified JDBC driver class name.",
"propertyOrder" : 3500,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC Database URL",
"description" : "URL of the JDBC database.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"databaseType" : {
"title" : "Database Type",
"description" : "Select the database to use for logging audit events.<br><br>Identifies the database in use, for example MySQL, Oracle, or SQL.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"maxLifetime" : {
"title" : "Maximum Connection Time (seconds)",
"description" : "Specifies the maximum time a JDBC connection can be open, in seconds.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "Specifies the username to access the database server.",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "Specifies the password to access the database server.",
"propertyOrder" : 3700,
"required" : true,
"type" : "string",
"format" : "password"
},
"minIdle" : {
"title" : "Minimum Idle Connections",
"description" : "Specifies the minimum number of idle connections in the connection pool.",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"idleTimeout" : {
"title" : "Maximum Connection Idle Timeout (seconds)",
"description" : "Specifies the maximum idle time before the connection is closed, in seconds.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"connectionTimeout" : {
"title" : "Connection Timeout (seconds)",
"description" : "Specifies the maximum wait time before failing the connection, in seconds.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"maxPoolSize" : {
"title" : "Maximum Connections",
"description" : "Specifies the maximum number of connections in the connection pool.",
"propertyOrder" : 4200,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 4800,
"required" : true,
"type" : "string"
}
}
},
"jdbcBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingMaxBatchedEvents" : {
"title" : "Max Batched Events",
"description" : "Specifies the maximum number of batched statements the database can support per connection.",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"bufferingMaxSize" : {
"title" : "Buffer Size (number of events)",
"description" : "Size of the queue where events are buffered before they are written to the database.<br><br>This queue has to be big enough to store all incoming events that have not yet been written to the database.<p>If the queue reaches capacity, the process will block until a write occurs.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"bufferingWriterThreads" : {
"title" : "Writer Threads",
"description" : "Specifies the number of threads used to write the buffered events.",
"propertyOrder" : 4600,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write Interval",
"description" : "Specifies the interval (seconds) at which buffered events are written to the database.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 3200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jdbcDatabaseConfig" : {
"type" : "object",
"title" : "Database Configuration",
"propertyOrder" : 2,
"properties" : {
"driverClassName" : {
"title" : "JDBC Driver",
"description" : "Fully qualified JDBC driver class name.",
"propertyOrder" : 3500,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC Database URL",
"description" : "URL of the JDBC database.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"databaseType" : {
"title" : "Database Type",
"description" : "Select the database to use for logging audit events.<br><br>Identifies the database in use, for example MySQL, Oracle, or SQL.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"maxLifetime" : {
"title" : "Maximum Connection Time (seconds)",
"description" : "Specifies the maximum time a JDBC connection can be open, in seconds.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "Specifies the username to access the database server.",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "Specifies the password to access the database server.",
"propertyOrder" : 3700,
"required" : true,
"type" : "string",
"format" : "password"
},
"minIdle" : {
"title" : "Minimum Idle Connections",
"description" : "Specifies the minimum number of idle connections in the connection pool.",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"idleTimeout" : {
"title" : "Maximum Connection Idle Timeout (seconds)",
"description" : "Specifies the maximum idle time before the connection is closed, in seconds.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"connectionTimeout" : {
"title" : "Connection Timeout (seconds)",
"description" : "Specifies the maximum wait time before failing the connection, in seconds.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"maxPoolSize" : {
"title" : "Maximum Connections",
"description" : "Specifies the maximum number of connections in the connection pool.",
"propertyOrder" : 4200,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 4800,
"required" : true,
"type" : "string"
}
}
},
"jdbcBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingMaxBatchedEvents" : {
"title" : "Max Batched Events",
"description" : "Specifies the maximum number of batched statements the database can support per connection.",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"bufferingMaxSize" : {
"title" : "Buffer Size (number of events)",
"description" : "Size of the queue where events are buffered before they are written to the database.<br><br>This queue has to be big enough to store all incoming events that have not yet been written to the database.<p>If the queue reaches capacity, the process will block until a write occurs.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"bufferingWriterThreads" : {
"title" : "Writer Threads",
"description" : "Specifies the number of threads used to write the buffered events.",
"propertyOrder" : 4600,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write Interval",
"description" : "Specifies the interval (seconds) at which buffered events are written to the database.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 3200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
}
}
}
}
}
/global-config/services/audit/JDBC/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jdbcDatabaseConfig" : {
"type" : "object",
"title" : "Database Configuration",
"propertyOrder" : 2,
"properties" : {
"driverClassName" : {
"title" : "JDBC Driver",
"description" : "Fully qualified JDBC driver class name.",
"propertyOrder" : 3500,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC Database URL",
"description" : "URL of the JDBC database.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"databaseType" : {
"title" : "Database Type",
"description" : "Select the database to use for logging audit events.<br><br>Identifies the database in use, for example MySQL, Oracle, or SQL.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"maxLifetime" : {
"title" : "Maximum Connection Time (seconds)",
"description" : "Specifies the maximum time a JDBC connection can be open, in seconds.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "Specifies the username to access the database server.",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "Specifies the password to access the database server.",
"propertyOrder" : 3700,
"required" : true,
"type" : "string",
"format" : "password"
},
"minIdle" : {
"title" : "Minimum Idle Connections",
"description" : "Specifies the minimum number of idle connections in the connection pool.",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"idleTimeout" : {
"title" : "Maximum Connection Idle Timeout (seconds)",
"description" : "Specifies the maximum idle time before the connection is closed, in seconds.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"connectionTimeout" : {
"title" : "Connection Timeout (seconds)",
"description" : "Specifies the maximum wait time before failing the connection, in seconds.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"maxPoolSize" : {
"title" : "Maximum Connections",
"description" : "Specifies the maximum number of connections in the connection pool.",
"propertyOrder" : 4200,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 4800,
"required" : true,
"type" : "string"
}
}
},
"jdbcBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingMaxBatchedEvents" : {
"title" : "Max Batched Events",
"description" : "Specifies the maximum number of batched statements the database can support per connection.",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"bufferingMaxSize" : {
"title" : "Buffer Size (number of events)",
"description" : "Size of the queue where events are buffered before they are written to the database.<br><br>This queue has to be big enough to store all incoming events that have not yet been written to the database.<p>If the queue reaches capacity, the process will block until a write occurs.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"bufferingWriterThreads" : {
"title" : "Writer Threads",
"description" : "Specifies the number of threads used to write the buffered events.",
"propertyOrder" : 4600,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write Interval",
"description" : "Specifies the interval (seconds) at which buffered events are written to the database.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 3200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jdbcDatabaseConfig" : {
"type" : "object",
"title" : "Database Configuration",
"propertyOrder" : 2,
"properties" : {
"driverClassName" : {
"title" : "JDBC Driver",
"description" : "Fully qualified JDBC driver class name.",
"propertyOrder" : 3500,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC Database URL",
"description" : "URL of the JDBC database.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"databaseType" : {
"title" : "Database Type",
"description" : "Select the database to use for logging audit events.<br><br>Identifies the database in use, for example MySQL, Oracle, or SQL.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"maxLifetime" : {
"title" : "Maximum Connection Time (seconds)",
"description" : "Specifies the maximum time a JDBC connection can be open, in seconds.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "Specifies the username to access the database server.",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "Specifies the password to access the database server.",
"propertyOrder" : 3700,
"required" : true,
"type" : "string",
"format" : "password"
},
"minIdle" : {
"title" : "Minimum Idle Connections",
"description" : "Specifies the minimum number of idle connections in the connection pool.",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"idleTimeout" : {
"title" : "Maximum Connection Idle Timeout (seconds)",
"description" : "Specifies the maximum idle time before the connection is closed, in seconds.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"connectionTimeout" : {
"title" : "Connection Timeout (seconds)",
"description" : "Specifies the maximum wait time before failing the connection, in seconds.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"maxPoolSize" : {
"title" : "Maximum Connections",
"description" : "Specifies the maximum number of connections in the connection pool.",
"propertyOrder" : 4200,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 4800,
"required" : true,
"type" : "string"
}
}
},
"jdbcBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingMaxBatchedEvents" : {
"title" : "Max Batched Events",
"description" : "Specifies the maximum number of batched statements the database can support per connection.",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"bufferingMaxSize" : {
"title" : "Buffer Size (number of events)",
"description" : "Size of the queue where events are buffered before they are written to the database.<br><br>This queue has to be big enough to store all incoming events that have not yet been written to the database.<p>If the queue reaches capacity, the process will block until a write occurs.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"bufferingWriterThreads" : {
"title" : "Writer Threads",
"description" : "Specifies the number of threads used to write the buffered events.",
"propertyOrder" : 4600,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write Interval",
"description" : "Specifies the interval (seconds) at which buffered events are written to the database.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 3200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jdbcDatabaseConfig" : {
"type" : "object",
"title" : "Database Configuration",
"propertyOrder" : 2,
"properties" : {
"driverClassName" : {
"title" : "JDBC Driver",
"description" : "Fully qualified JDBC driver class name.",
"propertyOrder" : 3500,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC Database URL",
"description" : "URL of the JDBC database.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"databaseType" : {
"title" : "Database Type",
"description" : "Select the database to use for logging audit events.<br><br>Identifies the database in use, for example MySQL, Oracle, or SQL.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"maxLifetime" : {
"title" : "Maximum Connection Time (seconds)",
"description" : "Specifies the maximum time a JDBC connection can be open, in seconds.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "Specifies the username to access the database server.",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "Specifies the password to access the database server.",
"propertyOrder" : 3700,
"required" : true,
"type" : "string",
"format" : "password"
},
"minIdle" : {
"title" : "Minimum Idle Connections",
"description" : "Specifies the minimum number of idle connections in the connection pool.",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"idleTimeout" : {
"title" : "Maximum Connection Idle Timeout (seconds)",
"description" : "Specifies the maximum idle time before the connection is closed, in seconds.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"connectionTimeout" : {
"title" : "Connection Timeout (seconds)",
"description" : "Specifies the maximum wait time before failing the connection, in seconds.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"maxPoolSize" : {
"title" : "Maximum Connections",
"description" : "Specifies the maximum number of connections in the connection pool.",
"propertyOrder" : 4200,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 4800,
"required" : true,
"type" : "string"
}
}
},
"jdbcBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingMaxBatchedEvents" : {
"title" : "Max Batched Events",
"description" : "Specifies the maximum number of batched statements the database can support per connection.",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"bufferingMaxSize" : {
"title" : "Buffer Size (number of events)",
"description" : "Size of the queue where events are buffered before they are written to the database.<br><br>This queue has to be big enough to store all incoming events that have not yet been written to the database.<p>If the queue reaches capacity, the process will block until a write occurs.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"bufferingWriterThreads" : {
"title" : "Writer Threads",
"description" : "Specifies the number of threads used to write the buffered events.",
"propertyOrder" : 4600,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write Interval",
"description" : "Specifies the interval (seconds) at which buffered events are written to the database.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 3200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jdbcDatabaseConfig" : {
"type" : "object",
"title" : "Database Configuration",
"propertyOrder" : 2,
"properties" : {
"driverClassName" : {
"title" : "JDBC Driver",
"description" : "Fully qualified JDBC driver class name.",
"propertyOrder" : 3500,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC Database URL",
"description" : "URL of the JDBC database.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"databaseType" : {
"title" : "Database Type",
"description" : "Select the database to use for logging audit events.<br><br>Identifies the database in use, for example MySQL, Oracle, or SQL.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"maxLifetime" : {
"title" : "Maximum Connection Time (seconds)",
"description" : "Specifies the maximum time a JDBC connection can be open, in seconds.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "Specifies the username to access the database server.",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "Specifies the password to access the database server.",
"propertyOrder" : 3700,
"required" : true,
"type" : "string",
"format" : "password"
},
"minIdle" : {
"title" : "Minimum Idle Connections",
"description" : "Specifies the minimum number of idle connections in the connection pool.",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"idleTimeout" : {
"title" : "Maximum Connection Idle Timeout (seconds)",
"description" : "Specifies the maximum idle time before the connection is closed, in seconds.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"connectionTimeout" : {
"title" : "Connection Timeout (seconds)",
"description" : "Specifies the maximum wait time before failing the connection, in seconds.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"maxPoolSize" : {
"title" : "Maximum Connections",
"description" : "Specifies the maximum number of connections in the connection pool.",
"propertyOrder" : 4200,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 4800,
"required" : true,
"type" : "string"
}
}
},
"jdbcBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingMaxBatchedEvents" : {
"title" : "Max Batched Events",
"description" : "Specifies the maximum number of batched statements the database can support per connection.",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"bufferingMaxSize" : {
"title" : "Buffer Size (number of events)",
"description" : "Size of the queue where events are buffered before they are written to the database.<br><br>This queue has to be big enough to store all incoming events that have not yet been written to the database.<p>If the queue reaches capacity, the process will block until a write occurs.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"bufferingWriterThreads" : {
"title" : "Writer Threads",
"description" : "Specifies the number of threads used to write the buffered events.",
"propertyOrder" : 4600,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write Interval",
"description" : "Specifies the interval (seconds) at which buffered events are written to the database.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 3200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
}
}
}
}
}
/global-config/services/audit/JMS
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jmsConfiguration" : {
"type" : "object",
"title" : "JMS Configuration",
"propertyOrder" : 2,
"properties" : {
"jndiTopicName" : {
"title" : "JMS Topic Name",
"description" : "JNDI lookup name for the JMS topic",
"propertyOrder" : 6700,
"required" : true,
"type" : "string"
},
"jndiContextProperties" : {
"title" : "JNDI Context Properties",
"description" : "Specifies JNDI properties that OpenAM uses to connect to the JMS message broker to which OpenAM will publish audit events.<p><p>OpenAM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for OpenAM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.<p>The default properties are example properties for connecting to Apache ActiveMQ.",
"propertyOrder" : 6600,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"jndiConnectionFactoryName" : {
"title" : "JMS Connection Factory Name",
"description" : "Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. OpenAM performs a JNDI lookup on this name to locate your broker's connection factory.<p><p>See the documentation for your JMS message broker for the required value.<p>The default is the connection factory name for Apache ActiveMQ.",
"propertyOrder" : 6800,
"required" : true,
"type" : "string"
},
"deliveryMode" : {
"title" : "Delivery Mode",
"description" : "Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.<p><p>With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.<p>Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.",
"propertyOrder" : 6400,
"required" : true,
"type" : "string"
},
"sessionMode" : {
"title" : "Session Mode",
"description" : "Specifies the JMS session acknowledgement mode: <code>AUTO</code>, <code>CLIENT</code>, or <code>DUPS_OK</code>.<p><ul><li>Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.</li><li>Duplicates OK mode ensures that messages are delivered at least once.</li><li>Client mode does not ensure delivery.</li></ul><p>Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.",
"propertyOrder" : 6500,
"required" : true,
"type" : "string"
}
}
},
"batchEvents" : {
"type" : "object",
"title" : "Batch Events",
"propertyOrder" : 3,
"properties" : {
"insertTimeoutSec" : {
"title" : "Insert Timeout",
"description" : "Waiting period (seconds) for available capacity, when a new event enters the queue.",
"propertyOrder" : 7300,
"required" : true,
"type" : "integer"
},
"batchCapacity" : {
"title" : "Capacity",
"description" : "Maximum event count in the batch queue; additional events are dropped.",
"propertyOrder" : 7000,
"required" : true,
"type" : "integer"
},
"batchThreadCount" : {
"title" : "Thread Count",
"description" : "Number of concurrent threads that pull events from the batch queue.",
"propertyOrder" : 7200,
"required" : true,
"type" : "integer"
},
"maxBatchedEvents" : {
"title" : "Max Batched",
"description" : "Maximum number of events per batch.",
"propertyOrder" : 7100,
"required" : true,
"type" : "integer"
},
"shutdownTimeoutSec" : {
"title" : "Shutdown Timeout",
"description" : "Application waiting period (seconds) for worker thread termination.",
"propertyOrder" : 7500,
"required" : true,
"type" : "integer"
},
"pollTimeoutSec" : {
"title" : "Polling Timeout",
"description" : "Worker thread waiting period (seconds) for the next event, before going idle.",
"propertyOrder" : 7400,
"required" : true,
"type" : "integer"
},
"batchEnabled" : {
"title" : "Batch enabled",
"description" : "Boolean for batch delivery of audit events.",
"propertyOrder" : 6900,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 6300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 6200,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 7600,
"required" : true,
"type" : "string"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the `_queryFilter=true` filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jmsConfiguration" : {
"type" : "object",
"title" : "JMS Configuration",
"propertyOrder" : 2,
"properties" : {
"jndiTopicName" : {
"title" : "JMS Topic Name",
"description" : "JNDI lookup name for the JMS topic",
"propertyOrder" : 6700,
"required" : true,
"type" : "string"
},
"jndiContextProperties" : {
"title" : "JNDI Context Properties",
"description" : "Specifies JNDI properties that OpenAM uses to connect to the JMS message broker to which OpenAM will publish audit events.<p><p>OpenAM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for OpenAM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.<p>The default properties are example properties for connecting to Apache ActiveMQ.",
"propertyOrder" : 6600,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"jndiConnectionFactoryName" : {
"title" : "JMS Connection Factory Name",
"description" : "Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. OpenAM performs a JNDI lookup on this name to locate your broker's connection factory.<p><p>See the documentation for your JMS message broker for the required value.<p>The default is the connection factory name for Apache ActiveMQ.",
"propertyOrder" : 6800,
"required" : true,
"type" : "string"
},
"deliveryMode" : {
"title" : "Delivery Mode",
"description" : "Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.<p><p>With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.<p>Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.",
"propertyOrder" : 6400,
"required" : true,
"type" : "string"
},
"sessionMode" : {
"title" : "Session Mode",
"description" : "Specifies the JMS session acknowledgement mode: <code>AUTO</code>, <code>CLIENT</code>, or <code>DUPS_OK</code>.<p><ul><li>Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.</li><li>Duplicates OK mode ensures that messages are delivered at least once.</li><li>Client mode does not ensure delivery.</li></ul><p>Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.",
"propertyOrder" : 6500,
"required" : true,
"type" : "string"
}
}
},
"batchEvents" : {
"type" : "object",
"title" : "Batch Events",
"propertyOrder" : 3,
"properties" : {
"insertTimeoutSec" : {
"title" : "Insert Timeout",
"description" : "Waiting period (seconds) for available capacity, when a new event enters the queue.",
"propertyOrder" : 7300,
"required" : true,
"type" : "integer"
},
"batchCapacity" : {
"title" : "Capacity",
"description" : "Maximum event count in the batch queue; additional events are dropped.",
"propertyOrder" : 7000,
"required" : true,
"type" : "integer"
},
"batchThreadCount" : {
"title" : "Thread Count",
"description" : "Number of concurrent threads that pull events from the batch queue.",
"propertyOrder" : 7200,
"required" : true,
"type" : "integer"
},
"maxBatchedEvents" : {
"title" : "Max Batched",
"description" : "Maximum number of events per batch.",
"propertyOrder" : 7100,
"required" : true,
"type" : "integer"
},
"shutdownTimeoutSec" : {
"title" : "Shutdown Timeout",
"description" : "Application waiting period (seconds) for worker thread termination.",
"propertyOrder" : 7500,
"required" : true,
"type" : "integer"
},
"pollTimeoutSec" : {
"title" : "Polling Timeout",
"description" : "Worker thread waiting period (seconds) for the next event, before going idle.",
"propertyOrder" : 7400,
"required" : true,
"type" : "integer"
},
"batchEnabled" : {
"title" : "Batch enabled",
"description" : "Boolean for batch delivery of audit events.",
"propertyOrder" : 6900,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 6300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 6200,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 7600,
"required" : true,
"type" : "string"
}
}
}
}
}
/global-config/services/audit/JMS/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jmsConfiguration" : {
"type" : "object",
"title" : "JMS Configuration",
"propertyOrder" : 2,
"properties" : {
"jndiTopicName" : {
"title" : "JMS Topic Name",
"description" : "JNDI lookup name for the JMS topic",
"propertyOrder" : 6700,
"required" : true,
"type" : "string"
},
"jndiContextProperties" : {
"title" : "JNDI Context Properties",
"description" : "Specifies JNDI properties that OpenAM uses to connect to the JMS message broker to which OpenAM will publish audit events.<p><p>OpenAM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for OpenAM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.<p>The default properties are example properties for connecting to Apache ActiveMQ.",
"propertyOrder" : 6600,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"jndiConnectionFactoryName" : {
"title" : "JMS Connection Factory Name",
"description" : "Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. OpenAM performs a JNDI lookup on this name to locate your broker's connection factory.<p><p>See the documentation for your JMS message broker for the required value.<p>The default is the connection factory name for Apache ActiveMQ.",
"propertyOrder" : 6800,
"required" : true,
"type" : "string"
},
"deliveryMode" : {
"title" : "Delivery Mode",
"description" : "Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.<p><p>With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.<p>Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.",
"propertyOrder" : 6400,
"required" : true,
"type" : "string"
},
"sessionMode" : {
"title" : "Session Mode",
"description" : "Specifies the JMS session acknowledgement mode: <code>AUTO</code>, <code>CLIENT</code>, or <code>DUPS_OK</code>.<p><ul><li>Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.</li><li>Duplicates OK mode ensures that messages are delivered at least once.</li><li>Client mode does not ensure delivery.</li></ul><p>Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.",
"propertyOrder" : 6500,
"required" : true,
"type" : "string"
}
}
},
"batchEvents" : {
"type" : "object",
"title" : "Batch Events",
"propertyOrder" : 3,
"properties" : {
"insertTimeoutSec" : {
"title" : "Insert Timeout",
"description" : "Waiting period (seconds) for available capacity, when a new event enters the queue.",
"propertyOrder" : 7300,
"required" : true,
"type" : "integer"
},
"batchCapacity" : {
"title" : "Capacity",
"description" : "Maximum event count in the batch queue; additional events are dropped.",
"propertyOrder" : 7000,
"required" : true,
"type" : "integer"
},
"batchThreadCount" : {
"title" : "Thread Count",
"description" : "Number of concurrent threads that pull events from the batch queue.",
"propertyOrder" : 7200,
"required" : true,
"type" : "integer"
},
"maxBatchedEvents" : {
"title" : "Max Batched",
"description" : "Maximum number of events per batch.",
"propertyOrder" : 7100,
"required" : true,
"type" : "integer"
},
"shutdownTimeoutSec" : {
"title" : "Shutdown Timeout",
"description" : "Application waiting period (seconds) for worker thread termination.",
"propertyOrder" : 7500,
"required" : true,
"type" : "integer"
},
"pollTimeoutSec" : {
"title" : "Polling Timeout",
"description" : "Worker thread waiting period (seconds) for the next event, before going idle.",
"propertyOrder" : 7400,
"required" : true,
"type" : "integer"
},
"batchEnabled" : {
"title" : "Batch enabled",
"description" : "Boolean for batch delivery of audit events.",
"propertyOrder" : 6900,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 6300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 6200,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 7600,
"required" : true,
"type" : "string"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jmsConfiguration" : {
"type" : "object",
"title" : "JMS Configuration",
"propertyOrder" : 2,
"properties" : {
"jndiTopicName" : {
"title" : "JMS Topic Name",
"description" : "JNDI lookup name for the JMS topic",
"propertyOrder" : 6700,
"required" : true,
"type" : "string"
},
"jndiContextProperties" : {
"title" : "JNDI Context Properties",
"description" : "Specifies JNDI properties that OpenAM uses to connect to the JMS message broker to which OpenAM will publish audit events.<p><p>OpenAM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for OpenAM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.<p>The default properties are example properties for connecting to Apache ActiveMQ.",
"propertyOrder" : 6600,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"jndiConnectionFactoryName" : {
"title" : "JMS Connection Factory Name",
"description" : "Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. OpenAM performs a JNDI lookup on this name to locate your broker's connection factory.<p><p>See the documentation for your JMS message broker for the required value.<p>The default is the connection factory name for Apache ActiveMQ.",
"propertyOrder" : 6800,
"required" : true,
"type" : "string"
},
"deliveryMode" : {
"title" : "Delivery Mode",
"description" : "Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.<p><p>With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.<p>Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.",
"propertyOrder" : 6400,
"required" : true,
"type" : "string"
},
"sessionMode" : {
"title" : "Session Mode",
"description" : "Specifies the JMS session acknowledgement mode: <code>AUTO</code>, <code>CLIENT</code>, or <code>DUPS_OK</code>.<p><ul><li>Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.</li><li>Duplicates OK mode ensures that messages are delivered at least once.</li><li>Client mode does not ensure delivery.</li></ul><p>Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.",
"propertyOrder" : 6500,
"required" : true,
"type" : "string"
}
}
},
"batchEvents" : {
"type" : "object",
"title" : "Batch Events",
"propertyOrder" : 3,
"properties" : {
"insertTimeoutSec" : {
"title" : "Insert Timeout",
"description" : "Waiting period (seconds) for available capacity, when a new event enters the queue.",
"propertyOrder" : 7300,
"required" : true,
"type" : "integer"
},
"batchCapacity" : {
"title" : "Capacity",
"description" : "Maximum event count in the batch queue; additional events are dropped.",
"propertyOrder" : 7000,
"required" : true,
"type" : "integer"
},
"batchThreadCount" : {
"title" : "Thread Count",
"description" : "Number of concurrent threads that pull events from the batch queue.",
"propertyOrder" : 7200,
"required" : true,
"type" : "integer"
},
"maxBatchedEvents" : {
"title" : "Max Batched",
"description" : "Maximum number of events per batch.",
"propertyOrder" : 7100,
"required" : true,
"type" : "integer"
},
"shutdownTimeoutSec" : {
"title" : "Shutdown Timeout",
"description" : "Application waiting period (seconds) for worker thread termination.",
"propertyOrder" : 7500,
"required" : true,
"type" : "integer"
},
"pollTimeoutSec" : {
"title" : "Polling Timeout",
"description" : "Worker thread waiting period (seconds) for the next event, before going idle.",
"propertyOrder" : 7400,
"required" : true,
"type" : "integer"
},
"batchEnabled" : {
"title" : "Batch enabled",
"description" : "Boolean for batch delivery of audit events.",
"propertyOrder" : 6900,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 6300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 6200,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 7600,
"required" : true,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jmsConfiguration" : {
"type" : "object",
"title" : "JMS Configuration",
"propertyOrder" : 2,
"properties" : {
"jndiTopicName" : {
"title" : "JMS Topic Name",
"description" : "JNDI lookup name for the JMS topic",
"propertyOrder" : 6700,
"required" : true,
"type" : "string"
},
"jndiContextProperties" : {
"title" : "JNDI Context Properties",
"description" : "Specifies JNDI properties that OpenAM uses to connect to the JMS message broker to which OpenAM will publish audit events.<p><p>OpenAM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for OpenAM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.<p>The default properties are example properties for connecting to Apache ActiveMQ.",
"propertyOrder" : 6600,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"jndiConnectionFactoryName" : {
"title" : "JMS Connection Factory Name",
"description" : "Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. OpenAM performs a JNDI lookup on this name to locate your broker's connection factory.<p><p>See the documentation for your JMS message broker for the required value.<p>The default is the connection factory name for Apache ActiveMQ.",
"propertyOrder" : 6800,
"required" : true,
"type" : "string"
},
"deliveryMode" : {
"title" : "Delivery Mode",
"description" : "Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.<p><p>With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.<p>Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.",
"propertyOrder" : 6400,
"required" : true,
"type" : "string"
},
"sessionMode" : {
"title" : "Session Mode",
"description" : "Specifies the JMS session acknowledgement mode: <code>AUTO</code>, <code>CLIENT</code>, or <code>DUPS_OK</code>.<p><ul><li>Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.</li><li>Duplicates OK mode ensures that messages are delivered at least once.</li><li>Client mode does not ensure delivery.</li></ul><p>Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.",
"propertyOrder" : 6500,
"required" : true,
"type" : "string"
}
}
},
"batchEvents" : {
"type" : "object",
"title" : "Batch Events",
"propertyOrder" : 3,
"properties" : {
"insertTimeoutSec" : {
"title" : "Insert Timeout",
"description" : "Waiting period (seconds) for available capacity, when a new event enters the queue.",
"propertyOrder" : 7300,
"required" : true,
"type" : "integer"
},
"batchCapacity" : {
"title" : "Capacity",
"description" : "Maximum event count in the batch queue; additional events are dropped.",
"propertyOrder" : 7000,
"required" : true,
"type" : "integer"
},
"batchThreadCount" : {
"title" : "Thread Count",
"description" : "Number of concurrent threads that pull events from the batch queue.",
"propertyOrder" : 7200,
"required" : true,
"type" : "integer"
},
"maxBatchedEvents" : {
"title" : "Max Batched",
"description" : "Maximum number of events per batch.",
"propertyOrder" : 7100,
"required" : true,
"type" : "integer"
},
"shutdownTimeoutSec" : {
"title" : "Shutdown Timeout",
"description" : "Application waiting period (seconds) for worker thread termination.",
"propertyOrder" : 7500,
"required" : true,
"type" : "integer"
},
"pollTimeoutSec" : {
"title" : "Polling Timeout",
"description" : "Worker thread waiting period (seconds) for the next event, before going idle.",
"propertyOrder" : 7400,
"required" : true,
"type" : "integer"
},
"batchEnabled" : {
"title" : "Batch enabled",
"description" : "Boolean for batch delivery of audit events.",
"propertyOrder" : 6900,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 6300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 6200,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 7600,
"required" : true,
"type" : "string"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jmsConfiguration" : {
"type" : "object",
"title" : "JMS Configuration",
"propertyOrder" : 2,
"properties" : {
"jndiTopicName" : {
"title" : "JMS Topic Name",
"description" : "JNDI lookup name for the JMS topic",
"propertyOrder" : 6700,
"required" : true,
"type" : "string"
},
"jndiContextProperties" : {
"title" : "JNDI Context Properties",
"description" : "Specifies JNDI properties that OpenAM uses to connect to the JMS message broker to which OpenAM will publish audit events.<p><p>OpenAM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for OpenAM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.<p>The default properties are example properties for connecting to Apache ActiveMQ.",
"propertyOrder" : 6600,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"jndiConnectionFactoryName" : {
"title" : "JMS Connection Factory Name",
"description" : "Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. OpenAM performs a JNDI lookup on this name to locate your broker's connection factory.<p><p>See the documentation for your JMS message broker for the required value.<p>The default is the connection factory name for Apache ActiveMQ.",
"propertyOrder" : 6800,
"required" : true,
"type" : "string"
},
"deliveryMode" : {
"title" : "Delivery Mode",
"description" : "Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.<p><p>With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.<p>Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.",
"propertyOrder" : 6400,
"required" : true,
"type" : "string"
},
"sessionMode" : {
"title" : "Session Mode",
"description" : "Specifies the JMS session acknowledgement mode: <code>AUTO</code>, <code>CLIENT</code>, or <code>DUPS_OK</code>.<p><ul><li>Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.</li><li>Duplicates OK mode ensures that messages are delivered at least once.</li><li>Client mode does not ensure delivery.</li></ul><p>Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.",
"propertyOrder" : 6500,
"required" : true,
"type" : "string"
}
}
},
"batchEvents" : {
"type" : "object",
"title" : "Batch Events",
"propertyOrder" : 3,
"properties" : {
"insertTimeoutSec" : {
"title" : "Insert Timeout",
"description" : "Waiting period (seconds) for available capacity, when a new event enters the queue.",
"propertyOrder" : 7300,
"required" : true,
"type" : "integer"
},
"batchCapacity" : {
"title" : "Capacity",
"description" : "Maximum event count in the batch queue; additional events are dropped.",
"propertyOrder" : 7000,
"required" : true,
"type" : "integer"
},
"batchThreadCount" : {
"title" : "Thread Count",
"description" : "Number of concurrent threads that pull events from the batch queue.",
"propertyOrder" : 7200,
"required" : true,
"type" : "integer"
},
"maxBatchedEvents" : {
"title" : "Max Batched",
"description" : "Maximum number of events per batch.",
"propertyOrder" : 7100,
"required" : true,
"type" : "integer"
},
"shutdownTimeoutSec" : {
"title" : "Shutdown Timeout",
"description" : "Application waiting period (seconds) for worker thread termination.",
"propertyOrder" : 7500,
"required" : true,
"type" : "integer"
},
"pollTimeoutSec" : {
"title" : "Polling Timeout",
"description" : "Worker thread waiting period (seconds) for the next event, before going idle.",
"propertyOrder" : 7400,
"required" : true,
"type" : "integer"
},
"batchEnabled" : {
"title" : "Batch enabled",
"description" : "Boolean for batch delivery of audit events.",
"propertyOrder" : 6900,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 6300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 6200,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 7600,
"required" : true,
"type" : "string"
}
}
}
}
}
/global-config/services/audit/JSON
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jsonFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
},
"jsonConfig" : {
"type" : "object",
"title" : "JSON Configuration",
"propertyOrder" : 2,
"properties" : {
"elasticsearchCompatible" : {
"title" : "ElasticSearch JSON Format Compatible",
"description" : "JSON format should be transformed to be compatible with ElasticSearch format restrictions.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log JSON files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"rotationRetentionCheckInterval" : {
"title" : "File Rotation Retention Check Interval",
"description" : "Interval to check time-based file rotation policies, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
}
}
},
"jsonBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingMaxSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 100000)",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write interval",
"description" : "Interval at which buffered events are written to a file, in milliseconds.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
}
}
},
"jsonFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jsonFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
},
"jsonConfig" : {
"type" : "object",
"title" : "JSON Configuration",
"propertyOrder" : 2,
"properties" : {
"elasticsearchCompatible" : {
"title" : "ElasticSearch JSON Format Compatible",
"description" : "JSON format should be transformed to be compatible with ElasticSearch format restrictions.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log JSON files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"rotationRetentionCheckInterval" : {
"title" : "File Rotation Retention Check Interval",
"description" : "Interval to check time-based file rotation policies, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
}
}
},
"jsonBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingMaxSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 100000)",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write interval",
"description" : "Interval at which buffered events are written to a file, in milliseconds.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
}
}
},
"jsonFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
}
}
}
/global-config/services/audit/JSON/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jsonFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
},
"jsonConfig" : {
"type" : "object",
"title" : "JSON Configuration",
"propertyOrder" : 2,
"properties" : {
"elasticsearchCompatible" : {
"title" : "ElasticSearch JSON Format Compatible",
"description" : "JSON format should be transformed to be compatible with ElasticSearch format restrictions.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log JSON files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"rotationRetentionCheckInterval" : {
"title" : "File Rotation Retention Check Interval",
"description" : "Interval to check time-based file rotation policies, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
}
}
},
"jsonBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingMaxSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 100000)",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write interval",
"description" : "Interval at which buffered events are written to a file, in milliseconds.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
}
}
},
"jsonFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jsonFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
},
"jsonConfig" : {
"type" : "object",
"title" : "JSON Configuration",
"propertyOrder" : 2,
"properties" : {
"elasticsearchCompatible" : {
"title" : "ElasticSearch JSON Format Compatible",
"description" : "JSON format should be transformed to be compatible with ElasticSearch format restrictions.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log JSON files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"rotationRetentionCheckInterval" : {
"title" : "File Rotation Retention Check Interval",
"description" : "Interval to check time-based file rotation policies, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
}
}
},
"jsonBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingMaxSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 100000)",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write interval",
"description" : "Interval at which buffered events are written to a file, in milliseconds.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
}
}
},
"jsonFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jsonFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
},
"jsonConfig" : {
"type" : "object",
"title" : "JSON Configuration",
"propertyOrder" : 2,
"properties" : {
"elasticsearchCompatible" : {
"title" : "ElasticSearch JSON Format Compatible",
"description" : "JSON format should be transformed to be compatible with ElasticSearch format restrictions.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log JSON files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"rotationRetentionCheckInterval" : {
"title" : "File Rotation Retention Check Interval",
"description" : "Interval to check time-based file rotation policies, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
}
}
},
"jsonBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingMaxSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 100000)",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write interval",
"description" : "Interval at which buffered events are written to a file, in milliseconds.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
}
}
},
"jsonFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jsonFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
},
"jsonConfig" : {
"type" : "object",
"title" : "JSON Configuration",
"propertyOrder" : 2,
"properties" : {
"elasticsearchCompatible" : {
"title" : "ElasticSearch JSON Format Compatible",
"description" : "JSON format should be transformed to be compatible with ElasticSearch format restrictions.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log JSON files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"rotationRetentionCheckInterval" : {
"title" : "File Rotation Retention Check Interval",
"description" : "Interval to check time-based file rotation policies, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
}
}
},
"jsonBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingMaxSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 100000)",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write interval",
"description" : "Interval at which buffered events are written to a file, in milliseconds.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
}
}
},
"jsonFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
}
}
}
/global-config/services/audit/Splunk
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
},
"splunkBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit events in the batch queue; additional events are dropped.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Interval at which buffered events are written to Splunk.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"required" : true,
"type" : "string"
}
}
},
"splunkConfig" : {
"type" : "object",
"title" : "Splunk Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server Port",
"description" : "Port number of Splunk server.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of Splunk server.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authzToken" : {
"title" : "Authorization Token",
"description" : "Authorization token used to connect to Splunk HTTP Event Collector endpoint.",
"required" : true,
"type" : "string"
},
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Use HTTPS protocol for communication with Splunk.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
},
"splunkBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit events in the batch queue; additional events are dropped.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Interval at which buffered events are written to Splunk.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"required" : true,
"type" : "string"
}
}
},
"splunkConfig" : {
"type" : "object",
"title" : "Splunk Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server Port",
"description" : "Port number of Splunk server.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of Splunk server.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authzToken" : {
"title" : "Authorization Token",
"description" : "Authorization token used to connect to Splunk HTTP Event Collector endpoint.",
"required" : true,
"type" : "string"
},
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Use HTTPS protocol for communication with Splunk.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
}
}
}
}
}
/global-config/services/audit/Splunk/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
},
"splunkBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit events in the batch queue; additional events are dropped.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Interval at which buffered events are written to Splunk.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"required" : true,
"type" : "string"
}
}
},
"splunkConfig" : {
"type" : "object",
"title" : "Splunk Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server Port",
"description" : "Port number of Splunk server.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of Splunk server.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authzToken" : {
"title" : "Authorization Token",
"description" : "Authorization token used to connect to Splunk HTTP Event Collector endpoint.",
"required" : true,
"type" : "string"
},
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Use HTTPS protocol for communication with Splunk.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
},
"splunkBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit events in the batch queue; additional events are dropped.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Interval at which buffered events are written to Splunk.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"required" : true,
"type" : "string"
}
}
},
"splunkConfig" : {
"type" : "object",
"title" : "Splunk Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server Port",
"description" : "Port number of Splunk server.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of Splunk server.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authzToken" : {
"title" : "Authorization Token",
"description" : "Authorization token used to connect to Splunk HTTP Event Collector endpoint.",
"required" : true,
"type" : "string"
},
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Use HTTPS protocol for communication with Splunk.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
},
"splunkBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit events in the batch queue; additional events are dropped.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Interval at which buffered events are written to Splunk.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"required" : true,
"type" : "string"
}
}
},
"splunkConfig" : {
"type" : "object",
"title" : "Splunk Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server Port",
"description" : "Port number of Splunk server.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of Splunk server.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authzToken" : {
"title" : "Authorization Token",
"description" : "Authorization token used to connect to Splunk HTTP Event Collector endpoint.",
"required" : true,
"type" : "string"
},
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Use HTTPS protocol for communication with Splunk.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
},
"splunkBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit events in the batch queue; additional events are dropped.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Interval at which buffered events are written to Splunk.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"required" : true,
"type" : "string"
}
}
},
"splunkConfig" : {
"type" : "object",
"title" : "Splunk Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server Port",
"description" : "Port number of Splunk server.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of Splunk server.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authzToken" : {
"title" : "Authorization Token",
"description" : "Authorization token used to connect to Splunk HTTP Event Collector endpoint.",
"required" : true,
"type" : "string"
},
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Use HTTPS protocol for communication with Splunk.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
}
}
}
}
}
/global-config/services/audit/Syslog
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"sysLogConfig" : {
"type" : "object",
"title" : "Syslog Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server port",
"description" : "Port number of receiving syslog server.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"transportProtocol" : {
"title" : "Transport Protocol",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server hostname",
"description" : "Host name or IP address of receiving syslog server.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"connectTimeout" : {
"title" : "Connection timeout",
"description" : "Timeout for connecting to syslog server, in seconds.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string"
},
"facility" : {
"title" : "Facility",
"description" : "Syslog facility value to apply to all events.",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
}
}
},
"sysLogBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"bufferingMaxSize" : {
"title" : "Buffer Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 5000)",
"propertyOrder" : 2950,
"required" : true,
"type" : "string"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"sysLogConfig" : {
"type" : "object",
"title" : "Syslog Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server port",
"description" : "Port number of receiving syslog server.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"transportProtocol" : {
"title" : "Transport Protocol",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server hostname",
"description" : "Host name or IP address of receiving syslog server.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"connectTimeout" : {
"title" : "Connection timeout",
"description" : "Timeout for connecting to syslog server, in seconds.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string"
},
"facility" : {
"title" : "Facility",
"description" : "Syslog facility value to apply to all events.",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
}
}
},
"sysLogBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"bufferingMaxSize" : {
"title" : "Buffer Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 5000)",
"propertyOrder" : 2950,
"required" : true,
"type" : "string"
}
}
}
}
}
/global-config/services/audit/Syslog/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"sysLogConfig" : {
"type" : "object",
"title" : "Syslog Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server port",
"description" : "Port number of receiving syslog server.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"transportProtocol" : {
"title" : "Transport Protocol",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server hostname",
"description" : "Host name or IP address of receiving syslog server.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"connectTimeout" : {
"title" : "Connection timeout",
"description" : "Timeout for connecting to syslog server, in seconds.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string"
},
"facility" : {
"title" : "Facility",
"description" : "Syslog facility value to apply to all events.",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
}
}
},
"sysLogBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"bufferingMaxSize" : {
"title" : "Buffer Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 5000)",
"propertyOrder" : 2950,
"required" : true,
"type" : "string"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"sysLogConfig" : {
"type" : "object",
"title" : "Syslog Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server port",
"description" : "Port number of receiving syslog server.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"transportProtocol" : {
"title" : "Transport Protocol",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server hostname",
"description" : "Host name or IP address of receiving syslog server.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"connectTimeout" : {
"title" : "Connection timeout",
"description" : "Timeout for connecting to syslog server, in seconds.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string"
},
"facility" : {
"title" : "Facility",
"description" : "Syslog facility value to apply to all events.",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
}
}
},
"sysLogBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"bufferingMaxSize" : {
"title" : "Buffer Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 5000)",
"propertyOrder" : 2950,
"required" : true,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"sysLogConfig" : {
"type" : "object",
"title" : "Syslog Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server port",
"description" : "Port number of receiving syslog server.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"transportProtocol" : {
"title" : "Transport Protocol",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server hostname",
"description" : "Host name or IP address of receiving syslog server.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"connectTimeout" : {
"title" : "Connection timeout",
"description" : "Timeout for connecting to syslog server, in seconds.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string"
},
"facility" : {
"title" : "Facility",
"description" : "Syslog facility value to apply to all events.",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
}
}
},
"sysLogBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"bufferingMaxSize" : {
"title" : "Buffer Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 5000)",
"propertyOrder" : 2950,
"required" : true,
"type" : "string"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"sysLogConfig" : {
"type" : "object",
"title" : "Syslog Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server port",
"description" : "Port number of receiving syslog server.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"transportProtocol" : {
"title" : "Transport Protocol",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server hostname",
"description" : "Host name or IP address of receiving syslog server.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"connectTimeout" : {
"title" : "Connection timeout",
"description" : "Timeout for connecting to syslog server, in seconds.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string"
},
"facility" : {
"title" : "Facility",
"description" : "Syslog facility value to apply to all events.",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
}
}
},
"sysLogBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"bufferingMaxSize" : {
"title" : "Buffer Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 5000)",
"propertyOrder" : 2950,
"required" : true,
"type" : "string"
}
}
}
}
}
/global-config/services/authenticatorOathService
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authenticatorOATHSkippableName" : {
"title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
"description" : "The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"oathAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : false,
"type" : "string",
"format" : "password"
},
"authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password will be encrypted.",
"propertyOrder" : 500,
"required" : false,
"type" : "string",
"format" : "password"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authenticatorOATHSkippableName" : {
"title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
"description" : "The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"oathAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : false,
"type" : "string",
"format" : "password"
},
"authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password will be encrypted.",
"propertyOrder" : 500,
"required" : false,
"type" : "string",
"format" : "password"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/authenticatorPushService
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authenticatorPushDeviceSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"authenticatorPushSkippableName" : {
"title" : "ForgeRock Authenticator (Push) Device Skippable Attribute Name",
"description" : "Name of the attribute on a user's profile used to store their selection of whether to skip ForgeRock Authenticator (Push) 2FA modules.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"pushAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"authenticatorPushDeviceSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"authenticatorPushSkippableName" : {
"title" : "ForgeRock Authenticator (Push) Device Skippable Attribute Name",
"description" : "Name of the attribute on a user's profile used to store their selection of whether to skip ForgeRock Authenticator (Push) 2FA modules.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"pushAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/baseurl
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"source" : {
"title" : "Base URL Source",
"description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"extensionClassName" : {
"title" : "Extension class name",
"description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"contextPath" : {
"title" : "Context path",
"description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"fixedValue" : {
"title" : "Fixed value base URL",
"description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"source" : {
"title" : "Base URL Source",
"description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"extensionClassName" : {
"title" : "Extension class name",
"description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"contextPath" : {
"title" : "Context path",
"description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"fixedValue" : {
"title" : "Fixed value base URL",
"description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/dashboard
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"assignedDashboard" : {
"title" : "Available Dashboard Apps",
"description" : "List of application dashboard names available by default for realms with the Dashboard service configured.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"assignedDashboard" : {
"title" : "Available Dashboard Apps",
"description" : "List of application dashboard names available by default for realms with the Dashboard service configured.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/dashboard/instances
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"displayName" : {
"title" : "Dashboard Display Name",
"description" : "The application name that displays on the dashboard client.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"icfIdentifier" : {
"title" : "ICF Identifier",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"icon" : {
"title" : "Dashboard Icon",
"description" : "The icon name that will be displayed on the dashboard client identifying the application.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"className" : {
"title" : "Dashboard Class Name",
"description" : "Identifies how to access the application, for example <code>SAML2ApplicationClass</code> for a SAML v2.0 application.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"login" : {
"title" : "Dashboard Login",
"description" : "The URL that takes the user to the application.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Dashboard Name",
"description" : "The application name as it will appear to the administrator for configuring the dashboard.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"displayName" : {
"title" : "Dashboard Display Name",
"description" : "The application name that displays on the dashboard client.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"icfIdentifier" : {
"title" : "ICF Identifier",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"icon" : {
"title" : "Dashboard Icon",
"description" : "The icon name that will be displayed on the dashboard client identifying the application.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"className" : {
"title" : "Dashboard Class Name",
"description" : "Identifies how to access the application, for example <code>SAML2ApplicationClass</code> for a SAML v2.0 application.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"login" : {
"title" : "Dashboard Login",
"description" : "The URL that takes the user to the application.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Dashboard Name",
"description" : "The application name as it will appear to the administrator for configuring the dashboard.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
/global-config/services/dashboard/instances/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"displayName" : {
"title" : "Dashboard Display Name",
"description" : "The application name that displays on the dashboard client.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"icfIdentifier" : {
"title" : "ICF Identifier",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"icon" : {
"title" : "Dashboard Icon",
"description" : "The icon name that will be displayed on the dashboard client identifying the application.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"className" : {
"title" : "Dashboard Class Name",
"description" : "Identifies how to access the application, for example <code>SAML2ApplicationClass</code> for a SAML v2.0 application.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"login" : {
"title" : "Dashboard Login",
"description" : "The URL that takes the user to the application.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Dashboard Name",
"description" : "The application name as it will appear to the administrator for configuring the dashboard.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"displayName" : {
"title" : "Dashboard Display Name",
"description" : "The application name that displays on the dashboard client.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"icfIdentifier" : {
"title" : "ICF Identifier",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"icon" : {
"title" : "Dashboard Icon",
"description" : "The icon name that will be displayed on the dashboard client identifying the application.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"className" : {
"title" : "Dashboard Class Name",
"description" : "Identifies how to access the application, for example <code>SAML2ApplicationClass</code> for a SAML v2.0 application.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"login" : {
"title" : "Dashboard Login",
"description" : "The URL that takes the user to the application.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Dashboard Name",
"description" : "The application name as it will appear to the administrator for configuring the dashboard.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"displayName" : {
"title" : "Dashboard Display Name",
"description" : "The application name that displays on the dashboard client.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"icfIdentifier" : {
"title" : "ICF Identifier",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"icon" : {
"title" : "Dashboard Icon",
"description" : "The icon name that will be displayed on the dashboard client identifying the application.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"className" : {
"title" : "Dashboard Class Name",
"description" : "Identifies how to access the application, for example <code>SAML2ApplicationClass</code> for a SAML v2.0 application.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"login" : {
"title" : "Dashboard Login",
"description" : "The URL that takes the user to the application.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Dashboard Name",
"description" : "The application name as it will appear to the administrator for configuring the dashboard.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"displayName" : {
"title" : "Dashboard Display Name",
"description" : "The application name that displays on the dashboard client.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"icfIdentifier" : {
"title" : "ICF Identifier",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"icon" : {
"title" : "Dashboard Icon",
"description" : "The icon name that will be displayed on the dashboard client identifying the application.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"className" : {
"title" : "Dashboard Class Name",
"description" : "Identifies how to access the application, for example <code>SAML2ApplicationClass</code> for a SAML v2.0 application.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"login" : {
"title" : "Dashboard Login",
"description" : "The URL that takes the user to the application.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Dashboard Name",
"description" : "The application name as it will appear to the administrator for configuring the dashboard.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
/global-config/services/deviceIdService
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"deviceIdSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
"propertyOrder" : 500,
"required" : false,
"type" : "string",
"format" : "password"
},
"deviceIdSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : false,
"type" : "string",
"format" : "password"
},
"deviceIdSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"deviceIdAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "The user's attribute in which to store Device ID profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device ID authentication module. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"deviceIdSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
"propertyOrder" : 500,
"required" : false,
"type" : "string",
"format" : "password"
},
"deviceIdSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : false,
"type" : "string",
"format" : "password"
},
"deviceIdSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"deviceIdAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "The user's attribute in which to store Device ID profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device ID authentication module. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/email
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"message" : {
"title" : "Email Content",
"description" : "Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"subject" : {
"title" : "Email Subject",
"description" : "Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"hostname" : {
"title" : "Mail Server Host Name",
"description" : "Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "smtp.example.com"
},
"sslState" : {
"title" : "Mail Server Secure Connection",
"description" : "Specifies whether to connect to the SMTP mail server using SSL.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"emailImplClassName" : {
"title" : "Email Message Implementation Class",
"description" : "Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"emailAddressAttribute" : {
"title" : "Email Attribute Name",
"description" : "Specifies the profile attribute from which to retrieve the end user's email address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "Specifies the password for the SMTP user name.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"from" : {
"title" : "Email From Address",
"description" : "Specifies the address from which to send email notifications.",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "no-reply@example.com"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "Specifies the user name for the SMTP mail server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string",
"exampleValue" : "username"
},
"port" : {
"title" : "Mail Server Host Port",
"description" : "Specifies the port number for the SMTP mail server.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"message" : {
"title" : "Email Content",
"description" : "Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"subject" : {
"title" : "Email Subject",
"description" : "Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"hostname" : {
"title" : "Mail Server Host Name",
"description" : "Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "smtp.example.com"
},
"sslState" : {
"title" : "Mail Server Secure Connection",
"description" : "Specifies whether to connect to the SMTP mail server using SSL.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"emailImplClassName" : {
"title" : "Email Message Implementation Class",
"description" : "Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"emailAddressAttribute" : {
"title" : "Email Attribute Name",
"description" : "Specifies the profile attribute from which to retrieve the end user's email address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "Specifies the password for the SMTP user name.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"from" : {
"title" : "Email From Address",
"description" : "Specifies the address from which to send email notifications.",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "no-reply@example.com"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "Specifies the user name for the SMTP mail server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string",
"exampleValue" : "username"
},
"port" : {
"title" : "Mail Server Host Port",
"description" : "Specifies the port number for the SMTP mail server.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/federation/common
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"implementationClasses" : {
"type" : "object",
"title" : "Implementation Classes",
"propertyOrder" : 1,
"properties" : {
"keyProviderClass" : {
"title" : "KeyProvider SPI implementation class",
"description" : "The Federation system uses this class to provide access to the underlying Java keystore.<br><br>The default implementation uses the Java Cryptographic Engine to provide access to the Java keystore. A custom implementation must implement the <code>com.sun.identity.saml.xmlsig.KeyProvider</code> interface.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"sessionProviderClass" : {
"title" : "SessionProvider SPI implementation class",
"description" : "The Federation system uses this class to interface with the session service.<br><br>The default implementation uses the standard authentication and SSO APIs to access the session service. A custom implementation must implement the <code>com.sun.identity.plugin.session.SessionProvider</code> interface.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"signatureProviderClass" : {
"title" : "SignatureProvider SPI implementation class",
"description" : "The Federation system uses this class to digitally sign SAML documents.<br><br>The default implementation uses the XERCES APIs to sign the documents. A custom implementation must implement the <code>com.sun.identity.saml.xmlsig.SignatureProvider</code> interface.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"configurationClass" : {
"title" : "ConfigurationInstance SPI implementation class",
"description" : "The Federation system uses this class to fetch service configuration.<br><br>The default implementation uses the SMS APIs to access service configuration. A custom implementation must implement the <code>com.sun.identity.plugin.configuration.ConfigurationInstance</code> interface.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"datastoreClass" : {
"title" : "Datastore SPI implementation class",
"description" : "The Federation system uses this class to get/set user profile attributes.<br><br>The default implementation uses the Identity repository APIs to access user profile attributes. A custom implementation must implement the <code>com.sun.identity.plugin.datastore.DataStoreProvider</code> interface. ",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"loggerClass" : {
"title" : "Logger SPI implementation class",
"description" : "The Federation system uses this class to record log entries.<br><br>The default implementation uses the Logging APIs to record log entries. A custom implementation must implement the <code>com.sun.identity.plugin.log.Logger</code> interface.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"passwordDecoderClass" : {
"title" : "PasswordDecoder SPI implementation class",
"description" : "The Federation system uses this class to decode password encoded by OpenAM.<br><br>The default implementation uses the internal OpenAM decryption API to decode passwords. A custom implementation must implement the <code>com.sun.identity.saml.xmlsig.PasswordDecoder</code> interface.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
}
}
},
"montoring" : {
"type" : "object",
"title" : "Monitoring",
"propertyOrder" : 3,
"properties" : {
"monitoringSaml2Class" : {
"title" : "Monitoring Provider Class for SAML2",
"description" : "The SAML2 engine uses this class to gain access to the monitoring system.<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonSAML2Svc</code> interface.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"monitoringSaml1Class" : {
"title" : "Monitoring Provider Class for SAML1",
"description" : "The SAMLv1 engine uses this class to gain access to the monitoring system<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonSAML1Svc</code> interface.",
"propertyOrder" : 2000,
"required" : true,
"type" : "string"
},
"monitoringIdffClass" : {
"title" : "Monitoring Provider Class for ID-FF",
"description" : "The ID-FF engine uses this class to gain access to the monitoring system.<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonIDFFSvc</code> interface.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"monitoringAgentClass" : {
"title" : "Monitoring Agent Provider Class",
"description" : "The Federation system uses this class to gain access to the monitoring system.<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonAgent</code> interface.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
},
"generalConfig" : {
"type" : "object",
"title" : "General Configuration",
"propertyOrder" : 0,
"properties" : {
"samlErrorPageHttpBinding" : {
"title" : "SAML Error Page HTTP Binding",
"description" : "The possible values are HTTP-Redirect or HTTP-POST.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"maxContentLength" : {
"title" : "Maximum allowed content length",
"description" : "The maximum content length allowed in federation communications, in bytes.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"certificateChecking" : {
"title" : "Check presence of certificates",
"description" : "Enable checking of certificates against local copy<br><br>Whether to verify that the partner's signing certificate included in the Federation XML document is the same as the one stored in the said partner's meta data.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"samlErrorPageUrl" : {
"title" : "SAML Error Page URL",
"description" : "OpenAM redirects users here when an error occurs in the SAML2 engine.<br><br>Both relative and absolute URLs are supported. Users are redirected to an absolute URL using the configured HTTP Binding whereas relative URLs are displayed within the request.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"algorithms" : {
"type" : "object",
"title" : "Algorithms",
"propertyOrder" : 2,
"properties" : {
"QuerySignatureAlgorithmDSA" : {
"title" : "Query String signature algorithm (DSA)",
"description" : "The default signature algorithm to use in case of DSA keys.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"DigestAlgorithm" : {
"title" : "XML digest algorithm",
"description" : "The default digest algorithm to use in signing XML.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"canonicalizationAlgorithm" : {
"title" : "XML canonicalization algorithm",
"description" : "The algorithm used to canonicalize XML documents.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"QuerySignatureAlgorithmRSA" : {
"title" : "Query String signature algorithm (RSA)",
"description" : "The default signature algorithm to use in case of RSA keys.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"signatureAlgorithm" : {
"title" : "XML signature algorithm",
"description" : "The algorithm used to sign XML documents.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"transformationAlgorithm" : {
"title" : "XML transformation algorithm",
"description" : "The algorithm used to transform XML documents.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"QuerySignatureAlgorithmEC" : {
"title" : "Query String signature algorithm (EC)",
"description" : "The default signature algorithm to use in case of EC keys.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"implementationClasses" : {
"type" : "object",
"title" : "Implementation Classes",
"propertyOrder" : 1,
"properties" : {
"keyProviderClass" : {
"title" : "KeyProvider SPI implementation class",
"description" : "The Federation system uses this class to provide access to the underlying Java keystore.<br><br>The default implementation uses the Java Cryptographic Engine to provide access to the Java keystore. A custom implementation must implement the <code>com.sun.identity.saml.xmlsig.KeyProvider</code> interface.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"sessionProviderClass" : {
"title" : "SessionProvider SPI implementation class",
"description" : "The Federation system uses this class to interface with the session service.<br><br>The default implementation uses the standard authentication and SSO APIs to access the session service. A custom implementation must implement the <code>com.sun.identity.plugin.session.SessionProvider</code> interface.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"signatureProviderClass" : {
"title" : "SignatureProvider SPI implementation class",
"description" : "The Federation system uses this class to digitally sign SAML documents.<br><br>The default implementation uses the XERCES APIs to sign the documents. A custom implementation must implement the <code>com.sun.identity.saml.xmlsig.SignatureProvider</code> interface.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"configurationClass" : {
"title" : "ConfigurationInstance SPI implementation class",
"description" : "The Federation system uses this class to fetch service configuration.<br><br>The default implementation uses the SMS APIs to access service configuration. A custom implementation must implement the <code>com.sun.identity.plugin.configuration.ConfigurationInstance</code> interface.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"datastoreClass" : {
"title" : "Datastore SPI implementation class",
"description" : "The Federation system uses this class to get/set user profile attributes.<br><br>The default implementation uses the Identity repository APIs to access user profile attributes. A custom implementation must implement the <code>com.sun.identity.plugin.datastore.DataStoreProvider</code> interface. ",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"loggerClass" : {
"title" : "Logger SPI implementation class",
"description" : "The Federation system uses this class to record log entries.<br><br>The default implementation uses the Logging APIs to record log entries. A custom implementation must implement the <code>com.sun.identity.plugin.log.Logger</code> interface.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"passwordDecoderClass" : {
"title" : "PasswordDecoder SPI implementation class",
"description" : "The Federation system uses this class to decode password encoded by OpenAM.<br><br>The default implementation uses the internal OpenAM decryption API to decode passwords. A custom implementation must implement the <code>com.sun.identity.saml.xmlsig.PasswordDecoder</code> interface.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
}
}
},
"montoring" : {
"type" : "object",
"title" : "Monitoring",
"propertyOrder" : 3,
"properties" : {
"monitoringSaml2Class" : {
"title" : "Monitoring Provider Class for SAML2",
"description" : "The SAML2 engine uses this class to gain access to the monitoring system.<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonSAML2Svc</code> interface.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"monitoringSaml1Class" : {
"title" : "Monitoring Provider Class for SAML1",
"description" : "The SAMLv1 engine uses this class to gain access to the monitoring system<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonSAML1Svc</code> interface.",
"propertyOrder" : 2000,
"required" : true,
"type" : "string"
},
"monitoringIdffClass" : {
"title" : "Monitoring Provider Class for ID-FF",
"description" : "The ID-FF engine uses this class to gain access to the monitoring system.<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonIDFFSvc</code> interface.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"monitoringAgentClass" : {
"title" : "Monitoring Agent Provider Class",
"description" : "The Federation system uses this class to gain access to the monitoring system.<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonAgent</code> interface.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
},
"generalConfig" : {
"type" : "object",
"title" : "General Configuration",
"propertyOrder" : 0,
"properties" : {
"samlErrorPageHttpBinding" : {
"title" : "SAML Error Page HTTP Binding",
"description" : "The possible values are HTTP-Redirect or HTTP-POST.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"maxContentLength" : {
"title" : "Maximum allowed content length",
"description" : "The maximum content length allowed in federation communications, in bytes.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"certificateChecking" : {
"title" : "Check presence of certificates",
"description" : "Enable checking of certificates against local copy<br><br>Whether to verify that the partner's signing certificate included in the Federation XML document is the same as the one stored in the said partner's meta data.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"samlErrorPageUrl" : {
"title" : "SAML Error Page URL",
"description" : "OpenAM redirects users here when an error occurs in the SAML2 engine.<br><br>Both relative and absolute URLs are supported. Users are redirected to an absolute URL using the configured HTTP Binding whereas relative URLs are displayed within the request.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"algorithms" : {
"type" : "object",
"title" : "Algorithms",
"propertyOrder" : 2,
"properties" : {
"QuerySignatureAlgorithmDSA" : {
"title" : "Query String signature algorithm (DSA)",
"description" : "The default signature algorithm to use in case of DSA keys.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"DigestAlgorithm" : {
"title" : "XML digest algorithm",
"description" : "The default digest algorithm to use in signing XML.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"canonicalizationAlgorithm" : {
"title" : "XML canonicalization algorithm",
"description" : "The algorithm used to canonicalize XML documents.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"QuerySignatureAlgorithmRSA" : {
"title" : "Query String signature algorithm (RSA)",
"description" : "The default signature algorithm to use in case of RSA keys.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"signatureAlgorithm" : {
"title" : "XML signature algorithm",
"description" : "The algorithm used to sign XML documents.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"transformationAlgorithm" : {
"title" : "XML transformation algorithm",
"description" : "The algorithm used to transform XML documents.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"QuerySignatureAlgorithmEC" : {
"title" : "Query String signature algorithm (EC)",
"description" : "The default signature algorithm to use in case of EC keys.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/federation/multi
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"singleLogoutHandlerList" : {
"title" : "Single Logout Handler List",
"description" : "List of Logout handlers for each supported federation protocol<br><br>The multi-federation protocol engine supports Single Logout. Each federation protocol requires a different single logout handler. Logout handler must implement the <code>com.sun.identity.multiprotocol.SingleLogoutHandler</code> interface.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"singleLogoutHandlerList" : {
"title" : "Single Logout Handler List",
"description" : "List of Logout handlers for each supported federation protocol<br><br>The multi-federation protocol engine supports Single Logout. Each federation protocol requires a different single logout handler. Logout handler must implement the <code>com.sun.identity.multiprotocol.SingleLogoutHandler</code> interface.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/federation/saml2soapbinding
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"requestHandlers" : {
"title" : "Request Handler List",
"description" : "List of handlers to deal with SAML v2.0 requests bound to SOAP. <p><p>The required format is: <code>key=<em>Meta Alias</em>|class=<em>Handler Class</em></code> <p><p>Set the <em>key</em> property for a request handler to the meta alias, and the <em>class</em> property to the name of the class that implements the handler.<p><p> For example: <code>key=/pdp|class=com.sun.identity.xacml.plugins.XACMLAuthzDecisionQueryHandler</code>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"requestHandlers" : {
"title" : "Request Handler List",
"description" : "List of handlers to deal with SAML v2.0 requests bound to SOAP. <p><p>The required format is: <code>key=<em>Meta Alias</em>|class=<em>Handler Class</em></code> <p><p>Set the <em>key</em> property for a request handler to the meta alias, and the <em>class</em> property to the name of the class that implements the handler.<p><p> For example: <code>key=/pdp|class=com.sun.identity.xacml.plugins.XACMLAuthzDecisionQueryHandler</code>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/globalization
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"charsetMappings" : {
"title" : "Charsets Supported by Each Locale",
"description" : "This table lets you configure the order of supported character sets used for each supported locale. Change the settings only if the defaults are not appropriate.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-identity-g11n-settings-charset-alias-mapping" : {
"title" : "Charset Aliases",
"description" : "Use this list to map between different character set names used in Java and in MIME.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaults" : {
"properties" : {
"commonNameFormats" : {
"title" : "Auto Generated Common Name Format",
"description" : "Use this list to configure how OpenAM formats names shown in the console banner.<br><br>This setting allows the name of the authenticated user shown in the OpenAM console banner to be customised based on the locale of the user.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"charsetMappings" : {
"title" : "Charsets Supported by Each Locale",
"description" : "This table lets you configure the order of supported character sets used for each supported locale. Change the settings only if the defaults are not appropriate.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-identity-g11n-settings-charset-alias-mapping" : {
"title" : "Charset Aliases",
"description" : "Use this list to map between different character set names used in Java and in MIME.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaults" : {
"properties" : {
"commonNameFormats" : {
"title" : "Auto Generated Common Name Format",
"description" : "Use this list to configure how OpenAM formats names shown in the console banner.<br><br>This setting allows the name of the authenticated user shown in the OpenAM console banner to be customised based on the locale of the user.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/id-repositories
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"sunIdRepoAttributeCombiner" : {
"title" : "Attribute Combiner plug-in",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"sunIdRepoAttributeValidator" : {
"title" : "Attribute Validator Plug-in",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"sunIdRepoAttributeCombiner" : {
"title" : "Attribute Combiner plug-in",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"sunIdRepoAttributeValidator" : {
"title" : "Attribute Validator Plug-in",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/id-repositories/SupportedIdentities
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/id-repositories/SupportedIdentities/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object"
}
/global-config/services/id-repositories/user
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"telephoneNumber" : {
"title" : "Telephone Number",
"propertyOrder" : 9700,
"required" : false,
"type" : "string"
},
"dn" : {
"title" : "DN",
"propertyOrder" : 9300,
"required" : false,
"type" : "string"
},
"inetUserStatus" : {
"title" : "User Status",
"propertyOrder" : 9900,
"required" : true,
"type" : "string"
},
"cn" : {
"title" : "Full Name",
"propertyOrder" : 9200,
"required" : false,
"type" : "string"
},
"employeeNumber" : {
"title" : "Employee Number",
"propertyOrder" : 9600,
"required" : false,
"type" : "string"
},
"iplanet-am-user-failure-url" : {
"title" : "Failure URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 10200,
"required" : false,
"type" : "string"
},
"iplanet-am-user-alias-list" : {
"title" : "User Alias List",
"propertyOrder" : 10000,
"required" : false,
"type" : "string"
},
"mail" : {
"title" : "Email Address",
"propertyOrder" : 9500,
"required" : false,
"type" : "string"
},
"postalAddress" : {
"title" : "Home Address",
"propertyOrder" : 9800,
"required" : false,
"type" : "string"
},
"sunIdentityMSISDNNumber" : {
"title" : "MSISDN Number",
"propertyOrder" : 10300,
"required" : false,
"type" : "string"
},
"userPassword" : {
"title" : "Password",
"propertyOrder" : 9400,
"required" : true,
"type" : "string",
"format" : "password"
},
"givenName" : {
"title" : "First Name",
"propertyOrder" : 9000,
"required" : false,
"type" : "string"
},
"iplanet-am-user-success-url" : {
"title" : "Success URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 10100,
"required" : false,
"type" : "string"
},
"sn" : {
"title" : "Last Name",
"propertyOrder" : 9100,
"required" : false,
"type" : "string"
},
"roles" : {
"title" : "Roles",
"propertyOrder" : 10400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"telephoneNumber" : {
"title" : "Telephone Number",
"propertyOrder" : 9700,
"required" : false,
"type" : "string"
},
"dn" : {
"title" : "DN",
"propertyOrder" : 9300,
"required" : false,
"type" : "string"
},
"inetUserStatus" : {
"title" : "User Status",
"propertyOrder" : 9900,
"required" : true,
"type" : "string"
},
"cn" : {
"title" : "Full Name",
"propertyOrder" : 9200,
"required" : false,
"type" : "string"
},
"employeeNumber" : {
"title" : "Employee Number",
"propertyOrder" : 9600,
"required" : false,
"type" : "string"
},
"iplanet-am-user-failure-url" : {
"title" : "Failure URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 10200,
"required" : false,
"type" : "string"
},
"iplanet-am-user-alias-list" : {
"title" : "User Alias List",
"propertyOrder" : 10000,
"required" : false,
"type" : "string"
},
"mail" : {
"title" : "Email Address",
"propertyOrder" : 9500,
"required" : false,
"type" : "string"
},
"postalAddress" : {
"title" : "Home Address",
"propertyOrder" : 9800,
"required" : false,
"type" : "string"
},
"sunIdentityMSISDNNumber" : {
"title" : "MSISDN Number",
"propertyOrder" : 10300,
"required" : false,
"type" : "string"
},
"userPassword" : {
"title" : "Password",
"propertyOrder" : 9400,
"required" : true,
"type" : "string",
"format" : "password"
},
"givenName" : {
"title" : "First Name",
"propertyOrder" : 9000,
"required" : false,
"type" : "string"
},
"iplanet-am-user-success-url" : {
"title" : "Success URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 10100,
"required" : false,
"type" : "string"
},
"sn" : {
"title" : "Last Name",
"propertyOrder" : 9100,
"required" : false,
"type" : "string"
},
"roles" : {
"title" : "Roles",
"propertyOrder" : 10400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
/global-config/services/id-repositories/user/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"telephoneNumber" : {
"title" : "Telephone Number",
"propertyOrder" : 9700,
"required" : false,
"type" : "string"
},
"dn" : {
"title" : "DN",
"propertyOrder" : 9300,
"required" : false,
"type" : "string"
},
"inetUserStatus" : {
"title" : "User Status",
"propertyOrder" : 9900,
"required" : true,
"type" : "string"
},
"cn" : {
"title" : "Full Name",
"propertyOrder" : 9200,
"required" : false,
"type" : "string"
},
"employeeNumber" : {
"title" : "Employee Number",
"propertyOrder" : 9600,
"required" : false,
"type" : "string"
},
"iplanet-am-user-failure-url" : {
"title" : "Failure URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 10200,
"required" : false,
"type" : "string"
},
"iplanet-am-user-alias-list" : {
"title" : "User Alias List",
"propertyOrder" : 10000,
"required" : false,
"type" : "string"
},
"mail" : {
"title" : "Email Address",
"propertyOrder" : 9500,
"required" : false,
"type" : "string"
},
"postalAddress" : {
"title" : "Home Address",
"propertyOrder" : 9800,
"required" : false,
"type" : "string"
},
"sunIdentityMSISDNNumber" : {
"title" : "MSISDN Number",
"propertyOrder" : 10300,
"required" : false,
"type" : "string"
},
"userPassword" : {
"title" : "Password",
"propertyOrder" : 9400,
"required" : true,
"type" : "string",
"format" : "password"
},
"givenName" : {
"title" : "First Name",
"propertyOrder" : 9000,
"required" : false,
"type" : "string"
},
"iplanet-am-user-success-url" : {
"title" : "Success URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 10100,
"required" : false,
"type" : "string"
},
"sn" : {
"title" : "Last Name",
"propertyOrder" : 9100,
"required" : false,
"type" : "string"
},
"roles" : {
"title" : "Roles",
"propertyOrder" : 10400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"telephoneNumber" : {
"title" : "Telephone Number",
"propertyOrder" : 9700,
"required" : false,
"type" : "string"
},
"dn" : {
"title" : "DN",
"propertyOrder" : 9300,
"required" : false,
"type" : "string"
},
"inetUserStatus" : {
"title" : "User Status",
"propertyOrder" : 9900,
"required" : true,
"type" : "string"
},
"cn" : {
"title" : "Full Name",
"propertyOrder" : 9200,
"required" : false,
"type" : "string"
},
"employeeNumber" : {
"title" : "Employee Number",
"propertyOrder" : 9600,
"required" : false,
"type" : "string"
},
"iplanet-am-user-failure-url" : {
"title" : "Failure URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 10200,
"required" : false,
"type" : "string"
},
"iplanet-am-user-alias-list" : {
"title" : "User Alias List",
"propertyOrder" : 10000,
"required" : false,
"type" : "string"
},
"mail" : {
"title" : "Email Address",
"propertyOrder" : 9500,
"required" : false,
"type" : "string"
},
"postalAddress" : {
"title" : "Home Address",
"propertyOrder" : 9800,
"required" : false,
"type" : "string"
},
"sunIdentityMSISDNNumber" : {
"title" : "MSISDN Number",
"propertyOrder" : 10300,
"required" : false,
"type" : "string"
},
"userPassword" : {
"title" : "Password",
"propertyOrder" : 9400,
"required" : true,
"type" : "string",
"format" : "password"
},
"givenName" : {
"title" : "First Name",
"propertyOrder" : 9000,
"required" : false,
"type" : "string"
},
"iplanet-am-user-success-url" : {
"title" : "Success URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 10100,
"required" : false,
"type" : "string"
},
"sn" : {
"title" : "Last Name",
"propertyOrder" : 9100,
"required" : false,
"type" : "string"
},
"roles" : {
"title" : "Roles",
"propertyOrder" : 10400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"telephoneNumber" : {
"title" : "Telephone Number",
"propertyOrder" : 9700,
"required" : false,
"type" : "string"
},
"dn" : {
"title" : "DN",
"propertyOrder" : 9300,
"required" : false,
"type" : "string"
},
"inetUserStatus" : {
"title" : "User Status",
"propertyOrder" : 9900,
"required" : true,
"type" : "string"
},
"cn" : {
"title" : "Full Name",
"propertyOrder" : 9200,
"required" : false,
"type" : "string"
},
"employeeNumber" : {
"title" : "Employee Number",
"propertyOrder" : 9600,
"required" : false,
"type" : "string"
},
"iplanet-am-user-failure-url" : {
"title" : "Failure URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 10200,
"required" : false,
"type" : "string"
},
"iplanet-am-user-alias-list" : {
"title" : "User Alias List",
"propertyOrder" : 10000,
"required" : false,
"type" : "string"
},
"mail" : {
"title" : "Email Address",
"propertyOrder" : 9500,
"required" : false,
"type" : "string"
},
"postalAddress" : {
"title" : "Home Address",
"propertyOrder" : 9800,
"required" : false,
"type" : "string"
},
"sunIdentityMSISDNNumber" : {
"title" : "MSISDN Number",
"propertyOrder" : 10300,
"required" : false,
"type" : "string"
},
"userPassword" : {
"title" : "Password",
"propertyOrder" : 9400,
"required" : true,
"type" : "string",
"format" : "password"
},
"givenName" : {
"title" : "First Name",
"propertyOrder" : 9000,
"required" : false,
"type" : "string"
},
"iplanet-am-user-success-url" : {
"title" : "Success URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 10100,
"required" : false,
"type" : "string"
},
"sn" : {
"title" : "Last Name",
"propertyOrder" : 9100,
"required" : false,
"type" : "string"
},
"roles" : {
"title" : "Roles",
"propertyOrder" : 10400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"telephoneNumber" : {
"title" : "Telephone Number",
"propertyOrder" : 9700,
"required" : false,
"type" : "string"
},
"dn" : {
"title" : "DN",
"propertyOrder" : 9300,
"required" : false,
"type" : "string"
},
"inetUserStatus" : {
"title" : "User Status",
"propertyOrder" : 9900,
"required" : true,
"type" : "string"
},
"cn" : {
"title" : "Full Name",
"propertyOrder" : 9200,
"required" : false,
"type" : "string"
},
"employeeNumber" : {
"title" : "Employee Number",
"propertyOrder" : 9600,
"required" : false,
"type" : "string"
},
"iplanet-am-user-failure-url" : {
"title" : "Failure URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 10200,
"required" : false,
"type" : "string"
},
"iplanet-am-user-alias-list" : {
"title" : "User Alias List",
"propertyOrder" : 10000,
"required" : false,
"type" : "string"
},
"mail" : {
"title" : "Email Address",
"propertyOrder" : 9500,
"required" : false,
"type" : "string"
},
"postalAddress" : {
"title" : "Home Address",
"propertyOrder" : 9800,
"required" : false,
"type" : "string"
},
"sunIdentityMSISDNNumber" : {
"title" : "MSISDN Number",
"propertyOrder" : 10300,
"required" : false,
"type" : "string"
},
"userPassword" : {
"title" : "Password",
"propertyOrder" : 9400,
"required" : true,
"type" : "string",
"format" : "password"
},
"givenName" : {
"title" : "First Name",
"propertyOrder" : 9000,
"required" : false,
"type" : "string"
},
"iplanet-am-user-success-url" : {
"title" : "Success URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 10100,
"required" : false,
"type" : "string"
},
"sn" : {
"title" : "Last Name",
"propertyOrder" : 9100,
"required" : false,
"type" : "string"
},
"roles" : {
"title" : "Roles",
"propertyOrder" : 10400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
/global-config/services/idm-integration
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"provisioningEncryptionKeyAlias" : {
"title" : "Encryption Key Alias",
"description" : "Alias of the encryption asymmetric key in AM's default keystore. Must be a duplicate of the asymmetric key used by IDM.",
"propertyOrder" : 2250,
"required" : true,
"type" : "string"
},
"idmDeploymentUrl" : {
"title" : "Deployment URL",
"description" : "URL of the IDM deployment.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string",
"exampleValue" : "https://openidm.example.com"
},
"provisioningSigningAlgorithm" : {
"title" : "Signing Algorithm",
"description" : "JWT signing algorithm.",
"propertyOrder" : 2260,
"required" : true,
"type" : "string"
},
"provisioningSigningKeyAlias" : {
"title" : "Signing Key Alias",
"description" : "Alias of the signing symmetric key in AM's default keystore. Must be a duplicate of the symmetric key used by IDM.",
"propertyOrder" : 2240,
"required" : true,
"type" : "string"
},
"provisioningEncryptionAlgorithm" : {
"title" : "Encryption Algorithm",
"description" : "JWT encryption algorithm.",
"propertyOrder" : 2270,
"required" : true,
"type" : "string"
},
"provisioningEncryptionMethod" : {
"title" : "Encryption Method",
"description" : "JWT encryption method.",
"propertyOrder" : 2280,
"required" : true,
"type" : "string"
},
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"provisioningEncryptionKeyAlias" : {
"title" : "Encryption Key Alias",
"description" : "Alias of the encryption asymmetric key in AM's default keystore. Must be a duplicate of the asymmetric key used by IDM.",
"propertyOrder" : 2250,
"required" : true,
"type" : "string"
},
"idmDeploymentUrl" : {
"title" : "Deployment URL",
"description" : "URL of the IDM deployment.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string",
"exampleValue" : "https://openidm.example.com"
},
"provisioningSigningAlgorithm" : {
"title" : "Signing Algorithm",
"description" : "JWT signing algorithm.",
"propertyOrder" : 2260,
"required" : true,
"type" : "string"
},
"provisioningSigningKeyAlias" : {
"title" : "Signing Key Alias",
"description" : "Alias of the signing symmetric key in AM's default keystore. Must be a duplicate of the symmetric key used by IDM.",
"propertyOrder" : 2240,
"required" : true,
"type" : "string"
},
"provisioningEncryptionAlgorithm" : {
"title" : "Encryption Algorithm",
"description" : "JWT encryption algorithm.",
"propertyOrder" : 2270,
"required" : true,
"type" : "string"
},
"provisioningEncryptionMethod" : {
"title" : "Encryption Method",
"description" : "JWT encryption method.",
"propertyOrder" : 2280,
"required" : true,
"type" : "string"
},
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/logging
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"file" : {
"type" : "object",
"title" : "File",
"propertyOrder" : 1,
"properties" : {
"suffix" : {
"title" : "Logfile Rotation Suffix",
"description" : "The name of the log files will be suffixed with the supplied value.<br><br>This field defines the log file suffix. If no suffix is provided, then the following default suffix format will be used: <code>-MM.dd.yy-kk.mm</code>. The suffix allows use of Date and Time patterns defined in <a href=\"http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html\"><code>SimpleDateFormat</code></a><p><p><i>Note:</i> This field is only used if the time based rotation is enabled.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"prefix" : {
"title" : "Logfile Rotation Prefix",
"description" : "The name of the log files will be prefixed with the supplied value.<br><br>This field defines the log file prefix. The prefix will be added to the name of all logfiles.<br/><br/><i>Note:</i> Only used when time-based log rotation is enabled.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"location" : {
"title" : "Log File Location",
"description" : "The path to the location of the log files<br><br>This property controls the location of the log files; the value of this property varies on whether File or DB logging is in use:<p><ul><li>File: The full pathname to the directory containing the log files.</li><li>DB: The JDBC URL to the database used to store the log file database.</li></ul>",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationInterval" : {
"title" : "Logfile Rotation Interval",
"description" : "The rotation interval (in minutes).<br><br>The rotation interval determines the frequency of when the log files will be rotated. If the value is <code>-1</code>, then time based rotation is disabled and log file size based rotation is enabled.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"rotationEnabled" : {
"title" : "Log Rotation",
"description" : "Enable log rotation to cause new log files to be created when configured thresholds are reached, such as <i>Maximum Log Size</i> or <i>Logfile Rotation Interval</i>.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"numberHistoryFiles" : {
"title" : "Number of History Files",
"description" : "Sets the number of history files for each log that OpenAM keeps, including time-based histories.<p><p>The previously live file is moved and is included in the history count, and a new log is created to serve as the live log file. Any log file in the history count that goes over the number specified here will be deleted.<p><p>For time-based logs, a new set of logs will be created when OpenAM is started because of the time-based file names that are used.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"maxFileSize" : {
"title" : "Maximum Log Size",
"description" : "Maximum size of a log file, in bytes.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
},
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"buffering" : {
"title" : "Time Buffering",
"description" : "Enable or Disable log buffering<br><br>When enabled OpenAM holds all log records in a memory buffer that it periodically flush to the repository. The period is set in the <i>Buffer Time</i> property.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"bufferSize" : {
"title" : "Buffer Size",
"description" : "The number of log records held in memory before the log records will be flushed to the logfile or the database.",
"propertyOrder" : 2700,
"required" : true,
"type" : "integer"
},
"type" : {
"title" : "Logging Type",
"description" : "Specifies whether to log to a database, Syslog, or to the filing system.<br><br>If you choose database then be sure to set the connection attributes correctly, including the JDBC driver to use.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"fields" : {
"title" : "Configurable Log Fields",
"description" : "Controls the fields that are logged by OpenAM.<br><br>This property is the list of fields that are logged by default. Administrators can choose to limit the information logged by OpenAM.",
"propertyOrder" : 1900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"status" : {
"title" : "Log Status",
"description" : "Enable the OpenAM logging system.<p><p>OpenAM supports two Audit Logging Services: the legacy Logging Service, which is based on a Java SDK and is available in OpenAM versions prior to OpenAM 13.5, and a new common REST-based Audit Logging Service available from OpenAM 13.5.<p><p>The legacy Logging Service will be deprecated in a future release.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"bufferTime" : {
"title" : "Buffer Time",
"description" : "The maximum time (in seconds) OpenAM will hold log records in memory before flushing to the underlying repository.",
"propertyOrder" : 2900,
"required" : true,
"type" : "integer"
},
"filesPerKeystore" : {
"title" : "Number of Files per Archive",
"description" : "Controls the number of logs files that will be archived by the secure logging system.",
"propertyOrder" : 2600,
"required" : true,
"type" : "integer"
},
"verifyPeriod" : {
"title" : "Log Verification Frequency",
"description" : "The frequency (in seconds) that OpenAM verifies security of the log files.<br><br>When secure logging is enabled, this is the period that OpenAM will check the integrity of the log files.",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"certificateStore" : {
"title" : "Logging Certificate Store Location",
"description" : "The path to the Java keystore containing the logging system certificate.<br><br>The secure logging system will use the certificate alias of <code>Logger</code> to locate the certificate in the specified keystore.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"signaturePeriod" : {
"title" : "Log Signature Time",
"description" : "The frequency (in seconds) that OpenAM will digitally sign the log records.<br><br>When secure logging is enabled, this is the period that OpenAM will digitally signed the contents of the log files. The log signatures form the basis of the log file integrity checking.",
"propertyOrder" : 2100,
"required" : true,
"type" : "integer"
},
"resolveHostName" : {
"title" : "Log Record Resolve Host Name",
"description" : "Enable this to have OpenAM perform a DNS host lookup to populate the host name field for log records.<br><br><i>Note:</i> Enabling this functionality will increase the load of the logging system and the OpenAM host must have DNS configured. ",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"signingAlgorithm" : {
"title" : "Secure Logging Signing Algorithm ",
"description" : "Determines the algorithm used to digitally sign the log records.",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"jdkLoggingLevel" : {
"title" : "Logging Level",
"description" : "Control the level of JDK logging within OpenAM. ",
"propertyOrder" : 3100,
"required" : true,
"type" : "string"
},
"security" : {
"title" : "Secure Logging",
"description" : "Enable or Disable secure logging.<br><br>Enabling this setting will cause OpenAM to digitally sign and verify the contents of the log files to help prevent and detect log file tampering. A certificate must be configured for this functionality to be enabled. ",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
}
}
},
"database" : {
"type" : "object",
"title" : "Database",
"propertyOrder" : 2,
"properties" : {
"password" : {
"title" : "Database User Password",
"description" : "When logging to a database, set this to the password used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string",
"format" : "password"
},
"user" : {
"title" : "Database User Name",
"description" : "When logging to a database, set this to the user name used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"driver" : {
"title" : "Database Driver Name",
"description" : "When logging to a database, set this to the class name of the JDBC driver used to connect to the database.<br><br>The default is for Oracle. OpenAM also works with the MySQL database driver.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"databaseFailureMemoryBufferSize" : {
"title" : "DB Failure Memory Buffer Size",
"description" : "Max number of log records held in memory if DB logging fails.<br><br>This is the maximum number of log records that will be held in memory if the database is unavailable. When the buffer is full, new log records cause the oldest record in the buffer to be cleared. OpenAM monitoring records the number of log entries cleared when the database was unavailable.<br/><br/>If the value of this property is less than that of the <i>Buffer Size</i> then the buffer size value will take precedence. ",
"propertyOrder" : 2800,
"required" : true,
"type" : "integer"
},
"maxRecords" : {
"title" : "Maximum Number of Records",
"description" : "The maximum number of records read from the logs via the Logging API",
"propertyOrder" : 2500,
"required" : true,
"type" : "integer"
}
}
},
"syslog" : {
"type" : "object",
"title" : "Syslog",
"propertyOrder" : 3,
"properties" : {
"facility" : {
"title" : "Syslog facility",
"description" : "Syslog uses the facility level to determine the type of program that is logging the message.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"protocol" : {
"title" : "Syslog transport protocol",
"description" : "The protocol to use to connect to the syslog server.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"timeout" : {
"title" : "Syslog connection timeout",
"description" : "The amount of time to wait when attempting to connect to the syslog server before reporting a failure, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Syslog server host",
"description" : "The URL or IP address of the syslog server, for example <code>http://mysyslog.example.com</code>, or <code>localhost</code>.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Syslog server port",
"description" : "The port number the syslog server is configured to listen to.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"file" : {
"type" : "object",
"title" : "File",
"propertyOrder" : 1,
"properties" : {
"suffix" : {
"title" : "Logfile Rotation Suffix",
"description" : "The name of the log files will be suffixed with the supplied value.<br><br>This field defines the log file suffix. If no suffix is provided, then the following default suffix format will be used: <code>-MM.dd.yy-kk.mm</code>. The suffix allows use of Date and Time patterns defined in <a href=\"http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html\"><code>SimpleDateFormat</code></a><p><p><i>Note:</i> This field is only used if the time based rotation is enabled.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"prefix" : {
"title" : "Logfile Rotation Prefix",
"description" : "The name of the log files will be prefixed with the supplied value.<br><br>This field defines the log file prefix. The prefix will be added to the name of all logfiles.<br/><br/><i>Note:</i> Only used when time-based log rotation is enabled.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"location" : {
"title" : "Log File Location",
"description" : "The path to the location of the log files<br><br>This property controls the location of the log files; the value of this property varies on whether File or DB logging is in use:<p><ul><li>File: The full pathname to the directory containing the log files.</li><li>DB: The JDBC URL to the database used to store the log file database.</li></ul>",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationInterval" : {
"title" : "Logfile Rotation Interval",
"description" : "The rotation interval (in minutes).<br><br>The rotation interval determines the frequency of when the log files will be rotated. If the value is <code>-1</code>, then time based rotation is disabled and log file size based rotation is enabled.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"rotationEnabled" : {
"title" : "Log Rotation",
"description" : "Enable log rotation to cause new log files to be created when configured thresholds are reached, such as <i>Maximum Log Size</i> or <i>Logfile Rotation Interval</i>.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"numberHistoryFiles" : {
"title" : "Number of History Files",
"description" : "Sets the number of history files for each log that OpenAM keeps, including time-based histories.<p><p>The previously live file is moved and is included in the history count, and a new log is created to serve as the live log file. Any log file in the history count that goes over the number specified here will be deleted.<p><p>For time-based logs, a new set of logs will be created when OpenAM is started because of the time-based file names that are used.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"maxFileSize" : {
"title" : "Maximum Log Size",
"description" : "Maximum size of a log file, in bytes.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
},
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"buffering" : {
"title" : "Time Buffering",
"description" : "Enable or Disable log buffering<br><br>When enabled, OpenAM holds all log records in a memory buffer that it periodically flushes to the repository. The period is set in the <i>Buffer Time</i> property.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"bufferSize" : {
"title" : "Buffer Size",
"description" : "The number of log records held in memory before the log records will be flushed to the logfile or the database.",
"propertyOrder" : 2700,
"required" : true,
"type" : "integer"
},
"type" : {
"title" : "Logging Type",
"description" : "Specifies whether to log to a database, Syslog, or to the file system.<br><br>If you choose database then be sure to set the connection attributes correctly, including the JDBC driver to use.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"fields" : {
"title" : "Configurable Log Fields",
"description" : "Controls the fields that are logged by OpenAM.<br><br>This property is the list of fields that are logged by default. Administrators can choose to limit the information logged by OpenAM.",
"propertyOrder" : 1900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"status" : {
"title" : "Log Status",
"description" : "Enable the OpenAM logging system.<p><p>OpenAM supports two Audit Logging Services: the legacy Logging Service, which is based on a Java SDK and is available in OpenAM versions prior to OpenAM 13.5, and a new common REST-based Audit Logging Service available from OpenAM 13.5.<p><p>The legacy Logging Service will be deprecated in a future release.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"bufferTime" : {
"title" : "Buffer Time",
"description" : "The maximum time (in seconds) OpenAM will hold log records in memory before flushing to the underlying repository.",
"propertyOrder" : 2900,
"required" : true,
"type" : "integer"
},
"filesPerKeystore" : {
"title" : "Number of Files per Archive",
"description" : "Controls the number of log files that will be archived by the secure logging system.",
"propertyOrder" : 2600,
"required" : true,
"type" : "integer"
},
"verifyPeriod" : {
"title" : "Log Verification Frequency",
"description" : "The frequency (in seconds) that OpenAM verifies security of the log files.<br><br>When secure logging is enabled, this is the interval at which OpenAM checks the integrity of the log files.",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"certificateStore" : {
"title" : "Logging Certificate Store Location",
"description" : "The path to the Java keystore containing the logging system certificate.<br><br>The secure logging system will use the certificate alias of <code>Logger</code> to locate the certificate in the specified keystore.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"signaturePeriod" : {
"title" : "Log Signature Time",
"description" : "The frequency (in seconds) that OpenAM will digitally sign the log records.<br><br>When secure logging is enabled, this is the interval at which OpenAM digitally signs the contents of the log files. The log signatures form the basis of the log file integrity checking.",
"propertyOrder" : 2100,
"required" : true,
"type" : "integer"
},
"resolveHostName" : {
"title" : "Log Record Resolve Host Name",
"description" : "Enable this to have OpenAM perform a DNS host lookup to populate the host name field for log records.<br><br><i>Note:</i> Enabling this functionality will increase the load of the logging system and the OpenAM host must have DNS configured. ",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"signingAlgorithm" : {
"title" : "Secure Logging Signing Algorithm",
"description" : "Determines the algorithm used to digitally sign the log records.",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"jdkLoggingLevel" : {
"title" : "Logging Level",
"description" : "Control the level of JDK logging within OpenAM. ",
"propertyOrder" : 3100,
"required" : true,
"type" : "string"
},
"security" : {
"title" : "Secure Logging",
"description" : "Enable or Disable secure logging.<br><br>Enabling this setting will cause OpenAM to digitally sign and verify the contents of the log files to help prevent and detect log file tampering. A certificate must be configured for this functionality to be enabled. ",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
}
}
},
"database" : {
"type" : "object",
"title" : "Database",
"propertyOrder" : 2,
"properties" : {
"password" : {
"title" : "Database User Password",
"description" : "When logging to a database, set this to the password used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string",
"format" : "password"
},
"user" : {
"title" : "Database User Name",
"description" : "When logging to a database, set this to the user name used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"driver" : {
"title" : "Database Driver Name",
"description" : "When logging to a database, set this to the class name of the JDBC driver used to connect to the database.<br><br>The default is for Oracle. OpenAM also works with the MySQL database driver.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"databaseFailureMemoryBufferSize" : {
"title" : "DB Failure Memory Buffer Size",
"description" : "Max number of log records held in memory if DB logging fails.<br><br>This is the maximum number of log records that will be held in memory if the database is unavailable. When the buffer is full, new log records cause the oldest record in the buffer to be cleared. OpenAM monitoring records the number of log entries cleared when the database was unavailable.<br/><br/>If the value of this property is less than that of the <i>Buffer Size</i> then the buffer size value will take precedence. ",
"propertyOrder" : 2800,
"required" : true,
"type" : "integer"
},
"maxRecords" : {
"title" : "Maximum Number of Records",
"description" : "The maximum number of records read from the logs via the Logging API",
"propertyOrder" : 2500,
"required" : true,
"type" : "integer"
}
}
},
"syslog" : {
"type" : "object",
"title" : "Syslog",
"propertyOrder" : 3,
"properties" : {
"facility" : {
"title" : "Syslog facility",
"description" : "Syslog uses the facility level to determine the type of program that is logging the message.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"protocol" : {
"title" : "Syslog transport protocol",
"description" : "The protocol to use to connect to the syslog server.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"timeout" : {
"title" : "Syslog connection timeout",
"description" : "The amount of time to wait when attempting to connect to the syslog server before reporting a failure, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Syslog server host",
"description" : "The URL or IP address of the syslog server, for example <code>http://mysyslog.example.com</code>, or <code>localhost</code>.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Syslog server port",
"description" : "The port number the syslog server is configured to listen to.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
}
}
}
}
}
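The Update schema above documents several rules that are easy to get wrong when a configuration is pushed by automation: a rotationInterval of -1 switches to size-based rotation, a DB failure buffer smaller than Buffer Size is overridden by Buffer Size, secure logging needs a keystore holding the Logger alias, and buffered records exist only in memory until the next flush. The following pre-flight checker is an added example, not part of the OpenAM API descriptor or of OpenAM itself. The descriptor types status, security, buffering and type only as strings, so the enabled values (ACTIVE/ON) and type names (File/DB/Syslog) it matches on are assumptions, as are the keystore path, driver class and both sample configurations.

```python
"""Pre-flight checks for an OpenAM legacy Logging service configuration.

Added example; not part of the OpenAM API descriptor or of OpenAM itself.
Input is a document in the shape of the Update schema. Findings follow the
rules the property descriptions state; enabled values (ACTIVE/ON) and type
names (File/DB/Syslog) are assumptions, since the schema only says "string".
"""
from __future__ import annotations

ENABLED_VALUES = {"ON", "ACTIVE", "TRUE"}  # assumption: values are not enumerated in the schema


def _is_on(value) -> bool:
    return str(value).strip().upper() in ENABLED_VALUES


def audit_logging_config(cfg: dict) -> list[str]:
    """Return findings for a logging configuration; an empty list means no concerns."""
    findings: list[str] = []
    general = cfg.get("general", {})
    file_cfg = cfg.get("file", {})
    db = cfg.get("database", {})
    syslog = cfg.get("syslog", {})
    log_type = str(general.get("type", "")).strip().upper()

    if not _is_on(general.get("status")):
        findings.append("general.status: logging is disabled; no audit trail is written")

    # Secure logging signs the log every signaturePeriod seconds and verifies it
    # every verifyPeriod seconds; without it, tampering with log files goes unnoticed.
    if _is_on(general.get("security")):
        if not general.get("certificateStore"):
            findings.append("general.security: secure logging enabled but certificateStore is empty")
        if int(general.get("signaturePeriod", 0)) <= 0 or int(general.get("verifyPeriod", 0)) <= 0:
            findings.append("general.signaturePeriod/verifyPeriod: must be positive when secure logging is on")
    else:
        findings.append("general.security: secure logging disabled; log tampering is not detected")

    # Buffered records live only in memory until the next flush; a crash loses them.
    if _is_on(general.get("buffering")):
        size, window = int(general.get("bufferSize", 0)), int(general.get("bufferTime", 0))
        findings.append(f"general.buffering: up to {size} records or {window}s of audit data are at risk per flush window")

    if log_type == "FILE":
        interval = int(file_cfg.get("rotationInterval", -1))
        if file_cfg.get("rotationEnabled") and interval == -1 and int(file_cfg.get("maxFileSize", 0)) <= 0:
            findings.append("file: rotationInterval=-1 selects size-based rotation but maxFileSize is not set")
        if int(file_cfg.get("numberHistoryFiles", 0)) <= 0:
            findings.append("file.numberHistoryFiles: no history retained; rotated logs are deleted immediately")
    elif log_type == "DB":
        fail_buf = int(db.get("databaseFailureMemoryBufferSize", 0))
        buf = int(general.get("bufferSize", 0))
        if fail_buf < buf:
            findings.append(f"database.databaseFailureMemoryBufferSize ({fail_buf}) < bufferSize ({buf}); bufferSize takes precedence")
        if not db.get("user") or not db.get("password"):
            findings.append("database: user or password missing; records are dropped once the failure buffer fills")
    elif log_type == "SYSLOG":
        if str(syslog.get("protocol", "")).strip().upper() == "UDP":
            findings.append("syslog.protocol: UDP offers no delivery guarantee; dropped audit records are silent")
        if not syslog.get("host"):
            findings.append("syslog.host: no server configured")
    else:
        findings.append(f"general.type: unrecognised logging type {log_type!r}")
    return findings


# Constructed sample: DB logging, secure logging off, buffering on, empty credentials.
WEAK_CONFIG = {
    "general": {"status": "ACTIVE", "security": "INACTIVE", "buffering": "ON",
                "bufferSize": 1000, "bufferTime": 60, "type": "DB"},
    "database": {"user": "", "password": "", "driver": "com.mysql.jdbc.Driver",
                 "databaseFailureMemoryBufferSize": 100},
}

# Constructed sample: file logging with signing, no buffering, size-based rotation.
HARDENED_CONFIG = {
    "general": {"status": "ACTIVE", "security": "ACTIVE", "buffering": "OFF",
                "certificateStore": "/opt/openam/logging.jks",  # assumed path
                "signaturePeriod": 900, "verifyPeriod": 3600, "type": "File"},
    "file": {"rotationEnabled": True, "rotationInterval": -1,
             "maxFileSize": 100 * 1024 * 1024, "numberHistoryFiles": 10},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_logging_config(cfg) or ["no findings"])
```

Run it against the body you are about to PUT to the logging service and refuse the deployment when it returns findings; the buffering finding is informational and is the trade-off to weigh against write load on the repository.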
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/monitoring
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authfilePath" : {
"title" : "Monitoring HTTP interface authentication file path",
"description" : "Path to the monitoring system authentication file<br><br>The <code>openam_mon_auth</code> file contains the username and password of the account used to protect the monitoring interfaces. The default username is <code>demo</code> with a password of <code>changeit</code>. Use the <code>ampassword</code> command to encrypt a new password.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"snmpPort" : {
"title" : "Monitoring SNMP Port",
"description" : "Port number for the SNMP monitoring interface",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"rmiEnabled" : {
"title" : "Monitoring RMI interface status",
"description" : "Enable / Disable the JMX access to the monitoring system",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"snmpEnabled" : {
"title" : "Monitoring SNMP interface status",
"description" : "Enable / Disable the SNMP access to the monitoring system",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"enabled" : {
"title" : "Monitoring Status",
"description" : "Enable / Disable the monitoring system",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"httpEnabled" : {
"title" : "Monitoring HTTP interface status",
"description" : "Enable / Disable the HTTP access to the monitoring system ",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"httpPort" : {
"title" : "Monitoring HTTP Port",
"description" : "Port number for the HTTP monitoring interface",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"rmiPort" : {
"title" : "Monitoring RMI Port",
"description" : "Port number for the JMX monitoring interface",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"policyHistoryWindowSize" : {
"title" : "Policy evaluation monitoring history size",
"description" : "Size of the window of most recent policy evaluations to record and expose via the monitoring system. Valid range is 100 - 1000000.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"sessionHistoryWindowSize" : {
"title" : "Session monitoring history size",
"description" : "Size of the window of most recent session operations to record and expose via the monitoring system. Valid range is 100 - 1000000.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authfilePath" : {
"title" : "Monitoring HTTP interface authentication file path",
"description" : "Path to the monitoring system authentication file<br><br>The <code>openam_mon_auth</code> file contains the username and password of the account used to protect the monitoring interfaces. The default username is <code>demo</code> with a password of <code>changeit</code>. Use the <code>ampassword</code> command to encrypt a new password.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"snmpPort" : {
"title" : "Monitoring SNMP Port",
"description" : "Port number for the SNMP monitoring interface",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"rmiEnabled" : {
"title" : "Monitoring RMI interface status",
"description" : "Enable / Disable the JMX access to the monitoring system",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"snmpEnabled" : {
"title" : "Monitoring SNMP interface status",
"description" : "Enable / Disable the SNMP access to the monitoring system",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"enabled" : {
"title" : "Monitoring Status",
"description" : "Enable / Disable the monitoring system",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"httpEnabled" : {
"title" : "Monitoring HTTP interface status",
"description" : "Enable / Disable the HTTP access to the monitoring system ",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"httpPort" : {
"title" : "Monitoring HTTP Port",
"description" : "Port number for the HTTP monitoring interface",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"rmiPort" : {
"title" : "Monitoring RMI Port",
"description" : "Port number for the JMX monitoring interface",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"policyHistoryWindowSize" : {
"title" : "Policy evaluation monitoring history size",
"description" : "Size of the window of most recent policy evaluations to record and expose via the monitoring system. Valid range is 100 - 1000000.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"sessionHistoryWindowSize" : {
"title" : "Session monitoring history size",
"description" : "Size of the window of most recent session operations to record and expose via the monitoring system. Valid range is 100 - 1000000.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
}
}
}
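The monitoring service opens up to three management listeners (HTTP, JMX over RMI, SNMP), and the schema itself tells you the HTTP one ships protected by a demo/changeit account in openam_mon_auth. The auditor below is an added example, not part of the OpenAM API descriptor or of OpenAM; it takes a document in the shape of the Read/Update schema plus the text of the auth file and reports exposure. The rules it enforces from the page are the default account and the 100 - 1000000 history-window range; the port and interface checks are general management-interface hygiene. The auth-file layout it parses (one line, username followed by the encrypted password) and both sample configurations are assumptions.

```python
"""Audit an OpenAM monitoring-service configuration for unsafe exposure.

Added example; not part of the API descriptor or of OpenAM. Input is a
configuration in the shape of the monitoring Read/Update schema and the
text of openam_mon_auth. Assumption: that file holds one line of the form
"<username> <encrypted-password>".
"""
from __future__ import annotations

DEFAULT_MON_USER = "demo"          # default account named in the authfilePath description
WINDOW_MIN, WINDOW_MAX = 100, 1_000_000


def auth_file_username(auth_file_text: str) -> str | None:
    """First token of the first non-empty line, or None if the file is empty."""
    for line in auth_file_text.splitlines():
        parts = line.split()
        if parts:
            return parts[0]
    return None


def audit_monitoring(cfg: dict, auth_file_text: str = "") -> list[str]:
    findings: list[str] = []
    if not cfg.get("enabled", False):
        return findings  # nothing listens; the remaining settings are inert

    interfaces = {
        "http": (cfg.get("httpEnabled"), cfg.get("httpPort")),
        "rmi": (cfg.get("rmiEnabled"), cfg.get("rmiPort")),
        "snmp": (cfg.get("snmpEnabled"), cfg.get("snmpPort")),
    }
    live = {name: port for name, (on, port) in interfaces.items() if on}
    if not live:
        findings.append("monitoring enabled but every interface is disabled; nothing is exposed")

    if "http" in live:
        user = auth_file_username(auth_file_text)
        if user is None:
            findings.append("httpEnabled: openam_mon_auth is empty; the HTTP interface has no usable account")
        elif user == DEFAULT_MON_USER:
            findings.append("httpEnabled: openam_mon_auth still uses the default 'demo' account; replace it and encrypt the new password with ampassword")
    if "rmi" in live:
        findings.append("rmiEnabled: JMX over RMI is on and this schema carries no credentials for it; restrict it to a management network")
    if "snmp" in live:
        findings.append("snmpEnabled: SNMP is on and this schema carries no community or SNMPv3 settings; restrict it to a management network")

    seen: dict[int, str] = {}
    for name, port in live.items():
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append(f"{name}Port: {port!r} is not a valid port")
            continue
        if port < 1024:
            findings.append(f"{name}Port: {port} is a privileged port and needs elevated privileges to bind")
        if port in seen:
            findings.append(f"{name}Port: {port} collides with {seen[port]}Port")
        seen[port] = name

    for key in ("policyHistoryWindowSize", "sessionHistoryWindowSize"):
        val = cfg.get(key)
        if not isinstance(val, int) or not WINDOW_MIN <= val <= WINDOW_MAX:
            findings.append(f"{key}: {val!r} is outside the documented range {WINDOW_MIN}-{WINDOW_MAX}")
    return findings


# Constructed sample: every interface on, stock account in the auth file.
SAMPLE_EXPOSED = {
    "enabled": True,
    "httpEnabled": True, "httpPort": 8082,
    "rmiEnabled": True, "rmiPort": 9999,
    "snmpEnabled": True, "snmpPort": 8085,
    "authfilePath": "/opt/openam/openam_mon_auth",   # assumed path
    "policyHistoryWindowSize": 10000, "sessionHistoryWindowSize": 10000,
}
SAMPLE_AUTH_FILE = "demo AQICEncryptedPlaceholder==\n"      # constructed; not a real ciphertext

# Constructed sample: HTTP only, dedicated account, windows in range.
SAMPLE_HARDENED = {**SAMPLE_EXPOSED, "rmiEnabled": False, "snmpEnabled": False}
SAMPLE_HARDENED_AUTH_FILE = "monitor AQICEncryptedPlaceholder==\n"

if __name__ == "__main__":
    print("exposed:", audit_monitoring(SAMPLE_EXPOSED, SAMPLE_AUTH_FILE))
    print("hardened:", audit_monitoring(SAMPLE_HARDENED, SAMPLE_HARDENED_AUTH_FILE))
```

Reading the configuration through the Read operation tells you which listeners are on; only the host's own file tells you which account protects the HTTP one, which is why the auditor takes both.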
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/monitoring/crest
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
/global-config/services/monitoring/crest/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the configuration instance ({id} in the path) | Yes | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the configuration instance ({id} in the path) | Yes | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the configuration instance ({id} in the path) | Yes | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the configuration instance ({id} in the path) | Yes | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
/global-config/services/monitoring/graphite
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"host" : {
"title" : "Hostname",
"description" : "The hostname of the Graphite server to which metrics should be published.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Port",
"description" : "The port of the Graphite server to which metrics should be published.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"frequency" : {
"title" : "Frequency",
"description" : "The frequency (in seconds) at which metrics should be published.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"host" : {
"title" : "Hostname",
"description" : "The hostname of the Graphite server to which metrics should be published.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Port",
"description" : "The port of the Graphite server to which metrics should be published.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"frequency" : {
"title" : "Frequency",
"description" : "The frequency (in seconds) at which metrics should be published.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
/global-config/services/monitoring/graphite/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the configuration instance ({id} in the path) | Yes | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"host" : {
"title" : "Hostname",
"description" : "The hostname of the Graphite server to which metrics should be published.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Port",
"description" : "The port of the Graphite server to which metrics should be published.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"frequency" : {
"title" : "Frequency",
"description" : "The frequency (in seconds) at which metrics should be published.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the configuration instance ({id} in the path) | Yes | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"host" : {
"title" : "Hostname",
"description" : "The hostname of the Graphite server to which metrics should be published.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Port",
"description" : "The port of the Graphite server to which metrics should be published.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"frequency" : {
"title" : "Frequency",
"description" : "The frequency (in seconds) at which metrics should be published.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the configuration instance ({id} in the path) | Yes | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"host" : {
"title" : "Hostname",
"description" : "The hostname of the Graphite server to which metrics should be published.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Port",
"description" : "The port of the Graphite server to which metrics should be published.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"frequency" : {
"title" : "Frequency",
"description" : "The frequency (in seconds) at which metrics should be published.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the configuration instance ({id} in the path) | Yes | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"host" : {
"title" : "Hostname",
"description" : "The hostname of the Graphite server to which metrics should be published.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Port",
"description" : "The port of the Graphite server to which metrics should be published.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"frequency" : {
"title" : "Frequency",
"description" : "The frequency (in seconds) at which metrics should be published.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
/global-config/services/monitoring/prometheus
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"password" : {
"title" : "Password",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Username",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
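The crest, graphite and prometheus sub-configurations above all share one shape: a collection whose resource IDs are "assigned by client", a per-instance {id} path with Create/Read/Update/Delete, a Query by Filter that accepts only _queryFilter=true, and the three _action operations for secondary types. The client below is an added example, not code from the OpenAM API descriptor or the OpenAM project; it builds the HTTP requests those operations map to under ForgeRock's CREST conventions (create with PUT plus If-None-Match: *, update with PUT plus If-Match: *, actions as POST with ?_action=) and redacts the password property before anything is logged. The deployment URL https://am.example.com/openam, the /json REST root, the default iPlanetDirectoryPro SSO cookie name, an administrator SSO token obtained elsewhere, and the instance IDs and credentials shown are all assumptions.

```python
"""Minimal CREST client for the monitoring sub-configuration endpoints above.

Added example; not code from the OpenAM API descriptor or the OpenAM project.
Assumptions: deployment URL https://am.example.com/openam, the /json REST
root, the default iPlanetDirectoryPro SSO cookie name, and an administrator
SSO token obtained elsewhere. Instance IDs and credentials are illustrative.
"""
from __future__ import annotations

import json
import urllib.request
from urllib.parse import urlencode

API_VERSION = "resource=1.0"            # version the descriptor advertises for these paths
SSO_COOKIE = "iPlanetDirectoryPro"      # assumption: default name; hardened deployments often rename it
MONITORING_PATH = "/json/global-config/services/monitoring"  # assumption: /json REST root
SECRET_KEYS = {"password"}              # properties the schemas mark with "format": "password"


def redact_secrets(body: dict) -> dict:
    """Copy of a request or response body that is safe to write to a log."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in body.items()}


class MonitoringConfigClient:
    def __init__(self, base_url: str, sso_token: str):
        if not base_url.startswith("https://"):
            raise ValueError("refusing to send an administrator SSO token over plaintext HTTP")
        self.base_url = base_url.rstrip("/")
        self.sso_token = sso_token

    def _request(self, method: str, path: str, body: dict | None = None,
                 query: dict | None = None, extra: dict | None = None) -> urllib.request.Request:
        url = f"{self.base_url}{MONITORING_PATH}{path}"
        if query:
            url += "?" + urlencode(query)
        headers = {"Accept-API-Version": API_VERSION, "Content-Type": "application/json",
                   SSO_COOKIE: self.sso_token}   # AM also accepts the SSO token as a header
        headers.update(extra or {})
        data = json.dumps(body).encode() if body is not None else None
        return urllib.request.Request(url, data=data, method=method, headers=headers)

    # Create with a client-assigned ID: If-None-Match: * makes the PUT fail if the ID exists.
    def create(self, kind: str, instance_id: str, body: dict) -> urllib.request.Request:
        return self._request("PUT", f"/{kind}/{instance_id}", body, extra={"If-None-Match": "*"})

    def read(self, kind: str, instance_id: str) -> urllib.request.Request:
        return self._request("GET", f"/{kind}/{instance_id}")

    # Update an existing ID: If-Match: * prevents the PUT from silently creating it.
    def update(self, kind: str, instance_id: str, body: dict) -> urllib.request.Request:
        return self._request("PUT", f"/{kind}/{instance_id}", body, extra={"If-Match": "*"})

    def delete(self, kind: str, instance_id: str) -> urllib.request.Request:
        return self._request("DELETE", f"/{kind}/{instance_id}")

    # Query by Filter: the descriptor says only _queryFilter=true is supported.
    def list_instances(self, kind: str) -> urllib.request.Request:
        return self._request("GET", f"/{kind}", query={"_queryFilter": "true"})

    def creatable_types(self) -> urllib.request.Request:
        return self._request("POST", "", query={"_action": "getCreatableTypes"})

    @staticmethod
    def send(req: urllib.request.Request) -> dict:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)


if __name__ == "__main__":
    client = MonitoringConfigClient("https://am.example.com/openam", "<sso-token>")
    req = client.create("prometheus", "scrape", {"enabled": True, "username": "prom", "password": "s3cr3t"})
    print(req.get_method(), req.full_url)
    print("body:", redact_secrets(json.loads(req.data)))
    # client.send(req) would perform the call against a live deployment.
```

The graphite instance is worth the same care: its schema carries only host, port and frequency, so metrics leave the server in the clear on whatever TCP port you name there; keep that destination on a trusted network segment.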
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"password" : {
"title" : "Password",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Username",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
/global-config/services/monitoring/prometheus/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"password" : {
"title" : "Password",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Username",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"password" : {
"title" : "Password",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Username",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"password" : {
"title" : "Password",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Username",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"password" : {
"title" : "Password",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Username",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
/global-config/services/naming
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"federationConfig" : {
"type" : "object",
"title" : "Federation Configuration",
"propertyOrder" : 1,
"properties" : {
"samlSoapReceiverUrl" : {
"title" : "SAML SOAP Service URL",
"description" : "Specifies the SAML v1 SOAP service endpoint.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"jaxrpcUrl" : {
"title" : "JAXRPC Endpoint URL",
"description" : "Specifies the JAXRPC endpoint URL used by the remote IDM/SMS APIs.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"samlAwareServletUrl" : {
"title" : "SAML Web Profile/Artifact Service URL",
"description" : "Specifies the SAML v1 endpoint.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"samlPostServletUrl" : {
"title" : "SAML Web Profile/POST Service URL",
"description" : "Specifies the SAML v1 Web Profile endpoint.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"samlAssertionManagerUrl" : {
"title" : "SAML Assertion Manager Service URL",
"description" : "Specifies the SAML v1 assertion service endpoint.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
}
}
},
"generalConfig" : {
"type" : "object",
"title" : "General Configuration",
"propertyOrder" : 0,
"properties" : {
"sessionUrl" : {
"title" : "Session Service URL",
"description" : "Specifies the endpoint used by the session service.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"policyUrl" : {
"title" : "Policy Service URL",
"description" : "Specifies the endpoint used by the policy service.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"loggingUrl" : {
"title" : "Logging Service URL",
"description" : "Specifies the endpoint used by the logging service.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"profileUrl" : {
"title" : "Profile Service URL",
"description" : "Specifies the endpoint used by the profile service.<p><p>This attribute is deprecated.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authUrl" : {
"title" : "Authentication Service URL",
"description" : "Specifies the endpoint used by the authentication service.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"endpointConfig" : {
"type" : "object",
"title" : "Endpoint Configuration",
"propertyOrder" : 2,
"properties" : {
"securityTokenManagerUrl" : {
"title" : "Security Token Manager URL",
"description" : "Specifies the security token manager endpoint.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"federationAssertionManagerUrl" : {
"title" : "Federation Assertion Manager Service URL",
"description" : "Specifies the ID-FF assertion manager endpoint.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"jaxwsUrl" : {
"title" : "Identity Web Services Endpoint URL",
"description" : "Specifies the endpoint for the Identity WSDL services.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"stsMexUrl" : {
"title" : "Security Token Service MEX Endpoint URL",
"description" : "Specifies the STS MEX endpoint.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"stsUrl" : {
"title" : "Security Token Service Endpoint URL",
"description" : "Specifies the STS endpoint.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"idsvcsRestUrl" : {
"title" : "Identity REST Services Endpoint URL",
"description" : "Specifies the endpoint for the Identity REST services.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"federationConfig" : {
"type" : "object",
"title" : "Federation Configuration",
"propertyOrder" : 1,
"properties" : {
"samlSoapReceiverUrl" : {
"title" : "SAML SOAP Service URL",
"description" : "Specifies the SAML v1 SOAP service endpoint.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"jaxrpcUrl" : {
"title" : "JAXRPC Endpoint URL",
"description" : "Specifies the JAXRPC endpoint URL used by the remote IDM/SMS APIs.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"samlAwareServletUrl" : {
"title" : "SAML Web Profile/Artifact Service URL",
"description" : "Specifies the SAML v1 endpoint.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"samlPostServletUrl" : {
"title" : "SAML Web Profile/POST Service URL",
"description" : "Specifies the SAML v1 Web Profile endpoint.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"samlAssertionManagerUrl" : {
"title" : "SAML Assertion Manager Service URL",
"description" : "Specifies the SAML v1 assertion service endpoint.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
}
}
},
"generalConfig" : {
"type" : "object",
"title" : "General Configuration",
"propertyOrder" : 0,
"properties" : {
"sessionUrl" : {
"title" : "Session Service URL",
"description" : "Specifies the endpoint used by the session service.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"policyUrl" : {
"title" : "Policy Service URL",
"description" : "Specifies the endpoint used by the policy service.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"loggingUrl" : {
"title" : "Logging Service URL",
"description" : "Specifies the endpoint used by the logging service.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"profileUrl" : {
"title" : "Profile Service URL",
"description" : "Specifies the endpoint used by the profile service.<p><p>This attribute is deprecated.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authUrl" : {
"title" : "Authentication Service URL",
"description" : "Specifies the endpoint used by the authentication service.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"endpointConfig" : {
"type" : "object",
"title" : "Endpoint Configuration",
"propertyOrder" : 2,
"properties" : {
"securityTokenManagerUrl" : {
"title" : "Security Token Manager URL",
"description" : "Specifies the security token manager endpoint.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"federationAssertionManagerUrl" : {
"title" : "Federation Assertion Manager Service URL",
"description" : "Specifies the ID-FF assertion manager endpoint.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"jaxwsUrl" : {
"title" : "Identity Web Services Endpoint URL",
"description" : "Specifies the endpoint for the Identity WSDL services.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"stsMexUrl" : {
"title" : "Security Token Service MEX Endpoint URL",
"description" : "Specifies the STS MEX endpoint.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"stsUrl" : {
"title" : "Security Token Service Endpoint URL",
"description" : "Specifies the STS endpoint.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"idsvcsRestUrl" : {
"title" : "Identity REST Services Endpoint URL",
"description" : "Specifies the endpoint for the Identity REST services.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/oauth-oidc
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
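Several settings in the schema below describe one mechanism for stateless OAuth 2.0 tokens: tokenSigningAlgorithm and tokenSigningHmacSharedSecret (a Base64-encoded key) protect a token that is signed rather than stored, and because such a token cannot be deleted from the CTS, revoking it means remembering its identifier in a blacklist until it has certainly expired on every server (blacklistPurgeDelay, bounded by blacklistCacheSize). The following example was written for this page and is not OpenAM code; it shows that mechanism end to end in Python. The shared secret, token lifetimes, the jti claim and the error strings are constructed for the demo, and the algorithm is pinned to HS256 as an assumption rather than read from configuration.

```python
# Added example, not OpenAM code: a toy stateless OAuth 2.0 token service mirroring the
# oauth-oidc settings tokenSigningAlgorithm (assumed pinned to HS256), a Base64-encoded
# tokenSigningHmacSharedSecret, and a blacklist governed by blacklistPurgeDelay and
# blacklistCacheSize. Secret, lifetimes, claim names and error strings are constructed.
import base64
import hashlib
import hmac
import json

# Constructed sample value: a 32-byte key, Base64-encoded the way the setting expects it.
SHARED_SECRET_B64 = base64.b64encode(b"demo-hmac-key-please-rotate-0000").decode("ascii")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class StatelessTokenService:
    """Signs and checks self-contained tokens; revocation is a blacklist, not a store delete."""

    def __init__(self, hmac_shared_secret_b64: str, purge_delay_minutes: int, cache_size: int):
        self.key = base64.b64decode(hmac_shared_secret_b64)   # decode; never use the text as the key
        self.alg = "HS256"            # pinned server-side; the token header does not get a vote
        self.purge_delay = purge_delay_minutes * 60
        self.cache_size = cache_size
        self.blacklist = {}           # jti -> instant after which the entry may be purged

    def _sign(self, signing_input: bytes) -> bytes:
        return hmac.new(self.key, signing_input, hashlib.sha256).digest()

    def issue(self, sub: str, jti: str, lifetime_seconds: int, now: float) -> str:
        header = b64url(json.dumps({"typ": "JWT", "alg": self.alg}, separators=(",", ":")).encode())
        claims = {"sub": sub, "jti": jti, "iat": int(now), "exp": int(now) + lifetime_seconds}
        body = b64url(json.dumps(claims, separators=(",", ":")).encode())
        return header + "." + body + "." + b64url(self._sign((header + "." + body).encode("ascii")))

    def _parse(self, token: str) -> dict:
        """Algorithm and signature checks only; raises ValueError on any tampering."""
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        header, body, sig = parts
        if json.loads(b64url_decode(header)).get("alg") != self.alg:
            raise ValueError("unexpected alg")        # defeats alg=none and key-confusion tricks
        expected = self._sign((header + "." + body).encode("ascii"))
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(body))

    def verify(self, token: str, now: float) -> dict:
        claims = self._parse(token)
        if now >= claims["exp"]:
            raise ValueError("expired")
        self._purge(now)
        if claims["jti"] in self.blacklist:
            raise ValueError("revoked")
        return claims

    def status(self, token: str, now: float) -> str:
        try:
            self.verify(token, now)
            return "ok"
        except ValueError as err:
            return str(err)

    def revoke(self, token: str) -> None:
        # A stateless token cannot be deleted, so its jti is held until it has certainly expired on
        # every server: exp plus the purge delay that absorbs clock skew between cluster members.
        claims = self._parse(token)
        self.blacklist[claims["jti"]] = claims["exp"] + self.purge_delay
        if len(self.blacklist) > self.cache_size:
            soonest = min(self.blacklist, key=self.blacklist.get)   # bounded, like blacklistCacheSize
            del self.blacklist[soonest]

    def _purge(self, now: float) -> None:
        for jti in [j for j, t in self.blacklist.items() if t <= now]:
            del self.blacklist[jti]

    def blacklist_size(self, now: float) -> int:
        self._purge(now)
        return len(self.blacklist)


def forge_unsigned(token: str) -> str:
    """What an attacker who strips the signature and sets alg=none would present."""
    _, body, _ = token.split(".")
    return b64url(b'{"typ":"JWT","alg":"none"}') + "." + body + "."


def build_service() -> StatelessTokenService:
    return StatelessTokenService(SHARED_SECRET_B64, purge_delay_minutes=1, cache_size=1000)


if __name__ == "__main__":
    svc = build_service()
    t0 = 1_700_000_000.0
    tok = svc.issue("alice", "jti-1", 300, t0)
    print(svc.status(tok, t0 + 10))              # ok
    svc.revoke(tok)
    print(svc.status(tok, t0 + 30))              # revoked
    print(svc.status(forge_unsigned(tok), t0))   # unexpected alg
```

Verification pins the algorithm from configuration and compares signatures in constant time, so a token whose header claims alg=none or some other algorithm is rejected before its signature is examined. The blacklist entry outlives the token by the purge delay: as long as cluster clocks disagree by less than that delay, no server will accept a revoked token that is "not yet expired" by its own clock.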
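The codeVerifierEnforced setting in the schema below requires a code_challenge on every authorization-code request. The added example that follows, written for this page and not OpenAM code, is a toy authorization server showing what that enforcement looks like at the authorize leg and what the matching verification looks like at the token leg, with the S256 derivation checked against the RFC 7636 test vector. The in-memory code store, the client identifiers and the returned token string are constructed for the demo.

```python
# Added example, not OpenAM code: PKCE enforcement and verification as a toy authorization
# server. The code store, client ids and token string are constructed for the demo.
import base64
import hashlib
import hmac
import re
import secrets

VERIFIER_RE = re.compile(r"^[A-Za-z0-9._~-]{43,128}$")   # unreserved characters, RFC 7636 section 4.1


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    return b64url(secrets.token_bytes(32))     # 32 random bytes -> 43 characters


def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    if method == "S256":
        return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        return code_verifier
    raise ValueError("invalid_request: unsupported code_challenge_method")


class AuthorizationServer:
    def __init__(self, code_verifier_enforced: bool):
        self.enforced = code_verifier_enforced      # plays the role of codeVerifierEnforced
        self.codes = {}   # authorization code -> (client_id, code_challenge, method)

    def authorize(self, client_id: str, code_challenge: str = None, method: str = "S256") -> str:
        """The /oauth2/authorize leg: bind the challenge to the code being issued."""
        if code_challenge is None and self.enforced:
            raise ValueError("invalid_request: code_challenge required")
        if code_challenge is not None and method not in ("S256", "plain"):
            raise ValueError("invalid_request: unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str = None) -> str:
        """The token leg: the code is single-use and the verifier must reproduce the challenge."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise ValueError("invalid_grant: unknown code or wrong client")
        _, challenge, method = entry
        if challenge is not None:
            if code_verifier is None or not VERIFIER_RE.match(code_verifier):
                raise ValueError("invalid_grant: code_verifier missing or malformed")
            recomputed = make_code_challenge(code_verifier, method).encode("ascii")
            if not hmac.compare_digest(recomputed, challenge.encode("utf-8")):
                raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return "access-token-for-" + client_id   # constructed stand-in for a real token


def authorize_outcome(server, client_id, code_challenge=None, method="S256") -> str:
    try:
        server.authorize(client_id, code_challenge, method)
        return "code issued"
    except ValueError as err:
        return str(err).split(":")[0]


def token_outcome(server, client_id, code, code_verifier=None) -> str:
    try:
        server.token(client_id, code, code_verifier)
        return "ok"
    except ValueError as err:
        return str(err).split(":")[0]
```

With enforcement on, a public client that omits code_challenge never receives a code; with it off, the server still verifies PKCE whenever a challenge was supplied, so an intercepted code is useless to anyone who does not hold the verifier. The code is consumed on first use either way.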
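The hashSalt setting in the schema below (example value "changeme") is what keeps pairwise subject identifiers from being correlated across clients. The added example that follows is not OpenAM code and does not claim to reproduce OpenAM's own derivation, which this page does not specify; it uses the illustrative algorithm from OpenID Connect Core section 8.1 (SHA-256 over sector identifier, local account id and salt) as an assumption, and shows why a relying party that can guess the salt can undo the pairwise mapping. Client registrations and identities are constructed for the demo.

```python
# Added example, not OpenAM code: pairwise subject derivation (OIDC Core 8.1 style, assumed,
# not OpenAM's actual function) and the correlation that a guessable hashSalt permits.
import hashlib
from urllib.parse import urlparse

STRONG_SALT = "c0nstructed-long-random-salt-kept-secret-by-the-provider"   # constructed demo value


def sector_identifier(redirect_uris, sector_identifier_uri=None) -> str:
    """Host of sector_identifier_uri if registered, else the single host of the redirect URIs."""
    if sector_identifier_uri:
        return urlparse(sector_identifier_uri).hostname
    hosts = {urlparse(uri).hostname for uri in redirect_uris}
    if len(hosts) != 1:
        raise ValueError("clients with several redirect hosts need a sector_identifier_uri")
    return hosts.pop()


def pairwise_sub(sector: str, local_sub: str, salt: str) -> str:
    # Same user, same sector -> same sub; same user, different sector -> unrelated sub,
    # provided the salt stays secret.
    return hashlib.sha256((sector + local_sub + salt).encode("utf-8")).hexdigest()


def correlate(observed_sub: str, sector: str, candidate_local_subs, salt: str):
    """What a relying party can do if it knows (or guesses) the salt: recover the local account."""
    for candidate in candidate_local_subs:
        if pairwise_sub(sector, candidate, salt) == observed_sub:
            return candidate
    return None
```

With the salt left at its example value an RP that knows a list of likely local identifiers (usernames, e-mail addresses) can reverse every pairwise sub it sees and join its records with another sector's; with a long random salt the same search returns nothing.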
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"blacklistCacheSize" : {
"title" : "Token Blacklist Cache Size",
"description" : "Number of blacklisted tokens to cache in memory to speed up blacklist checks and reduce load on the CTS.",
"propertyOrder" : 0,
"required" : true,
"type" : "integer"
},
"statelessGrantTokenUpgradeCompatibilityMode" : {
"title" : "Stateless Grant Token Upgrade Compatibility Mode",
"description" : "Enable OpenAM to consume and create stateless OAuth 2.0 tokens in two different formats simultaneously.<br><br>Enable this option when upgrading OpenAM to allow the new instance to create and consume stateless OAuth 2.0 tokens in both the previous format, and the new format. Disable this option once all OpenAM instances in the cluster have been upgraded.",
"propertyOrder" : 5,
"required" : true,
"type" : "boolean"
},
"blacklistPurgeDelay" : {
"title" : "Blacklist Purge Delay (minutes)",
"description" : "Length of time to blacklist tokens beyond their expiry time.<br><br>Allows additional time to account for clock skew to ensure that a token has expired before it is removed from the blacklist.",
"propertyOrder" : 2,
"required" : true,
"type" : "integer"
},
"blacklistPollInterval" : {
"title" : "Blacklist Poll Interval (seconds)",
"description" : "How frequently to poll for token blacklist changes from other servers, in seconds.<br><br>How often each server will poll the CTS for token blacklist changes from other servers. This is used to maintain a highly compressed view of the overall current token blacklist improving performance. A lower number will reduce the delay for blacklisted tokens to propagate to all servers at the cost of increased CTS load. Set to 0 to disable this feature completely.",
"propertyOrder" : 1,
"required" : true,
"type" : "integer"
},
"agentIdTokenSigningKeyAlias" : {
"title" : "ID Token Signing Key Alias for Agent Clients",
"description" : "The alias for the RSA key that should be used for signing ID tokens for Agent OAuth2 clients.",
"propertyOrder" : 4,
"required" : true,
"type" : "string"
},
"idTokenAuthenticitySecret" : {
"title" : "Authenticity Secret",
"description" : "A secret used to sign data that OpenAM sends out, so that its authenticity can be checked when that data is presented back to OpenAM.",
"propertyOrder" : 3,
"required" : true,
"type" : "string",
"format" : "password"
},
"defaults" : {
"properties" : {
"advancedOAuth2Config" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"tokenSigningAlgorithm" : {
"title" : "OAuth2 Token Signing Algorithm",
"description" : "Algorithm used to sign stateless OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 220,
"required" : true,
"type" : "string"
},
"tokenEncryptionKeyAlias" : {
"title" : "Token Encryption Secret Key Alias",
"description" : "The secret key used for encryption.<br><br>The secret key will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 243,
"required" : false,
"type" : "string"
},
"hashSalt" : {
"title" : "Subject Identifier Hash Salt",
"description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.",
"propertyOrder" : 260,
"required" : false,
"type" : "string",
"exampleValue" : "changeme"
},
"authenticationAttributes" : {
"title" : "User Profile Attribute(s) the Resource Owner is Authenticated On",
"description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedSubjectTypes" : {
"title" : "Subject Types supported",
"description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>",
"propertyOrder" : 150,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultScopes" : {
"title" : "Default Client Scopes",
"description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"responseTypeClasses" : {
"title" : "Response Type Plugins",
"description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.",
"propertyOrder" : 90,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"tokenEncryptionEnabled" : {
"title" : "Enable Stateless Token Encryption",
"description" : "Whether stateless access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.",
"propertyOrder" : 242,
"required" : true,
"type" : "boolean"
},
"createdTimestampAttribute" : {
"title" : "Created Timestamp Attribute Name",
"description" : "The identity Data Store attribute used to return created timestamp values.",
"propertyOrder" : 350,
"required" : false,
"type" : "string"
},
"supportedScopes" : {
"title" : "Supported Scopes",
"description" : "The set of supported scopes, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>",
"propertyOrder" : 130,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"modifiedTimestampAttribute" : {
"title" : "Modified Timestamp Attribute Name",
"description" : "The identity Data Store attribute used to return modified timestamp values.",
"propertyOrder" : 340,
"required" : false,
"type" : "string"
},
"tokenSigningHmacSharedSecret" : {
"title" : "Token Signing HMAC Shared Secret",
"description" : "Base64-encoded key used by HS256, HS384 and HS512.",
"propertyOrder" : 230,
"required" : true,
"type" : "string",
"format" : "password"
},
"customLoginUrlTemplate" : {
"title" : "Custom Login URL Template",
"description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.",
"propertyOrder" : 60,
"required" : false,
"type" : "string"
},
"moduleMessageEnabledInPasswordGrant" : {
"title" : "Enable Auth Module Messages for Password Credentials Grant",
"description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.",
"propertyOrder" : 440,
"required" : true,
"type" : "boolean"
},
"tokenCompressionEnabled" : {
"title" : "Stateless Token Compression",
"description" : "Whether stateless access and refresh tokens should be compressed.",
"propertyOrder" : 223,
"required" : true,
"type" : "boolean"
},
"codeVerifierEnforced" : {
"title" : "Code Verifier Parameter Required",
"description" : "If enabled, requests using the authorization code grant must include a <code>code_challenge</code> parameter.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-spop-12\">draft specification for this feature</a>, since published as RFC 7636 (PKCE).",
"propertyOrder" : 270,
"required" : true,
"type" : "boolean"
},
"displayNameAttribute" : {
"title" : "User Display Name attribute",
"description" : "The profile attribute that contains the name to be displayed for the user on the consent page.",
"propertyOrder" : 120,
"required" : true,
"type" : "string"
},
"keypairName" : {
"title" : "Token Signing RSA Public/Private Key Pair",
"description" : "The public/private key pair used by RS256.<br><br>The public/private key pair will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 240,
"required" : true,
"type" : "string"
},
"scopeImplementationClass" : {
"title" : "Scope Implementation Class",
"description" : "The class that contains the required scope implementation, must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.",
"propertyOrder" : 70,
"required" : true,
"type" : "string"
},
"tokenSigningECDSAKeyAlias" : {
"title" : "Token Signing ECDSA Public/Private Key Pair Alias",
"description" : "The list of public/private key pairs used for the elliptic curve algorithms (ES256/ES384/ES512). Add an entry to specify an alias for a specific elliptic curve algorithm, for example <code>ES256|es256Alias</code>.<br><br>Each of the public/private key pairs will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 241,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"clientDynamicRegistrationConfig" : {
"type" : "object",
"title" : "Client Dynamic Registration",
"propertyOrder" : 2,
"properties" : {
"dynamicClientRegistrationScope" : {
"title" : "Scope to give access to dynamic client registration",
"description" : "Mandatory scope required when registering a new OAuth2 client.",
"propertyOrder" : 455,
"required" : true,
"type" : "string"
},
"dynamicClientRegistrationSoftwareStatementRequired" : {
"title" : "Require Software Statement for Dynamic Client Registration",
"description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.",
"propertyOrder" : 271,
"required" : true,
"type" : "boolean"
},
"generateRegistrationAccessTokens" : {
"title" : "Generate Registration Access Tokens",
"description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"http://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.",
"propertyOrder" : 290,
"required" : true,
"type" : "boolean"
},
"requiredSoftwareStatementAttestedAttributes" : {
"title" : "Required Software Statement Attested Attributes",
"description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.",
"propertyOrder" : 272,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"allowDynamicRegistration" : {
"title" : "Allow Open Dynamic Client Registration",
"description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.",
"propertyOrder" : 280,
"required" : true,
"type" : "boolean"
}
}
},
"deviceCodeConfig" : {
"type" : "object",
"title" : "Device Flow",
"propertyOrder" : 5,
"properties" : {
"verificationUrl" : {
"title" : "Verification URL",
"description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.",
"propertyOrder" : 370,
"required" : false,
"type" : "string"
},
"completionUrl" : {
"title" : "Device Completion URL",
"description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.",
"propertyOrder" : 380,
"required" : false,
"type" : "string"
},
"deviceCodeLifetime" : {
"title" : "Device Code Lifetime (seconds)",
"description" : "The lifetime of the device code, in seconds.",
"propertyOrder" : 390,
"required" : true,
"type" : "integer"
},
"devicePollInterval" : {
"title" : "Device Polling Interval",
"description" : "The polling frequency for devices waiting for tokens when using the device code flow.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
},
"consent" : {
"type" : "object",
"title" : "Consent",
"propertyOrder" : 6,
"properties" : {
"savedConsentAttribute" : {
"title" : "Saved Consent Attribute Name",
"description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.",
"propertyOrder" : 110,
"required" : false,
"type" : "string"
},
"clientsCanSkipConsent" : {
"title" : "Allow Clients to Skip Consent",
"description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.",
"propertyOrder" : 420,
"required" : true,
"type" : "boolean"
},
"supportedRcsResponseEncryptionAlgorithms" : {
"title" : "Remote Consent Service Response Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
"propertyOrder" : 453,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"remoteConsentServiceId" : {
"title" : "Remote Consent Service ID",
"description" : "The ID of an existing remote consent service agent.",
"propertyOrder" : 448,
"required" : false,
"type" : "string"
},
"supportedRcsRequestEncryptionAlgorithms" : {
"title" : "Remote Consent Service Request Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
"propertyOrder" : 450,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsResponseEncryptionMethods" : {
"title" : "Remote Consent Service Response Encryption Methods Supported",
"description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 454,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRemoteConsent" : {
"title" : "Enable Remote Consent",
"propertyOrder" : 447,
"required" : true,
"type" : "boolean"
},
"supportedRcsRequestEncryptionMethods" : {
"title" : "Remote Consent Service Request Encryption Methods Supported",
"description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 451,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsRequestSigningAlgorithms" : {
"title" : "Remote Consent Service Request Signing Algorithms Supported",
"description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 449,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsResponseSigningAlgorithms" : {
"title" : "Remote Consent Service Response Signing Algorithms Supported",
"description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 452,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"advancedOIDCConfig" : {
"type" : "object",
"title" : "Advanced OpenID Connect",
"propertyOrder" : 4,
"properties" : {
"loaMapping" : {
"title" : "OpenID Connect acr_values to Auth Chain Mapping",
"description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.",
"propertyOrder" : 310,
"required" : false,
"type" : "object"
},
"supportedRequestParameterSigningAlgorithms" : {
"title" : "Request Parameter Signing Algorithms Supported",
"description" : "Algorithms supported to verify signature of Request parameterOpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 442,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authorisedOpenIdConnectSSOClients" : {
"title" : "Authorized OIDC SSO Clients",
"description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.",
"propertyOrder" : 446,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"amrMappings" : {
"title" : "OpenID Connect id_token amr Values to Auth Module Mappings",
"description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.",
"propertyOrder" : 330,
"required" : false,
"type" : "object"
},
"jkwsURI" : {
"title" : "Remote JSON Web Key URL",
"description" : "The Remote URL where the providers JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.",
"propertyOrder" : 140,
"required" : false,
"type" : "string"
},
"idTokenInfoClientAuthenticationEnabled" : {
"title" : "Idtokeninfo Endpoint Requires Client Authentication",
"description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
"propertyOrder" : 225,
"required" : true,
"type" : "boolean"
},
"alwaysAddClaimsToToken" : {
"title" : "Always Return Claims in ID Tokens",
"description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.",
"propertyOrder" : 360,
"required" : true,
"type" : "boolean"
},
"requireRequestUriRegistration" : {
"title" : "Require Pre-registered request_uri Values",
"description" : "When enabled, any <code>request_uri</code> values used must be pre-registered using the <code>request_uris</code> registration parameter.",
"propertyOrder" : 445,
"required" : true,
"type" : "boolean"
},
"storeOpsTokens" : {
"title" : "Store Ops Tokens",
"description" : "Whether OpenAM will store the <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store. Note that session management related endpoints will not work when this setting is disabled.",
"propertyOrder" : 410,
"required" : true,
"type" : "boolean"
},
"supportedRequestParameterEncryptionEnc" : {
"title" : "Request Parameter Encryption Methods Supported",
"description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 444,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"claimsParameterSupported" : {
"title" : "Enable \"claims_parameter_supported\"",
"description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.",
"propertyOrder" : 250,
"required" : true,
"type" : "boolean"
},
"supportedRequestParameterEncryptionAlgorithms" : {
"title" : "Request Parameter Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
"propertyOrder" : 443,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultACR" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 320,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"coreOAuth2Config" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time an access token is valid for, in seconds.",
"propertyOrder" : 30,
"required" : true,
"type" : "integer"
},
"issueRefreshTokenOnRefreshedToken" : {
"title" : "Issue Refresh Tokens on Refreshing Access Tokens",
"description" : "Whether to issue a refresh token when refreshing an access token.",
"propertyOrder" : 50,
"required" : true,
"type" : "boolean"
},
"issueRefreshToken" : {
"title" : "Issue Refresh Tokens",
"description" : "Whether to issue a refresh token when returning an access token.",
"propertyOrder" : 40,
"required" : true,
"type" : "boolean"
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the token will never expire.",
"propertyOrder" : 20,
"required" : true,
"type" : "integer"
},
"usePolicyEngineForScope" : {
"title" : "Use Policy Engine for Scope decisions",
"description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.",
"propertyOrder" : 55,
"required" : true,
"type" : "boolean"
},
"statelessTokensEnabled" : {
"title" : "Use Stateless Access & Refresh Tokens",
"description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.",
"propertyOrder" : 3,
"required" : true,
"type" : "boolean"
},
"codeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time an authorization code is valid for, in seconds.",
"propertyOrder" : 10,
"required" : true,
"type" : "integer"
}
}
},
"coreOIDCConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 3,
"properties" : {
"tokenEncryptionSigningKeyAlias" : {
"title" : "Token Encryption RSA Public/Private Key Pair Alias",
"description" : "The list of public/private key pairs used for the RSA algorithms (RSA1_5/RSA-OAEP/RSA-OAEP-256). Add an entry to specify an alias for a specific RSA algorithm, for example <code>RSA1_5|rsa1_5Alias</code>.<br><br>Each of the public/private key pairs will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 441,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedIDTokenEncryptionMethods" : {
"title" : "ID Token Encryption Methods supported",
"description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 180,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedClaims" : {
"title" : "Supported Claims",
"description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.",
"propertyOrder" : 190,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The amount of time the JWT will be valid for, in seconds.",
"propertyOrder" : 210,
"required" : true,
"type" : "integer"
},
"oidcClaimsScript" : {
"title" : "OIDC Claims Script",
"description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.",
"propertyOrder" : 80,
"required" : true,
"type" : "string"
},
"supportedIDTokenSigningAlgorithms" : {
"title" : "ID Token Signing Algorithms supported",
"description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 160,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedIDTokenEncryptionAlgorithms" : {
"title" : "ID Token Encryption Algorithms supported",
"description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
"propertyOrder" : 170,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
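The "Use Policy Engine for Scope decisions" setting in the Core section above describes a three-way outcome per scope (GRANT=true, GRANT=false, or no decision) that then depends on whether the grant type is user-facing. The following is an added example, not OpenAM code, that implements that decision table so the resulting token scopes and consent prompts can be traced; the policy engine is stood in for by a constructed dict of sample policies, and the grant-type classification is the one the description gives.

```python
"""Scope resolution when "Use Policy Engine for Scope decisions" is enabled.

Added example, not OpenAM code. The policy engine is stood in for by a dict of
constructed sample policies mapping a scope to the value its policy returns for
the GRANT action (None means no policy returns a value for GRANT). The
grant-type split follows the setting's description: authorization code and
device code are user-facing; password and client credentials are not.
"""
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

USER_FACING_GRANTS = frozenset({
    "authorization_code",
    "urn:ietf:params:oauth:grant-type:device_code",
})
NON_USER_FACING_GRANTS = frozenset({"password", "client_credentials"})

# Constructed sample policies (not real OpenAM policy data).
SAMPLE_POLICIES: Dict[str, Optional[bool]] = {
    "openid": True,    # a policy returns GRANT=true
    "profile": True,
    "admin": False,    # a policy returns GRANT=false
    # "email" deliberately absent: no policy returns a GRANT value
}


def policy_grant(scope: str, policies: Dict[str, Optional[bool]]) -> Optional[bool]:
    """Ask the (stubbed) policy engine for the GRANT action on one scope."""
    return policies.get(scope)


def resolve_scopes(
    requested: Iterable[str],
    grant_type: str,
    saved_consent: FrozenSet[str] = frozenset(),
    policies: Dict[str, Optional[bool]] = SAMPLE_POLICIES,
) -> Tuple[List[str], List[str]]:
    """Return (scopes to include in the token, scopes to put to the user).

    GRANT=true  -> included, user never asked.
    GRANT=false -> dropped, user never sees it.
    no decision -> user-facing grant: saved consent is used, otherwise ask;
                   non-user-facing grant: dropped.
    """
    if grant_type in USER_FACING_GRANTS:
        user_facing = True
    elif grant_type in NON_USER_FACING_GRANTS:
        user_facing = False
    else:
        raise ValueError(f"unknown grant type: {grant_type}")

    granted: List[str] = []
    to_ask: List[str] = []
    for scope in requested:
        decision = policy_grant(scope, policies)
        if decision is True:
            granted.append(scope)
        elif decision is False:
            continue                      # denied by policy, never shown
        elif user_facing:
            if scope in saved_consent:
                granted.append(scope)     # savedConsentAttribute hit
            else:
                to_ask.append(scope)      # goes on the consent page
        # non-user-facing grant with no policy decision: silently dropped
    return granted, to_ask


if __name__ == "__main__":
    req = ["openid", "profile", "email", "admin"]
    print(resolve_scopes(req, "authorization_code"))
    print(resolve_scopes(req, "authorization_code", frozenset({"email"})))
    print(resolve_scopes(req, "client_credentials"))
```

Note that saved consent only matters on the user-facing path: for a password or client credentials grant an undecided scope is dropped even if the resource owner previously consented to it through a browser flow.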
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
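The Update schema that follows includes the codeVerifierEnforced setting ("Code Verifier Parameter Required"), which makes the PKCE code_challenge mandatory on authorization code requests. The following is an added example, not OpenAM code, of the client-side challenge derivation and the server-side checks that setting implies: the AuthorizationServer class is a constructed in-memory stand-in that models only the PKCE-relevant parts of the grant, and client-a is a made-up client ID.

```python
"""PKCE (RFC 7636) code_challenge / code_verifier handling.

Added example, not OpenAM code. AuthorizationServer is a constructed stand-in
for the /oauth2/authorize and /oauth2/access_token checks; enforce_pkce plays
the role of the codeVerifierEnforced setting.
"""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional

# RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes give a 43-character verifier."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: derive the challenge sent on the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


class AuthorizationServer:
    """Minimal stand-in for the PKCE checks on the authorize and token endpoints."""

    def __init__(self, enforce_pkce: bool = True, allow_plain: bool = False):
        self.enforce_pkce = enforce_pkce      # codeVerifierEnforced
        self.allow_plain = allow_plain        # "plain" leaks the verifier; off by default
        self._codes: Dict[str, dict] = {}     # code -> binding of client and challenge

    def authorize(self, client_id: str, code_challenge: Optional[str] = None,
                  code_challenge_method: str = "plain") -> str:
        """Issue an authorization code bound to the presented challenge."""
        if code_challenge is None:
            if self.enforce_pkce:
                raise ValueError("invalid_request: code_challenge required")
        else:
            if code_challenge_method not in ("S256", "plain"):
                raise ValueError("invalid_request: unsupported code_challenge_method")
            if code_challenge_method == "plain" and not self.allow_plain:
                raise ValueError("invalid_request: code_challenge_method must be S256")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge,
                             "method": code_challenge_method}
        return code

    def token(self, client_id: str, code: str, code_verifier: Optional[str] = None) -> str:
        """Exchange the code; the verifier must hash to the bound challenge."""
        entry = self._codes.pop(code, None)   # single use: a replay finds nothing
        if entry is None or entry["client_id"] != client_id:
            raise ValueError("invalid_grant")
        if entry["challenge"] is None:
            # Only reachable when PKCE is not enforced and the client sent none.
            return b64url(secrets.token_bytes(24))
        if code_verifier is None or not VERIFIER_RE.match(code_verifier):
            raise ValueError("invalid_grant: malformed code_verifier")
        expected = make_code_challenge(code_verifier, entry["method"])
        if not hmac.compare_digest(expected, entry["challenge"]):
            raise ValueError("invalid_grant: code_verifier mismatch")
        return b64url(secrets.token_bytes(24))


def run_flow(server: AuthorizationServer, verifier: str, presented: str) -> bool:
    """One full round trip; True if the token endpoint accepts `presented`."""
    code = server.authorize("client-a", make_code_challenge(verifier), "S256")
    try:
        server.token("client-a", code, presented)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    v = make_code_verifier()
    print("honest client accepted:", run_flow(AuthorizationServer(), v, v))
    print("stolen code, wrong verifier:", run_flow(AuthorizationServer(), v, make_code_verifier()))
```

The point of the enforced setting is visible in `authorize`: with it on, a code can never be issued unbound, so an intercepted code is useless without the verifier that only the originating client holds. The known-answer pair in the test is the one RFC 7636 gives in its appendix.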
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"blacklistCacheSize" : {
"title" : "Token Blacklist Cache Size",
"description" : "Number of blacklisted tokens to cache in memory to speed up blacklist checks and reduce load on the CTS.",
"propertyOrder" : 0,
"required" : true,
"type" : "integer"
},
"statelessGrantTokenUpgradeCompatibilityMode" : {
"title" : "Stateless Grant Token Upgrade Compatibility Mode",
"description" : "Enable OpenAM to consume and create stateless OAuth 2.0 tokens in two different formats simultaneously.<br><br>Enable this option when upgrading OpenAM to allow the new instance to create and consume stateless OAuth 2.0 tokens in both the previous format, and the new format. Disable this option once all OpenAM instances in the cluster have been upgraded.",
"propertyOrder" : 5,
"required" : true,
"type" : "boolean"
},
"blacklistPurgeDelay" : {
"title" : "Blacklist Purge Delay (minutes)",
"description" : "Length of time to blacklist tokens beyond their expiry time.<br><br>Allows additional time to account for clock skew to ensure that a token has expired before it is removed from the blacklist.",
"propertyOrder" : 2,
"required" : true,
"type" : "integer"
},
"blacklistPollInterval" : {
"title" : "Blacklist Poll Interval (seconds)",
"description" : "How frequently to poll for token blacklist changes from other servers, in seconds.<br><br>How often each server will poll the CTS for token blacklist changes from other servers. This is used to maintain a highly compressed view of the overall current token blacklist improving performance. A lower number will reduce the delay for blacklisted tokens to propagate to all servers at the cost of increased CTS load. Set to 0 to disable this feature completely.",
"propertyOrder" : 1,
"required" : true,
"type" : "integer"
},
"agentIdTokenSigningKeyAlias" : {
"title" : "ID Token Signing Key Alias for Agent Clients",
"description" : "The alias for the RSA key that should be used signing ID tokens for Agent OAuth2 Clients",
"propertyOrder" : 4,
"required" : true,
"type" : "string"
},
"idTokenAuthenticitySecret" : {
"title" : "Authenticity Secret",
"description" : "A secret to use when signing data that will be sent back to AM so that authenticity can be assured when they are presented back to OpenAM.",
"propertyOrder" : 3,
"required" : true,
"type" : "string",
"format" : "password"
},
"defaults" : {
"properties" : {
"advancedOAuth2Config" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"tokenSigningAlgorithm" : {
"title" : "OAuth2 Token Signing Algorithm",
"description" : "Algorithm used to sign stateless OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 220,
"required" : true,
"type" : "string"
},
"tokenEncryptionKeyAlias" : {
"title" : "Token Encryption Secret Key Alias",
"description" : "The secret key used for encryption.<br><br>The secret key will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 243,
"required" : false,
"type" : "string"
},
"hashSalt" : {
"title" : "Subject Identifier Hash Salt",
"description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.",
"propertyOrder" : 260,
"required" : false,
"type" : "string",
"exampleValue" : "changeme"
},
"authenticationAttributes" : {
"title" : "User Profile Attribute(s) the Resource Owner is Authenticated On",
"description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedSubjectTypes" : {
"title" : "Subject Types supported",
"description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>",
"propertyOrder" : 150,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultScopes" : {
"title" : "Default Client Scopes",
"description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"responseTypeClasses" : {
"title" : "Response Type Plugins",
"description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.",
"propertyOrder" : 90,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"tokenEncryptionEnabled" : {
"title" : "Enable Stateless Token Encryption",
"description" : "Whether stateless access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.",
"propertyOrder" : 242,
"required" : true,
"type" : "boolean"
},
"createdTimestampAttribute" : {
"title" : "Created Timestamp Attribute Name",
"description" : "The identity Data Store attribute used to return created timestamp values.",
"propertyOrder" : 350,
"required" : false,
"type" : "string"
},
"supportedScopes" : {
"title" : "Supported Scopes",
"description" : "The set of supported scopes, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>",
"propertyOrder" : 130,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"modifiedTimestampAttribute" : {
"title" : "Modified Timestamp Attribute Name",
"description" : "The identity Data Store attribute used to return modified timestamp values.",
"propertyOrder" : 340,
"required" : false,
"type" : "string"
},
"tokenSigningHmacSharedSecret" : {
"title" : "Token Signing HMAC Shared Secret",
"description" : "Base64-encoded key used by HS256, HS384 and HS512.",
"propertyOrder" : 230,
"required" : true,
"type" : "string",
"format" : "password"
},
"customLoginUrlTemplate" : {
"title" : "Custom Login URL Template",
"description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.",
"propertyOrder" : 60,
"required" : false,
"type" : "string"
},
"moduleMessageEnabledInPasswordGrant" : {
"title" : "Enable Auth Module Messages for Password Credentials Grant",
"description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.",
"propertyOrder" : 440,
"required" : true,
"type" : "boolean"
},
"tokenCompressionEnabled" : {
"title" : "Stateless Token Compression",
"description" : "Whether stateless access and refresh tokens should be compressed.",
"propertyOrder" : 223,
"required" : true,
"type" : "boolean"
},
"codeVerifierEnforced" : {
"title" : "Code Verifier Parameter Required",
"description" : "If enabled, requests using the authorization code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-spop-12\">draft specification for this feature</a>.",
"propertyOrder" : 270,
"required" : true,
"type" : "boolean"
},
"displayNameAttribute" : {
"title" : "User Display Name attribute",
"description" : "The profile attribute that contains the name to be displayed for the user on the consent page.",
"propertyOrder" : 120,
"required" : true,
"type" : "string"
},
"keypairName" : {
"title" : "Token Signing RSA Public/Private Key Pair",
"description" : "The public/private key pair used by RS256.<br><br>The public/private key pair will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 240,
"required" : true,
"type" : "string"
},
"scopeImplementationClass" : {
"title" : "Scope Implementation Class",
"description" : "The class that contains the required scope implementation, must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.",
"propertyOrder" : 70,
"required" : true,
"type" : "string"
},
"tokenSigningECDSAKeyAlias" : {
"title" : "Token Signing ECDSA Public/Private Key Pair Alias",
"description" : "The list of public/private key pairs used for the elliptic curve algorithms (ES256/ES384/ES512). Add an entry to specify an alias for a specific elliptic curve algorithm, for example <code>ES256|es256Alias</code>.<br><br>Each of the public/private key pairs will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 241,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"clientDynamicRegistrationConfig" : {
"type" : "object",
"title" : "Client Dynamic Registration",
"propertyOrder" : 2,
"properties" : {
"dynamicClientRegistrationScope" : {
"title" : "Scope to give access to dynamic client registration",
"description" : "Mandatory scope required when registering a new OAuth2 client.",
"propertyOrder" : 455,
"required" : true,
"type" : "string"
},
"dynamicClientRegistrationSoftwareStatementRequired" : {
"title" : "Require Software Statement for Dynamic Client Registration",
"description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.",
"propertyOrder" : 271,
"required" : true,
"type" : "boolean"
},
"generateRegistrationAccessTokens" : {
"title" : "Generate Registration Access Tokens",
"description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"http://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.",
"propertyOrder" : 290,
"required" : true,
"type" : "boolean"
},
"requiredSoftwareStatementAttestedAttributes" : {
"title" : "Required Software Statement Attested Attributes",
"description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.",
"propertyOrder" : 272,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"allowDynamicRegistration" : {
"title" : "Allow Open Dynamic Client Registration",
"description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.",
"propertyOrder" : 280,
"required" : true,
"type" : "boolean"
}
}
},
"deviceCodeConfig" : {
"type" : "object",
"title" : "Device Flow",
"propertyOrder" : 5,
"properties" : {
"verificationUrl" : {
"title" : "Verification URL",
"description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.",
"propertyOrder" : 370,
"required" : false,
"type" : "string"
},
"completionUrl" : {
"title" : "Device Completion URL",
"description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.",
"propertyOrder" : 380,
"required" : false,
"type" : "string"
},
"deviceCodeLifetime" : {
"title" : "Device Code Lifetime (seconds)",
"description" : "The lifetime of the device code, in seconds.",
"propertyOrder" : 390,
"required" : true,
"type" : "integer"
},
"devicePollInterval" : {
"title" : "Device Polling Interval",
"description" : "The polling frequency for devices waiting for tokens when using the device code flow.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
},
"consent" : {
"type" : "object",
"title" : "Consent",
"propertyOrder" : 6,
"properties" : {
"savedConsentAttribute" : {
"title" : "Saved Consent Attribute Name",
"description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.",
"propertyOrder" : 110,
"required" : false,
"type" : "string"
},
"clientsCanSkipConsent" : {
"title" : "Allow Clients to Skip Consent",
"description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.",
"propertyOrder" : 420,
"required" : true,
"type" : "boolean"
},
"supportedRcsResponseEncryptionAlgorithms" : {
"title" : "Remote Consent Service Response Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
"propertyOrder" : 453,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"remoteConsentServiceId" : {
"title" : "Remote Consent Service ID",
"description" : "The ID of an existing remote consent service agent.",
"propertyOrder" : 448,
"required" : false,
"type" : "string"
},
"supportedRcsRequestEncryptionAlgorithms" : {
"title" : "Remote Consent Service Request Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
"propertyOrder" : 450,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsResponseEncryptionMethods" : {
"title" : "Remote Consent Service Response Encryption Methods Supported",
"description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 454,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRemoteConsent" : {
"title" : "Enable Remote Consent",
"propertyOrder" : 447,
"required" : true,
"type" : "boolean"
},
"supportedRcsRequestEncryptionMethods" : {
"title" : "Remote Consent Service Request Encryption Methods Supported",
"description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 451,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsRequestSigningAlgorithms" : {
"title" : "Remote Consent Service Request Signing Algorithms Supported",
"description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 449,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsResponseSigningAlgorithms" : {
"title" : "Remote Consent Service Response Signing Algorithms Supported",
"description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 452,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"advancedOIDCConfig" : {
"type" : "object",
"title" : "Advanced OpenID Connect",
"propertyOrder" : 4,
"properties" : {
"loaMapping" : {
"title" : "OpenID Connect acr_values to Auth Chain Mapping",
"description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.",
"propertyOrder" : 310,
"required" : false,
"type" : "object"
},
"supportedRequestParameterSigningAlgorithms" : {
"title" : "Request Parameter Signing Algorithms Supported",
"description" : "Algorithms supported to verify the signature of the Request parameter.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 442,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authorisedOpenIdConnectSSOClients" : {
"title" : "Authorized OIDC SSO Clients",
"description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.",
"propertyOrder" : 446,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"amrMappings" : {
"title" : "OpenID Connect id_token amr Values to Auth Module Mappings",
"description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.",
"propertyOrder" : 330,
"required" : false,
"type" : "object"
},
"jkwsURI" : {
"title" : "Remote JSON Web Key URL",
"description" : "The remote URL where the provider's JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.",
"propertyOrder" : 140,
"required" : false,
"type" : "string"
},
"idTokenInfoClientAuthenticationEnabled" : {
"title" : "Idtokeninfo Endpoint Requires Client Authentication",
"description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
"propertyOrder" : 225,
"required" : true,
"type" : "boolean"
},
"alwaysAddClaimsToToken" : {
"title" : "Always Return Claims in ID Tokens",
"description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.",
"propertyOrder" : 360,
"required" : true,
"type" : "boolean"
},
"requireRequestUriRegistration" : {
"title" : "Require Pre-registered request_uri Values",
"description" : "When enabled, any <code>request_uri</code> values used must be pre-registered using the <code>request_uris</code> registration parameter.",
"propertyOrder" : 445,
"required" : true,
"type" : "boolean"
},
"storeOpsTokens" : {
"title" : "Store Ops Tokens",
"description" : "Whether OpenAM will store the <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store. Note that session management related endpoints will not work when this setting is disabled.",
"propertyOrder" : 410,
"required" : true,
"type" : "boolean"
},
"supportedRequestParameterEncryptionEnc" : {
"title" : "Request Parameter Encryption Methods Supported",
"description" : "Encryption methods supported to decrypt the Request parameter.<br><br>OpenAM supports the following Request parameter encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 444,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"claimsParameterSupported" : {
"title" : "Enable \"claims_parameter_supported\"",
"description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.",
"propertyOrder" : 250,
"required" : true,
"type" : "boolean"
},
"supportedRequestParameterEncryptionAlgorithms" : {
"title" : "Request Parameter Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to decrypt the Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
"propertyOrder" : 443,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultACR" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 320,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"coreOAuth2Config" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time an access token is valid for, in seconds.",
"propertyOrder" : 30,
"required" : true,
"type" : "integer"
},
"issueRefreshTokenOnRefreshedToken" : {
"title" : "Issue Refresh Tokens on Refreshing Access Tokens",
"description" : "Whether to issue a refresh token when refreshing an access token.",
"propertyOrder" : 50,
"required" : true,
"type" : "boolean"
},
"issueRefreshToken" : {
"title" : "Issue Refresh Tokens",
"description" : "Whether to issue a refresh token when returning an access token.",
"propertyOrder" : 40,
"required" : true,
"type" : "boolean"
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the token will never expire.",
"propertyOrder" : 20,
"required" : true,
"type" : "integer"
},
"usePolicyEngineForScope" : {
"title" : "Use Policy Engine for Scope decisions",
"description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.",
"propertyOrder" : 55,
"required" : true,
"type" : "boolean"
},
"statelessTokensEnabled" : {
"title" : "Use Stateless Access & Refresh Tokens",
"description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.",
"propertyOrder" : 3,
"required" : true,
"type" : "boolean"
},
"codeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time an authorization code is valid for, in seconds.",
"propertyOrder" : 10,
"required" : true,
"type" : "integer"
}
}
},
"coreOIDCConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 3,
"properties" : {
"tokenEncryptionSigningKeyAlias" : {
"title" : "Token Encryption RSA Public/Private Key Pair Alias",
"description" : "The list of public/private key pairs used for the RSA algorithms (RSA1_5/RSA-OAEP/RSA-OAEP-256). Add an entry to specify an alias for a specific RSA algorithm, for example <code>RSA1_5|rsa1_5Alias</code>.<br><br>Each of the public/private key pairs will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 441,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedIDTokenEncryptionMethods" : {
"title" : "ID Token Encryption Methods supported",
"description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide their contents.<br><br>OpenAM supports the following ID token encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 180,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedClaims" : {
"title" : "Supported Claims",
"description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.",
"propertyOrder" : 190,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The amount of time the JWT will be valid for, in seconds.",
"propertyOrder" : 210,
"required" : true,
"type" : "integer"
},
"oidcClaimsScript" : {
"title" : "OIDC Claims Script",
"description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.",
"propertyOrder" : 80,
"required" : true,
"type" : "string"
},
"supportedIDTokenSigningAlgorithms" : {
"title" : "ID Token Signing Algorithms supported",
"description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 160,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedIDTokenEncryptionAlgorithms" : {
"title" : "ID Token Encryption Algorithms supported",
"description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide their contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
"propertyOrder" : 170,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/platform
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"cookieDomains" : {
"title" : "Cookie Domains",
"description" : "Set the list of domains into which OpenAM writes cookies.<br><br>If you set multiple cookie domains, OpenAM still only sets the cookie in the domain the client uses to access OpenAM. If this property is left blank, then the fully qualified domain name of the server is used to set the cookie domain, meaning that a host cookie rather than a domain cookie is set.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"locale" : {
"title" : "Platform Locale",
"description" : "Set the fallback locale used when the user locale cannot be determined.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"cookieDomains" : {
"title" : "Cookie Domains",
"description" : "Set the list of domains into which OpenAM writes cookies.<br><br>If you set multiple cookie domains, OpenAM still only sets the cookie in the domain the client uses to access OpenAM. If this property is left blank, then the fully qualified domain name of the server is used to set the cookie domain, meaning that a host cookie rather than a domain cookie is set.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"locale" : {
"title" : "Platform Locale",
"description" : "Set the fallback locale used when the user locale cannot be determined.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/policyconfiguration
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"resourceComparators" : {
"title" : "Resource Comparator",
"description" : "OpenAM uses resource comparators to match resources specified in policy rules. When setting comparators on the command line, separate fields with <code>|</code> characters.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"continueEvaluationOnDeny" : {
"title" : "Continue Evaluation on Deny Decision",
"description" : "If no, then OpenAM stops evaluating policy as soon as it reaches a deny decision.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"realmAliasReferrals" : {
"title" : "Realm Alias Referrals",
"description" : "If yes, then OpenAM allows creation of policies for HTTP and HTTPS resources whose FQDN matches the DNS alias for the realm even when no referral policy exists.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"defaults" : {
"properties" : {
"usersBaseDn" : {
"title" : "LDAP Users Base DN",
"description" : "Base DN for LDAP Users subject searches.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"maximumSearchResults" : {
"title" : "Maximum Results Returned from Search",
"description" : "Search limit for LDAP searches.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
},
"usersSearchAttribute" : {
"title" : "LDAP Users Search Attribute",
"description" : "Naming attribute for user entries.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"userAliasEnabled" : {
"title" : "User Alias",
"description" : "If enabled, OpenAM can evaluate policy for remote users aliased to local users.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"bindPassword" : {
"title" : "LDAP Bind Password",
"description" : "Bind password to connect to the directory server for policy information.",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"format" : "password"
},
"usersSearchFilter" : {
"title" : "LDAP Users Search Filter",
"description" : "Search filter to match user entries.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"searchTimeout" : {
"title" : "Search Timeout",
"description" : "Time after which OpenAM returns an error for an incomplete search, in seconds.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"bindDn" : {
"title" : "LDAP Bind DN",
"description" : "Bind DN to connect to the directory server for policy information.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"connectionPoolMinimumSize" : {
"title" : "LDAP Connection Pool Minimum Size",
"description" : "Minimum number of connections in the pool.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"policyHeartbeatTimeUnit" : {
"title" : "Heartbeat Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1850,
"required" : true,
"type" : "string"
},
"ldapServer" : {
"title" : "Primary LDAP Server",
"description" : "Configuration directory server host:port that OpenAM searches for policy information.<p><p>Format: <code>local OpenAM server name | hostname:port</code><p><p>Multiple entries must be prefixed by local server name. Make sure to place the multiple entries on a single line and separate the hostname:port URLs with a space. <p><p>For example, openam.example.com|opendj.example.com:1389 opendj.example.com:2389",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sslEnabled" : {
"title" : "LDAP SSL/TLS",
"description" : "If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"policyHeartbeatInterval" : {
"title" : "Heartbeat Interval",
"description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1840,
"required" : true,
"type" : "integer"
},
"subjectsResultTTL" : {
"title" : "Subjects Result Time to Live",
"description" : "Maximum time that OpenAM caches a subject result for evaluating policy requests, in minutes. A value of <code>0</code> prevents OpenAM from caching subject evaluations for policy decisions.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"realmSearchFilter" : {
"title" : "LDAP Organization Search Filter",
"description" : "Search filter to match organization entries.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"usersSearchScope" : {
"title" : "LDAP Users Search Scope",
"description" : "Search scope to find user entries.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"connectionPoolMaximumSize" : {
"title" : "LDAP Connection Pool Maximum Size",
"description" : "Maximum number of connections in the pool.",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"resourceComparators" : {
"title" : "Resource Comparator",
"description" : "OpenAM uses resource comparators to match resources specified in policy rules. When setting comparators on the command line, separate fields with <code>|</code> characters.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"continueEvaluationOnDeny" : {
"title" : "Continue Evaluation on Deny Decision",
"description" : "If no, then OpenAM stops evaluating policy as soon as it reaches a deny decision.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"realmAliasReferrals" : {
"title" : "Realm Alias Referrals",
"description" : "If yes, then OpenAM allows creation of policies for HTTP and HTTPS resources whose FQDN matches the DNS alias for the realm even when no referral policy exists.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"defaults" : {
"properties" : {
"usersBaseDn" : {
"title" : "LDAP Users Base DN",
"description" : "Base DN for LDAP Users subject searches.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"maximumSearchResults" : {
"title" : "Maximum Results Returned from Search",
"description" : "Search limit for LDAP searches.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
},
"usersSearchAttribute" : {
"title" : "LDAP Users Search Attribute",
"description" : "Naming attribute for user entries.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"userAliasEnabled" : {
"title" : "User Alias",
"description" : "If enabled, OpenAM can evaluate policy for remote users aliased to local users.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"bindPassword" : {
"title" : "LDAP Bind Password",
"description" : "Bind password to connect to the directory server for policy information.",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"format" : "password"
},
"usersSearchFilter" : {
"title" : "LDAP Users Search Filter",
"description" : "Search filter to match user entries.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"searchTimeout" : {
"title" : "Search Timeout",
"description" : "Time after which OpenAM returns an error for an incomplete search, in seconds.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"bindDn" : {
"title" : "LDAP Bind DN",
"description" : "Bind DN to connect to the directory server for policy information.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"connectionPoolMinimumSize" : {
"title" : "LDAP Connection Pool Minimum Size",
"description" : "Minimum number of connections in the pool.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"policyHeartbeatTimeUnit" : {
"title" : "Heartbeat Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1850,
"required" : true,
"type" : "string"
},
"ldapServer" : {
"title" : "Primary LDAP Server",
"description" : "Configuration directory server host:port that OpenAM searches for policy information.<p><p>Format: <code>local OpenAM server name | hostname:port</code><p><p>Multiple entries must be prefixed by local server name. Make sure to place the multiple entries on a single line and separate the hostname:port URLs with a space. <p><p>For example, openam.example.com|opendj.example.com:1389 opendj.example.com:2389",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sslEnabled" : {
"title" : "LDAP SSL/TLS",
"description" : "If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"policyHeartbeatInterval" : {
"title" : "Heartbeat Interval",
"description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1840,
"required" : true,
"type" : "integer"
},
"subjectsResultTTL" : {
"title" : "Subjects Result Time to Live",
"description" : "Maximum time that OpenAM caches a subject result for evaluating policy requests, in minutes. A value of <code>0</code> prevents OpenAM from caching subject evaluations for policy decisions.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"realmSearchFilter" : {
"title" : "LDAP Organization Search Filter",
"description" : "Search filter to match organization entries.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"usersSearchScope" : {
"title" : "LDAP Users Search Scope",
"description" : "Search scope to find user entries.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"connectionPoolMaximumSize" : {
"title" : "LDAP Connection Pool Maximum Size",
"description" : "Maximum number of connections in the pool.",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/pushNotification
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"googleEndpoint" : {
"title" : "SNS Endpoint for GCM",
"description" : "The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages over Google Cloud Messaging (GCM).",
"propertyOrder" : 400,
"required" : true,
"type" : "string",
"exampleValue" : "arn:aws:sns:us-east-1:1234567890:app/GCM/production"
},
"mdConcurrency" : {
"title" : "Response Cache Concurrency",
"description" : "Level of concurrency to use when accessing the message dispatcher cache. Defaults to <code>16</code>, and must be greater than <code>0</code>. Choose a value to accommodate as many threads as will ever concurrently access the message dispatcher cache.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"appleEndpoint" : {
"title" : "SNS Endpoint for APNS",
"description" : "The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages to the Apple Push Notification Service (APNS).",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"exampleValue" : "arn:aws:sns:us-east-1:1234567890:app/APNS/production"
},
"secret" : {
"title" : "SNS Access Key Secret",
"description" : "Amazon Simple Notification Service Access Key Secret. For more information, see <a href=\"https://aws.amazon.com/developers/access-keys/\">https://aws.amazon.com/developers/access-keys/</a>.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
},
"delegateFactory" : {
"title" : "Message Transport Delegate Factory",
"description" : "The fully qualified class name of the factory responsible for creating the PushNotificationDelegate. The class must implement <code>org.forgerock.openam.services.push.PushNotificationDelegate</code>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"mdDuration" : {
"title" : "Response Cache Duration",
"description" : "The minimum lifetime to keep unanswered message records in the message dispatcher cache, in seconds. To keep unanswered message records indefinitely, set this property to <code>0</code>. Should be tuned so that it is applicable to the use case of this service. For example, the ForgeRock Authenticator (Push) authentication module has a default timeout of 120 seconds.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"region" : {
"title" : "SNS Client Region",
"description" : "Region of your registered Amazon Simple Notification Service client. For more information, see <a href=\"https://docs.aws.amazon.com/general/latest/gr/rande.html\">https://docs.aws.amazon.com/general/latest/gr/rande.html</a>.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"mdCacheSize" : {
"title" : "Response Cache Size",
"description" : "Maximum size of the message dispatcher cache, in number of records. If set to <code>0</code> the cache can grow indefinitely. If the number of records that need to be stored exceeds this maximum, then older items in the cache will be removed to make space.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"accessKey" : {
"title" : "SNS Access Key ID",
"description" : "Amazon Simple Notification Service Access Key ID. For more information, see <a href=\"https://aws.amazon.com/developers/access-keys/\">https://aws.amazon.com/developers/access-keys/</a>.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "AKIAIOSFODNN7EXAMPLE"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"googleEndpoint" : {
"title" : "SNS Endpoint for GCM",
"description" : "The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages over Google Cloud Messaging (GCM).",
"propertyOrder" : 400,
"required" : true,
"type" : "string",
"exampleValue" : "arn:aws:sns:us-east-1:1234567890:app/GCM/production"
},
"mdConcurrency" : {
"title" : "Response Cache Concurrency",
"description" : "Level of concurrency to use when accessing the message dispatcher cache. Defaults to <code>16</code>, and must be greater than <code>0</code>. Choose a value to accommodate as many threads as will ever concurrently access the message dispatcher cache.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"appleEndpoint" : {
"title" : "SNS Endpoint for APNS",
"description" : "The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages to the Apple Push Notification Service (APNS).",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"exampleValue" : "arn:aws:sns:us-east-1:1234567890:app/APNS/production"
},
"secret" : {
"title" : "SNS Access Key Secret",
"description" : "Amazon Simple Notification Service Access Key Secret. For more information, see <a href=\"https://aws.amazon.com/developers/access-keys/\">https://aws.amazon.com/developers/access-keys/</a>.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
},
"delegateFactory" : {
"title" : "Message Transport Delegate Factory",
"description" : "The fully qualified class name of the factory responsible for creating the PushNotificationDelegate. The class must implement <code>org.forgerock.openam.services.push.PushNotificationDelegate</code>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"mdDuration" : {
"title" : "Response Cache Duration",
"description" : "The minimum lifetime to keep unanswered message records in the message dispatcher cache, in seconds. To keep unanswered message records indefinitely, set this property to <code>0</code>. Should be tuned so that it is applicable to the use case of this service. For example, the ForgeRock Authenticator (Push) authentication module has a default timeout of 120 seconds.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"region" : {
"title" : "SNS Client Region",
"description" : "Region of your registered Amazon Simple Notification Service client. For more information, see <a href=\"https://docs.aws.amazon.com/general/latest/gr/rande.html\">https://docs.aws.amazon.com/general/latest/gr/rande.html</a>.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"mdCacheSize" : {
"title" : "Response Cache Size",
"description" : "Maximum size of the message dispatcher cache, in number of records. If set to <code>0</code> the cache can grow indefinitely. If the number of records that need to be stored exceeds this maximum, then older items in the cache will be removed to make space.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"accessKey" : {
"title" : "SNS Access Key ID",
"description" : "Amazon Simple Notification Service Access Key ID. For more information, see <a href=\"https://aws.amazon.com/developers/access-keys/\">https://aws.amazon.com/developers/access-keys/</a>.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "AKIAIOSFODNN7EXAMPLE"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/rest
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"warningHeader" : {
"title" : "Warning Header",
"description" : "Whether to include a warning header in the response to a request which fails to include the <code>Accept-API-Version</code> header.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"defaultVersion" : {
"title" : "Default Resource Version",
"description" : "The API resource version to use when the REST request does not specify an explicit version. Choose from:<br><br><ul><li><code>Latest</code>. If an explicit version is not specified, the latest resource version of an API is used.</li><li><code>Oldest</code>. If an explicit version is not specified, the oldest supported resource version of an API is used. Note that since APIs may be deprecated and fall out of support, the oldest <i>supported</i> version may not be the first version.</li><li><code>None</code>. If an explicit version is not specified, the request will not be handled and an error status is returned.</li></ul>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"csrfFilterEnabled" : {
"title" : "Enable CSRF Protection",
"description" : "If enabled, all non-read/query requests will require the X-Requested-With header to be present.<br><br>Requiring a non-standard header ensures requests can only be made via methods (XHR) that have stricter same-origin policy protections in Web browsers, preventing Cross-Site Request Forgery (CSRF) attacks. Without this filter, cross-origin requests are prevented by the use of the application/json Content-Type header, which is less robust.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"defaultProtocolVersion" : {
"title" : "Default Protocol Version",
"description" : "The API protocol version to use when a REST request does not specify an explicit version. Choose from:<br><br><ul><li><code>Oldest</code>. If an explicit version is not specified, the oldest protocol version is used.</li><li><code>Latest</code>. If an explicit version is not specified, the latest protocol version is used.</li><li><code>None</code>. If an explicit version is not specified, the request will not be handled and an error status is returned.</li></ul>",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"descriptionsState" : {
"title" : "API Descriptions",
"description" : "Whether API Explorer and API Docs are enabled in OpenAM and how the documentation for them is generated. Dynamic generation includes descriptions from any custom services and authentication modules you may have added. Static generation only includes services and authentication modules that were present when OpenAM was built. Note that dynamic documentation generation may not work in some application containers.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"warningHeader" : {
"title" : "Warning Header",
"description" : "Whether to include a warning header in the response to a request which fails to include the <code>Accept-API-Version</code> header.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"defaultVersion" : {
"title" : "Default Resource Version",
"description" : "The API resource version to use when the REST request does not specify an explicit version. Choose from:<br><br><ul><li><code>Latest</code>. If an explicit version is not specified, the latest resource version of an API is used.</li><li><code>Oldest</code>. If an explicit version is not specified, the oldest supported resource version of an API is used. Note that since APIs may be deprecated and fall out of support, the oldest <i>supported</i> version may not be the first version.</li><li><code>None</code>. If an explicit version is not specified, the request will not be handled and an error status is returned.</li></ul>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"csrfFilterEnabled" : {
"title" : "Enable CSRF Protection",
"description" : "If enabled, all non-read/query requests will require the X-Requested-With header to be present.<br><br>Requiring a non-standard header ensures requests can only be made via methods (XHR) that have stricter same-origin policy protections in Web browsers, preventing Cross-Site Request Forgery (CSRF) attacks. Without this filter, cross-origin requests are prevented by the use of the application/json Content-Type header, which is less robust.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"defaultProtocolVersion" : {
"title" : "Default Protocol Version",
"description" : "The API protocol version to use when a REST request does not specify an explicit version. Choose from:<br><br><ul><li><code>Oldest</code>. If an explicit version is not specified, the oldest protocol version is used.</li><li><code>Latest</code>. If an explicit version is not specified, the latest protocol version is used.</li><li><code>None</code>. If an explicit version is not specified, the request will not be handled and an error status is returned.</li></ul>",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"descriptionsState" : {
"title" : "API Descriptions",
"description" : "Whether API Explorer and API Docs are enabled in OpenAM and how the documentation for them is generated. Dynamic generation includes descriptions from any custom services and authentication modules you may have added. Static generation only includes services and authentication modules that were present when OpenAM was built. Note that dynamic documentation generation may not work in some application containers.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/saml2
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"nameIDInfoAttribute" : {
"title" : "Attribute name for Name ID information",
"description" : "User entry attribute to store name identifier information.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"bufferLength" : {
"title" : "Buffer length (in bytes) to decompress request",
"description" : "Specify the size of the buffer used for decompressing requests, in bytes.",
"propertyOrder" : 1300,
"required" : true,
"type" : "integer"
},
"idpDiscoveryUrlSchema" : {
"title" : "URL scheme for IdP Discovery Service",
"description" : "Specifies the URL scheme to use.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"nameIDInfoKeyAttribute" : {
"title" : "Attribute name for Name ID information key",
"description" : "User entry attribute to store the name identifier key.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"failOverEnabled" : {
"title" : "Enable SAML v2.0 failover",
"description" : "If enabled, OpenAM can failover SAML v2.0 requests to another instance.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"signingCertValidation" : {
"title" : "XML Signing Certificate Validation",
"description" : "If enabled, then validate certificates used to sign documents.",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"cacheCleanupInterval" : {
"title" : "Cache cleanup interval (in seconds)",
"description" : "Time between cache cleanup operations, in seconds.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"xmlSigningClass" : {
"title" : "XML Signing SPI implementation class",
"description" : "Used by the SAML2 engine to <em>sign</em> documents.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"idpDiscoveryCookieDomain" : {
"title" : "Cookie domain for IdP Discovery Service",
"description" : "Specifies the cookie domain for the IDP discovery service.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"caCertValidation" : {
"title" : "CA Certificate Validation",
"description" : "If enabled, then validate CA certificates.",
"propertyOrder" : 1100,
"required" : true,
"type" : "boolean"
},
"xmlEncryptionClass" : {
"title" : "XML Encryption SPI implementation class",
"description" : "Used by the SAML2 engine to <em>encrypt</em> and <em>decrypt</em> documents.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"idpDiscoveryCookieType" : {
"title" : "Cookie type for IdP Discovery Service",
"description" : "Specifies the cookie type to use.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"encryptedKeyInKeyInfo" : {
"title" : "Include xenc:EncryptedKey inside ds:KeyInfo Element",
"description" : "Specify whether to include the <code>xenc:EncryptedKey</code> property inside the <code>ds:KeyInfo</code> element.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"defaults" : {
"properties" : {
"metadataSigningKey" : {
"title" : "Metadata signing key alias",
"description" : "Specify the private key alias to be used to sign the given entity's metadata when requesting signed metadata, either by using exportmetadata.jsp or the <code>ssoadm</code> command.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"metadataSigningKeyPass" : {
"title" : "Metadata signing key password",
"description" : "Specify the password used to retrieve the signing key from the keystore.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"format" : "password"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"nameIDInfoAttribute" : {
"title" : "Attribute name for Name ID information",
"description" : "User entry attribute to store name identifier information.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"bufferLength" : {
"title" : "Buffer length (in bytes) to decompress request",
"description" : "Specify the size of the buffer used for decompressing requests, in bytes.",
"propertyOrder" : 1300,
"required" : true,
"type" : "integer"
},
"idpDiscoveryUrlSchema" : {
"title" : "URL scheme for IdP Discovery Service",
"description" : "Specifies the URL scheme to use.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"nameIDInfoKeyAttribute" : {
"title" : "Attribute name for Name ID information key",
"description" : "User entry attribute to store the name identifier key.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"failOverEnabled" : {
"title" : "Enable SAML v2.0 failover",
"description" : "If enabled, OpenAM can failover SAML v2.0 requests to another instance.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"signingCertValidation" : {
"title" : "XML Signing Certificate Validation",
"description" : "If enabled, then validate certificates used to sign documents.",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"cacheCleanupInterval" : {
"title" : "Cache cleanup interval (in seconds)",
"description" : "Time between cache cleanup operations, in seconds.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"xmlSigningClass" : {
"title" : "XML Signing SPI implementation class",
"description" : "Used by the SAML2 engine to <em>sign</em> documents.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"idpDiscoveryCookieDomain" : {
"title" : "Cookie domain for IdP Discovery Service",
"description" : "Specifies the cookie domain for the IDP discovery service.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"caCertValidation" : {
"title" : "CA Certificate Validation",
"description" : "If enabled, then validate CA certificates.",
"propertyOrder" : 1100,
"required" : true,
"type" : "boolean"
},
"xmlEncryptionClass" : {
"title" : "XML Encryption SPI implementation class",
"description" : "Used by the SAML2 engine to <em>encrypt</em> and <em>decrypt</em> documents.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"idpDiscoveryCookieType" : {
"title" : "Cookie type for IdP Discovery Service",
"description" : "Specifies the cookie type to use.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"encryptedKeyInKeyInfo" : {
"title" : "Include xenc:EncryptedKey inside ds:KeyInfo Element",
"description" : "Specify whether to include the <code>xenc:EncryptedKey</code> property inside the <code>ds:KeyInfo</code> element.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"defaults" : {
"properties" : {
"metadataSigningKey" : {
"title" : "Metadata signing key alias",
"description" : "Specify the private key alias to be used to sign the given entity's metadata when requesting signed metadata, either by using exportmetadata.jsp or the <code>ssoadm</code> command.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"metadataSigningKeyPass" : {
"title" : "Metadata signing key password",
"description" : "Specify the password used to retrieve the signing key from the keystore.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"format" : "password"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/scripting
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaultContext" : {
"title" : "Default Script Type",
"description" : "The default script context type when creating a new script.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaultContext" : {
"title" : "Default Script Type",
"description" : "The default script context type when creating a new script.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/scripting/contexts
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"languages" : {
"title" : "Scripting languages",
"description" : "The language the script is written in.<br><br>This is used to determine how to validate the script, as well as which engine to run the script within.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultScript" : {
"title" : "Default Script",
"description" : "The source code that is presented as the default when creating a new script of this type.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
}
/global-config/services/scripting/contexts/{contexts}/engineConfiguration
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"idleTimeout" : {
"title" : "Thread idle timeout (seconds)",
"description" : "Length of time (in seconds) to wait before terminating threads.<br><br>Length of time (in seconds) to wait before terminating threads that were started when the queue reached capacity. Only applies to threads beyond the core pool size (up to the maximum size).",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"useSecurityManager" : {
"title" : "Use system SecurityManager",
"description" : "Indicates whether the system SecurityManager should also be consulted when checking access to Java classes.<br><br>If enabled, then the checkPackageAccess method will be called for each Java class accessed. If no SecurityManager is configured, then this has no effect.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"whiteList" : {
"title" : "Java class whitelist",
"description" : "List of patterns of allowed Java classes that may be loaded/accessed by scripts.<br><br>Each Java class accessed by a script must match at least one of these patterns. Use '*' as a wildcard, e.g. <code>java.lang.*</code>",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serverTimeout" : {
"title" : "Server-side Script Timeout",
"description" : "The maximum execution time any individual script should take on the server (in seconds).<br><br>Server-side scripts will be forcibly stopped after this amount of execution time.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"blackList" : {
"title" : "Java class blacklist",
"description" : "List of patterns of Java classes that must not be accessed by a script.<br><br>This blacklist is applied after the whitelist to apply additional restrictions. For instance you may whitelist java.lang.* and then blacklist java.lang.System and java.lang.Runtime. It is recommended to always prefer specific whitelists where possible.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"maxThreads" : {
"title" : "Maximum thread pool size",
"description" : "The maximum size of the thread pool from which scripts will operate.<br><br>New threads will be created up to this size once the task queue reaches capacity. Has no effect if the queue is unbounded.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"coreThreads" : {
"title" : "Core thread pool size",
"description" : "The core size of the thread pool from which scripts will operate.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"queueSize" : {
"title" : "Thread pool queue size",
"description" : "Size of queue to use for buffering script execution request when core pool is at capacity.<br><br>Use -1 for an unbounded queue (this disables the maximum pool size setting). For short, CPU-bound scripts, consider a small pool size and larger queue length. For I/O-bound scripts (e.g., REST calls) consider a larger maximum pool size and a smaller queue. Not hot-swappable: restart server for changes to take effect.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"idleTimeout" : {
"title" : "Thread idle timeout (seconds)",
"description" : "Length of time (in seconds) to wait before terminating threads.<br><br>Length of time (in seconds) to wait before terminating threads that were started when the queue reached capacity. Only applies to threads beyond the core pool size (up to the maximum size).",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"useSecurityManager" : {
"title" : "Use system SecurityManager",
"description" : "Indicates whether the system SecurityManager should also be consulted when checking access to Java classes.<br><br>If enabled, then the checkPackageAccess method will be called for each Java class accessed. If no SecurityManager is configured, then this has no effect.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"whiteList" : {
"title" : "Java class whitelist",
"description" : "List of patterns of allowed Java classes that may be loaded/accessed by scripts.<br><br>Each Java class accessed by a script must match at least one of these patterns. Use '*' as a wildcard, e.g. <code>java.lang.*</code>",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serverTimeout" : {
"title" : "Server-side Script Timeout",
"description" : "The maximum execution time any individual script should take on the server (in seconds).<br><br>Server-side scripts will be forcibly stopped after this amount of execution time.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"blackList" : {
"title" : "Java class blacklist",
"description" : "List of patterns of Java classes that must not be accessed by a script.<br><br>This blacklist is applied after the whitelist to apply additional restrictions. For instance you may whitelist java.lang.* and then blacklist java.lang.System and java.lang.Runtime. It is recommended to always prefer specific whitelists where possible.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"maxThreads" : {
"title" : "Maximum thread pool size",
"description" : "The maximum size of the thread pool from which scripts will operate.<br><br>New threads will be created up to this size once the task queue reaches capacity. Has no effect if the queue is unbounded.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"coreThreads" : {
"title" : "Core thread pool size",
"description" : "The core size of the thread pool from which scripts will operate.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"queueSize" : {
"title" : "Thread pool queue size",
"description" : "Size of queue to use for buffering script execution request when core pool is at capacity.<br><br>Use -1 for an unbounded queue (this disables the maximum pool size setting). For short, CPU-bound scripts, consider a small pool size and larger queue length. For I/O-bound scripts (e.g., REST calls) consider a larger maximum pool size and a smaller queue. Not hot-swappable: restart server for changes to take effect.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"idleTimeout" : {
"title" : "Thread idle timeout (seconds)",
"description" : "Length of time (in seconds) to wait before terminating threads.<br><br>Length of time (in seconds) to wait before terminating threads that were started when the queue reached capacity. Only applies to threads beyond the core pool size (up to the maximum size).",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"useSecurityManager" : {
"title" : "Use system SecurityManager",
"description" : "Indicates whether the system SecurityManager should also be consulted when checking access to Java classes.<br><br>If enabled, then the checkPackageAccess method will be called for each Java class accessed. If no SecurityManager is configured, then this has no effect.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"whiteList" : {
"title" : "Java class whitelist",
"description" : "List of patterns of allowed Java classes that may be loaded/accessed by scripts.<br><br>Each Java class accessed by a script must match at least one of these patterns. Use '*' as a wildcard, e.g. <code>java.lang.*</code>",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serverTimeout" : {
"title" : "Server-side Script Timeout",
"description" : "The maximum execution time any individual script should take on the server (in seconds).<br><br>Server-side scripts will be forcibly stopped after this amount of execution time.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"blackList" : {
"title" : "Java class blacklist",
"description" : "List of patterns of Java classes that must not be accessed by a script.<br><br>This blacklist is applied after the whitelist to apply additional restrictions. For instance you may whitelist java.lang.* and then blacklist java.lang.System and java.lang.Runtime. It is recommended to always prefer specific whitelists where possible.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"maxThreads" : {
"title" : "Maximum thread pool size",
"description" : "The maximum size of the thread pool from which scripts will operate.<br><br>New threads will be created up to this size once the task queue reaches capacity. Has no effect if the queue is unbounded.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"coreThreads" : {
"title" : "Core thread pool size",
"description" : "The core size of the thread pool from which scripts will operate.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"queueSize" : {
"title" : "Thread pool queue size",
"description" : "Size of queue to use for buffering script execution request when core pool is at capacity.<br><br>Use -1 for an unbounded queue (this disables the maximum pool size setting). For short, CPU-bound scripts, consider a small pool size and larger queue length. For I/O-bound scripts (e.g., REST calls) consider a larger maximum pool size and a smaller queue. Not hot-swappable: restart server for changes to take effect.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"idleTimeout" : {
"title" : "Thread idle timeout (seconds)",
"description" : "Length of time (in seconds) to wait before terminating threads.<br><br>Length of time (in seconds) to wait before terminating threads that were started when the queue reached capacity. Only applies to threads beyond the core pool size (up to the maximum size).",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"useSecurityManager" : {
"title" : "Use system SecurityManager",
"description" : "Indicates whether the system SecurityManager should also be consulted when checking access to Java classes.<br><br>If enabled, then the checkPackageAccess method will be called for each Java class accessed. If no SecurityManager is configured, then this has no effect.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"whiteList" : {
"title" : "Java class whitelist",
"description" : "List of patterns of allowed Java classes that may be loaded/accessed by scripts.<br><br>Each Java class accessed by a script must match at least one of these patterns. Use '*' as a wildcard, e.g. <code>java.lang.*</code>",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serverTimeout" : {
"title" : "Server-side Script Timeout",
"description" : "The maximum execution time any individual script should take on the server (in seconds).<br><br>Server-side scripts will be forcibly stopped after this amount of execution time.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"blackList" : {
"title" : "Java class blacklist",
"description" : "List of patterns of Java classes that must not be accessed by a script.<br><br>This blacklist is applied after the whitelist to apply additional restrictions. For instance you may whitelist java.lang.* and then blacklist java.lang.System and java.lang.Runtime. It is recommended to always prefer specific whitelists where possible.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"maxThreads" : {
"title" : "Maximum thread pool size",
"description" : "The maximum size of the thread pool from which scripts will operate.<br><br>New threads will be created up to this size once the task queue reaches capacity. Has no effect if the queue is unbounded.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"coreThreads" : {
"title" : "Core thread pool size",
"description" : "The core size of the thread pool from which scripts will operate.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"queueSize" : {
"title" : "Thread pool queue size",
"description" : "Size of queue to use for buffering script execution request when core pool is at capacity.<br><br>Use -1 for an unbounded queue (this disables the maximum pool size setting). For short, CPU-bound scripts, consider a small pool size and larger queue length. For I/O-bound scripts (e.g., REST calls) consider a larger maximum pool size and a smaller queue. Not hot-swappable: restart server for changes to take effect.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/scripting/contexts/{id}
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"languages" : {
"title" : "Scripting languages",
"description" : "The language the script is written in.<br><br>This is used to determine how to validate the script, as well as which engine to run the script within.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultScript" : {
"title" : "Default Script",
"description" : "The source code that is presented as the default when creating a new script of this type.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"languages" : {
"title" : "Scripting languages",
"description" : "The language the script is written in.<br><br>This is used to determine how to validate the script, as well as which engine to run the script within.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultScript" : {
"title" : "Default Script",
"description" : "The source code that is presented as the default when creating a new script of this type.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
}
/global-config/services/scripting/globalScript
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"required" : true,
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"required" : true,
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"required" : true,
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"required" : true,
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"required" : true,
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"required" : true,
"type" : "string"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"required" : true,
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION : Policy Condition AUTHENTICATION_SERVER_SIDE : Server-side Authentication AUTHENTICATION_CLIENT_SIDE : Client-side Authentication - Note Client-side scripts must be written in JavaScript OIDC_CLAIMS : OIDC Claims",
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"required" : true,
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"required" : true,
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"required" : true,
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"required" : true,
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"required" : true,
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"required" : true,
"type" : "string"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"required" : true,
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION : Policy Condition AUTHENTICATION_SERVER_SIDE : Server-side Authentication AUTHENTICATION_CLIENT_SIDE : Client-side Authentication - Note Client-side scripts must be written in JavaScript OIDC_CLAIMS : OIDC Claims",
"required" : true,
"type" : "string"
}
}
}
/global-config/services/scripting/globalScript/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"required" : true,
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"required" : true,
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"required" : true,
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"required" : true,
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"required" : true,
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"required" : true,
"type" : "string"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"required" : true,
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION : Policy Condition AUTHENTICATION_SERVER_SIDE : Server-side Authentication AUTHENTICATION_CLIENT_SIDE : Client-side Authentication - Note Client-side scripts must be written in JavaScript OIDC_CLAIMS : OIDC Claims",
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"required" : true,
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"required" : true,
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"required" : true,
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"required" : true,
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"required" : true,
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"required" : true,
"type" : "string"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"required" : true,
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION : Policy Condition AUTHENTICATION_SERVER_SIDE : Server-side Authentication AUTHENTICATION_CLIENT_SIDE : Client-side Authentication - Note Client-side scripts must be written in JavaScript OIDC_CLAIMS : OIDC Claims",
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"required" : true,
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"required" : true,
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"required" : true,
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"required" : true,
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"required" : true,
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"required" : true,
"type" : "string"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"required" : true,
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION : Policy Condition AUTHENTICATION_SERVER_SIDE : Server-side Authentication AUTHENTICATION_CLIENT_SIDE : Client-side Authentication - Note Client-side scripts must be written in JavaScript OIDC_CLAIMS : OIDC Claims",
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"required" : true,
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"required" : true,
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"required" : true,
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"required" : true,
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"required" : true,
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"required" : true,
"type" : "string"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"required" : true,
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION : Policy Condition AUTHENTICATION_SERVER_SIDE : Server-side Authentication AUTHENTICATION_CLIENT_SIDE : Client-side Authentication - Note Client-side scripts must be written in JavaScript OIDC_CLAIMS : OIDC Claims",
"required" : true,
"type" : "string"
}
}
}
/global-config/services/security
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"selfServiceEnabled" : {
"title" : "Legacy Self-Service REST Endpoint",
"description" : "Specify whether to enable the legacy self-service endpoint.<p>OpenAM supports two User Self-Service components: the Legacy User Self-Service, which is based on a Java SDK and is available in OpenAM versions prior to OpenAM 13, and a common REST-based/XUI-based User Self-Service available in OpenAM 13 and later.<p>The Legacy User Self-Service will be deprecated in a future release.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"forgotPasswordTokenLifetime" : {
"title" : "Forgot Password Token Lifetime (seconds)",
"description" : "Maximum life time for the token that allows a user to process a forgotten password using the REST API.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"selfRegistrationEnabled" : {
"title" : "Self-Registration for Users",
"description" : "If enabled, new users can sign up using a REST API client.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"selfRegistrationTokenLifetime" : {
"title" : "Self-Registration Token LifeTime (seconds)",
"description" : "Maximum life time for the token allowing User Self-Registration using the REST API.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"selfRegistrationConfirmationUrl" : {
"title" : "Self-Registration Confirmation Email URL",
"description" : "This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"forgotPasswordEnabled" : {
"title" : "Forgot Password for Users",
"description" : "If enabled, users can assign themselves a new password using a REST API client.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"userRegisteredDestination" : {
"title" : "Destination After Successful Self-Registration",
"description" : "Specifies the behavior when self-registration has successfully completed.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"forgotPasswordConfirmationUrl" : {
"title" : "Forgot Password Confirmation Email URL",
"description" : "This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"protectedUserAttributes" : {
"title" : "Protected User Attributes",
"description" : "A list of user profile attributes. Users modifying any of the attributes in this list will be required to enter a password as confirmation before the change is accepted. This option applies to XUI deployments only.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"selfServiceEnabled" : {
"title" : "Legacy Self-Service REST Endpoint",
"description" : "Specify whether to enable the legacy self-service endpoint.<p>OpenAM supports two User Self-Service components: the Legacy User Self-Service, which is based on a Java SDK and is available in OpenAM versions prior to OpenAM 13, and a common REST-based/XUI-based User Self-Service available in OpenAM 13 and later.<p>The Legacy User Self-Service will be deprecated in a future release.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"forgotPasswordTokenLifetime" : {
"title" : "Forgot Password Token Lifetime (seconds)",
"description" : "Maximum life time for the token that allows a user to process a forgotten password using the REST API.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"selfRegistrationEnabled" : {
"title" : "Self-Registration for Users",
"description" : "If enabled, new users can sign up using a REST API client.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"selfRegistrationTokenLifetime" : {
"title" : "Self-Registration Token LifeTime (seconds)",
"description" : "Maximum life time for the token allowing User Self-Registration using the REST API.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"selfRegistrationConfirmationUrl" : {
"title" : "Self-Registration Confirmation Email URL",
"description" : "This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"forgotPasswordEnabled" : {
"title" : "Forgot Password for Users",
"description" : "If enabled, users can assign themselves a new password using a REST API client.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"userRegisteredDestination" : {
"title" : "Destination After Successful Self-Registration",
"description" : "Specifies the behavior when self-registration has successfully completed.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"forgotPasswordConfirmationUrl" : {
"title" : "Forgot Password Confirmation Email URL",
"description" : "This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"protectedUserAttributes" : {
"title" : "Protected User Attributes",
"description" : "A list of user profile attributes. Users modifying any of the attributes in this list will be required to enter a password as confirmation before the change is accepted. This option applies to XUI deployments only.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/selfService
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"forgottenPassword" : {
"type" : "object",
"title" : "Forgotten Password",
"propertyOrder" : 2,
"properties" : {
"forgottenPasswordEnabled" : {
"title" : "Forgotten Password",
"description" : "If enabled, users can reset their forgotten password.",
"propertyOrder" : 170,
"required" : true,
"type" : "boolean"
},
"numberOfAttemptsEnforced" : {
"title" : "Enforce password reset lockout",
"description" : "If enabled, users will be prevented from resetting their password after the configured number of failed attempts.",
"propertyOrder" : 201,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during password reset to mitigate against software bots.",
"propertyOrder" : 180,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordEmailVerificationEnabled" : {
"title" : "Email Verification",
"description" : "If enabled, users who reset passwords must perform email address verification.",
"propertyOrder" : 190,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordTokenTTL" : {
"title" : "Token Lifetime (seconds)",
"description" : "Maximum lifetime for the token allowing forgotten password reset, in seconds.<p><p>Specify a value from <code>0</code> to <code>2147483647</code>.",
"propertyOrder" : 210,
"required" : false,
"type" : "integer"
},
"forgottenPasswordKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must answer their security questions during the forgotten password process.",
"propertyOrder" : 200,
"required" : false,
"type" : "boolean"
},
"numberOfAllowedAttempts" : {
"title" : "Lock Out After number of attempts",
"description" : "Can be set to 1 or more attempts for a user to correctly answer all their security questions. After the number of configured attempts the user has not correctly answered them the password reset feature will be disabled.",
"propertyOrder" : 202,
"required" : false,
"type" : "integer"
},
"forgottenPasswordEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customize the forgotten password email body text. Format is <code>locale|body text</code>.",
"propertyOrder" : 230,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenPasswordEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customize the forgotten password email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 220,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"userRegistration" : {
"type" : "object",
"title" : "User Registration",
"propertyOrder" : 1,
"properties" : {
"userRegistrationEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customize the User Self-Registration verification email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 140,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegistrationEnabled" : {
"title" : "User Registration",
"description" : "If enabled, new users can sign up for an account.",
"propertyOrder" : 90,
"required" : true,
"type" : "boolean"
},
"userRegistrationEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customize the User Self-Registration verification email body text. Format is: <code>locale|body text</code>.",
"propertyOrder" : 150,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegisteredDestination" : {
"title" : "Destination After Successful Self-Registration",
"description" : "Specifies the action to be taken after a user successfully registers a new account. Choose from:<ul><li><code>default</code>. User is sent to a success page without being logged in.</li><li><code>login</code>. User is sent to the login page to authenticate.</li><li><code>autologin</code>. User is automatically logged in and sent to the appropriate page.</li></ul>",
"propertyOrder" : 161,
"required" : true,
"type" : "string"
},
"userRegistrationEmailVerificationFirstEnabled" : {
"title" : "Verify Email before User Detail",
"description" : "If enabled, email address verification will be performed first before user details screen is displayed. This will take effect only if Verify Email is enabled.",
"propertyOrder" : 110,
"required" : false,
"type" : "boolean"
},
"userRegistrationKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must set up their security questions during the self-registration process.",
"propertyOrder" : 120,
"required" : false,
"type" : "boolean"
},
"userRegistrationCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during user self-registration to mitigate against software bots.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
},
"userRegistrationEmailVerificationEnabled" : {
"title" : "Email Verification",
"description" : "If enabled, users who self-register must perform email address verification.",
"propertyOrder" : 110,
"required" : false,
"type" : "boolean"
},
"userRegistrationValidUserAttributes" : {
"title" : "Valid Creation Attributes",
"description" : "Specifies a whitelist of user attributes that can be set during user creation.",
"propertyOrder" : 160,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegistrationTokenTTL" : {
"title" : "Token Lifetime (seconds)",
"description" : "Maximum lifetime of the token allowing User Self-Registration, in seconds.",
"propertyOrder" : 130,
"required" : false,
"type" : "integer"
}
}
},
"generalConfig" : {
"type" : "object",
"title" : "General Configuration",
"propertyOrder" : 0,
"properties" : {
"minimumAnswersToDefine" : {
"title" : "Minimum Answers to Define",
"description" : "Specifies the minimum number of KBA answers that users must define.",
"propertyOrder" : 60,
"required" : false,
"type" : "integer"
},
"signingSecretKeyAlias" : {
"title" : "Signing Secret Key Alias",
"description" : "A signing secret key alias in the OpenAM server's JCEKS keystore. Used to sign the JWT token that OpenAM uses to track end users during User Self-Service operations.",
"propertyOrder" : 10,
"required" : true,
"type" : "string",
"exampleValue" : "selfservicesigntest"
},
"minimumAnswersToVerify" : {
"title" : "Minimum Answers to Verify",
"description" : "Specifies the minimum number of KBA questions that users need to answer to be granted the privilege to carry out an action, such as registering for an account, resetting a password, or retrieving a username. Specify a value from <code>0</code> to <code>50</code>.",
"propertyOrder" : 70,
"required" : false,
"type" : "integer"
},
"encryptionKeyPairAlias" : {
"title" : "Encryption Key Pair Alias",
"description" : "An encryption key alias in the OpenAM server's JCEKS keystore. Used to encrypt the JWT token that OpenAM uses to track end users during User Self-Service operations.",
"propertyOrder" : 0,
"required" : true,
"type" : "string",
"exampleValue" : "selfserviceenctest"
},
"captchaSiteKey" : {
"title" : "Google reCAPTCHA Site Key",
"description" : "Google reCAPTCHA plugin site key.",
"propertyOrder" : 20,
"required" : false,
"type" : "string"
},
"captchaVerificationUrl" : {
"title" : "Google Re-captcha Verification URL",
"description" : "Google reCAPTCHA plugin verification URL.",
"propertyOrder" : 40,
"required" : false,
"type" : "string"
},
"validQueryAttributes" : {
"title" : "Valid Query Attributes",
"description" : "Specifies the valid query attributes used to search for the user. This is a list of attributes used to identify your account for forgotten password and forgotten username.",
"propertyOrder" : 80,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"captchaSecretKey" : {
"title" : "Google reCAPTCHA Secret Key",
"description" : "Google reCAPTCHA plugin secret key.",
"propertyOrder" : 30,
"required" : false,
"type" : "string"
},
"kbaQuestions" : {
"title" : "Security Questions",
"description" : "Specifies the default set of knowledge-based authentication (KBA) security questions. The security questions can be set for the User Self-Registration, forgotten password reset, and forgotten username services, respectively.<p><p>Format is <code>unique key|locale|question</code>.",
"propertyOrder" : 50,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"forgottenUsername" : {
"type" : "object",
"title" : "Forgotten Username",
"propertyOrder" : 3,
"properties" : {
"forgottenUsernameEmailUsernameEnabled" : {
"title" : "Email Username",
"description" : "If enabled, users receive their forgotten username by email.",
"propertyOrder" : 270,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameShowUsernameEnabled" : {
"title" : "Show Username",
"description" : "If enabled, users see their forgotten username on the browser page.",
"propertyOrder" : 280,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during the forgotten username retrieval process to mitigate against software bots.",
"propertyOrder" : 250,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameEnabled" : {
"title" : "Forgotten Username",
"description" : "If enabled, users can retrieve their forgotten username.",
"propertyOrder" : 240,
"required" : true,
"type" : "boolean"
},
"forgottenUsernameKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must answer their security questions during the forgotten username process.",
"propertyOrder" : 260,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameTokenTTL" : {
"title" : "Token LifeTime (seconds)",
"description" : "Maximum lifetime for the token allowing forgotten username, in seconds.",
"propertyOrder" : 290,
"required" : false,
"type" : "integer"
},
"forgottenUsernameEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customizes the forgotten username email body text. Format is <code>locale|body text</code>.",
"propertyOrder" : 310,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenUsernameEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customizes the forgotten username email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"advancedConfig" : {
"type" : "object",
"title" : "Advanced Configuration",
"propertyOrder" : 5,
"properties" : {
"userRegistrationServiceConfigClass" : {
"title" : "User Registration Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 350,
"required" : false,
"type" : "string"
},
"forgottenUsernameServiceConfigClass" : {
"title" : "Forgotten Username Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 370,
"required" : false,
"type" : "string"
},
"userRegistrationConfirmationUrl" : {
"title" : "User Registration Confirmation Email URL",
"description" : "Specifies the confirmation URL that the user receives during the self-registration process. The <code>${realm}</code> string is replaced with the current realm.",
"propertyOrder" : 330,
"required" : false,
"type" : "string"
},
"forgottenPasswordConfirmationUrl" : {
"title" : "Forgotten Password Confirmation Email URL",
"description" : "Specifies the confirmation URL that the user receives after confirming their identity during the forgotten password process. The <code>${realm}</code> string is replaced with the current realm.",
"propertyOrder" : 340,
"required" : false,
"type" : "string"
},
"forgottenPasswordServiceConfigClass" : {
"title" : "Forgotten Password Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 360,
"required" : false,
"type" : "string"
}
}
},
"profileManagement" : {
"type" : "object",
"title" : "Profile Management",
"propertyOrder" : 4,
"properties" : {
"profileProtectedUserAttributes" : {
"title" : "Protected Update Attributes",
"description" : "Specifies a profile's protected user attributes, which causes re-authentication when the user attempts to modify these attributes.",
"propertyOrder" : 320,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"forgottenPassword" : {
"type" : "object",
"title" : "Forgotten Password",
"propertyOrder" : 2,
"properties" : {
"forgottenPasswordEnabled" : {
"title" : "Forgotten Password",
"description" : "If enabled, users can reset their forgotten password.",
"propertyOrder" : 170,
"required" : true,
"type" : "boolean"
},
"numberOfAttemptsEnforced" : {
"title" : "Enforce password reset lockout",
"description" : "If enabled, users will be prevented from resetting their password after the configured number of failed attempts.",
"propertyOrder" : 201,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during password reset to mitigate against software bots.",
"propertyOrder" : 180,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordEmailVerificationEnabled" : {
"title" : "Email Verification",
"description" : "If enabled, users who reset passwords must perform email address verification.",
"propertyOrder" : 190,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordTokenTTL" : {
"title" : "Token Lifetime (seconds)",
"description" : "Maximum lifetime for the token allowing forgotten password reset, in seconds.<p><p>Specify a value from <code>0</code> to <code>2147483647</code>.",
"propertyOrder" : 210,
"required" : false,
"type" : "integer"
},
"forgottenPasswordKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must answer their security questions during the forgotten password process.",
"propertyOrder" : 200,
"required" : false,
"type" : "boolean"
},
"numberOfAllowedAttempts" : {
"title" : "Lock Out After number of attempts",
"description" : "Can be set to 1 or more attempts for a user to correctly answer all their security questions. If the user has not correctly answered them after the configured number of attempts, the password reset feature will be disabled.",
"propertyOrder" : 202,
"required" : false,
"type" : "integer"
},
"forgottenPasswordEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customize the forgotten password email body text. Format is <code>locale|body text</code>.",
"propertyOrder" : 230,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenPasswordEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customize the forgotten password email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 220,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"userRegistration" : {
"type" : "object",
"title" : "User Registration",
"propertyOrder" : 1,
"properties" : {
"userRegistrationEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customize the User Self-Registration verification email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 140,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegistrationEnabled" : {
"title" : "User Registration",
"description" : "If enabled, new users can sign up for an account.",
"propertyOrder" : 90,
"required" : true,
"type" : "boolean"
},
"userRegistrationEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customize the User Self-Registration verification email body text. Format is: <code>locale|body text</code>.",
"propertyOrder" : 150,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegisteredDestination" : {
"title" : "Destination After Successful Self-Registration",
"description" : "Specifies the action to be taken after a user successfully registers a new account. Choose from:<ul><li><code>default</code>. User is sent to a success page without being logged in.</li><li><code>login</code>. User is sent to the login page to authenticate.</li><li><code>autologin</code>. User is automatically logged in and sent to the appropriate page.</li></ul>",
"propertyOrder" : 161,
"required" : true,
"type" : "string"
},
"userRegistrationEmailVerificationFirstEnabled" : {
"title" : "Verify Email before User Detail",
"description" : "If enabled, email address verification will be performed first, before the user details screen is displayed. This will take effect only if Verify Email is enabled.",
"propertyOrder" : 110,
"required" : false,
"type" : "boolean"
},
"userRegistrationKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must set up their security questions during the self-registration process.",
"propertyOrder" : 120,
"required" : false,
"type" : "boolean"
},
"userRegistrationCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during user self-registration to mitigate against software bots.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
},
"userRegistrationEmailVerificationEnabled" : {
"title" : "Email Verification",
"description" : "If enabled, users who self-register must perform email address verification.",
"propertyOrder" : 110,
"required" : false,
"type" : "boolean"
},
"userRegistrationValidUserAttributes" : {
"title" : "Valid Creation Attributes",
"description" : "Specifies a whitelist of user attributes that can be set during user creation.",
"propertyOrder" : 160,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegistrationTokenTTL" : {
"title" : "Token Lifetime (seconds)",
"description" : "Maximum lifetime of the token allowing User Self-Registration, in seconds.",
"propertyOrder" : 130,
"required" : false,
"type" : "integer"
}
}
},
"generalConfig" : {
"type" : "object",
"title" : "General Configuration",
"propertyOrder" : 0,
"properties" : {
"minimumAnswersToDefine" : {
"title" : "Minimum Answers to Define",
"description" : "Specifies the minimum number of KBA answers that users must define.",
"propertyOrder" : 60,
"required" : false,
"type" : "integer"
},
"signingSecretKeyAlias" : {
"title" : "Signing Secret Key Alias",
"description" : "A signing secret key alias in the OpenAM server's JCEKS keystore. Used to sign the JWT token that OpenAM uses to track end users during User Self-Service operations.",
"propertyOrder" : 10,
"required" : true,
"type" : "string",
"exampleValue" : "selfservicesigntest"
},
"minimumAnswersToVerify" : {
"title" : "Minimum Answers to Verify",
"description" : "Specifies the minimum number of KBA questions that users need to answer to be granted the privilege to carry out an action, such as registering for an account, resetting a password, or retrieving a username. Specify a value from <code>0</code> to <code>50</code>.",
"propertyOrder" : 70,
"required" : false,
"type" : "integer"
},
"encryptionKeyPairAlias" : {
"title" : "Encryption Key Pair Alias",
"description" : "An encryption key alias in the OpenAM server's JCEKS keystore. Used to encrypt the JWT token that OpenAM uses to track end users during User Self-Service operations.",
"propertyOrder" : 0,
"required" : true,
"type" : "string",
"exampleValue" : "selfserviceenctest"
},
"captchaSiteKey" : {
"title" : "Google reCAPTCHA Site Key",
"description" : "Google reCAPTCHA plugin site key.",
"propertyOrder" : 20,
"required" : false,
"type" : "string"
},
"captchaVerificationUrl" : {
"title" : "Google Re-captcha Verification URL",
"description" : "Google reCAPTCHA plugin verification URL.",
"propertyOrder" : 40,
"required" : false,
"type" : "string"
},
"validQueryAttributes" : {
"title" : "Valid Query Attributes",
"description" : "Specifies the valid query attributes used to search for the user. This is a list of attributes used to identify your account for forgotten password and forgotten username.",
"propertyOrder" : 80,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"captchaSecretKey" : {
"title" : "Google reCAPTCHA Secret Key",
"description" : "Google reCAPTCHA plugin secret key.",
"propertyOrder" : 30,
"required" : false,
"type" : "string"
},
"kbaQuestions" : {
"title" : "Security Questions",
"description" : "Specifies the default set of knowledge-based authentication (KBA) security questions. The security questions can be set for the User Self-Registration, forgotten password reset, and forgotten username services, respectively.<p><p>Format is <code>unique key|locale|question</code>.",
"propertyOrder" : 50,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"forgottenUsername" : {
"type" : "object",
"title" : "Forgotten Username",
"propertyOrder" : 3,
"properties" : {
"forgottenUsernameEmailUsernameEnabled" : {
"title" : "Email Username",
"description" : "If enabled, users receive their forgotten username by email.",
"propertyOrder" : 270,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameShowUsernameEnabled" : {
"title" : "Show Username",
"description" : "If enabled, users see their forgotten username on the browser page.",
"propertyOrder" : 280,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during the forgotten username retrieval process to mitigate against software bots.",
"propertyOrder" : 250,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameEnabled" : {
"title" : "Forgotten Username",
"description" : "If enabled, users can retrieve their forgotten username.",
"propertyOrder" : 240,
"required" : true,
"type" : "boolean"
},
"forgottenUsernameKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must answer their security questions during the forgotten username process.",
"propertyOrder" : 260,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameTokenTTL" : {
"title" : "Token LifeTime (seconds)",
"description" : "Maximum lifetime for the token allowing forgotten username, in seconds.",
"propertyOrder" : 290,
"required" : false,
"type" : "integer"
},
"forgottenUsernameEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customizes the forgotten username email body text. Format is <code>locale|body text</code>.",
"propertyOrder" : 310,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenUsernameEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customizes the forgotten username email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"advancedConfig" : {
"type" : "object",
"title" : "Advanced Configuration",
"propertyOrder" : 5,
"properties" : {
"userRegistrationServiceConfigClass" : {
"title" : "User Registration Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 350,
"required" : false,
"type" : "string"
},
"forgottenUsernameServiceConfigClass" : {
"title" : "Forgotten Username Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 370,
"required" : false,
"type" : "string"
},
"userRegistrationConfirmationUrl" : {
"title" : "User Registration Confirmation Email URL",
"description" : "Specifies the confirmation URL that the user receives during the self-registration process. The <code>${realm}</code> string is replaced with the current realm.",
"propertyOrder" : 330,
"required" : false,
"type" : "string"
},
"forgottenPasswordConfirmationUrl" : {
"title" : "Forgotten Password Confirmation Email URL",
"description" : "Specifies the confirmation URL that the user receives after confirming their identity during the forgotten password process. The <code>${realm}</code> string is replaced with the current realm.",
"propertyOrder" : 340,
"required" : false,
"type" : "string"
},
"forgottenPasswordServiceConfigClass" : {
"title" : "Forgotten Password Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 360,
"required" : false,
"type" : "string"
}
}
},
"profileManagement" : {
"type" : "object",
"title" : "Profile Management",
"propertyOrder" : 4,
"properties" : {
"profileProtectedUserAttributes" : {
"title" : "Protected Update Attributes",
"description" : "Specifies a profile's protected user attributes, which causes re-authentication when the user attempts to modify these attributes.",
"propertyOrder" : 320,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/session
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"stateless" : {
"type" : "object",
"title" : "Client-based Sessions",
"propertyOrder" : 4,
"properties" : {
"openam-session-stateless-blacklist-cache-size" : {
"title" : "Session Blacklist Cache Size",
"description" : "Number of blacklisted sessions to cache in memory to speed up blacklist checks and reduce load on the CTS. The cache size should be approximately the number of logouts expected in the maximum session time.",
"propertyOrder" : 2700,
"required" : true,
"type" : "integer"
},
"openam-session-stateless-blacklist-poll-interval" : {
"title" : "Blacklist Poll Interval (seconds)",
"description" : "Specifies the interval at which AM polls the Core Token Service to update the list of logged out sessions, in seconds.<br><br>The longer the polling interval, the more time a malicious user has to connect to other AM servers in a deployment and make use of a stolen session cookie. Shortening the polling interval improves the security for logged out sessions, but might incur a minimal decrease in overall AM performance due to increased network activity. Set to <code>0</code> to disable this feature completely.",
"propertyOrder" : 2800,
"required" : true,
"type" : "integer"
},
"openam-session-stateless-blacklist-purge-delay" : {
"title" : "Blacklist Purge Delay (minutes)",
"description" : "When added to the maximum session time, specifies the amount of time that AM tracks logged out sessions.<br><br>Increase the blacklist purge delay if you expect system clock skews in a deployment of AM servers to be greater than one minute. There is no need to increase the blacklist purge delay for servers running a clock synchronization protocol, such as Network Time Protocol.",
"propertyOrder" : 2900,
"required" : true,
"type" : "integer"
},
"statelessSigningHmacSecret" : {
"title" : "Signing HMAC Shared Secret",
"description" : "Specifies the shared secret that AM uses when performing HMAC signing on the session JWT.<p><p>Specify a shared secret when using a \"Signing Algorithm Type\" of <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
"propertyOrder" : 2000,
"required" : true,
"type" : "string",
"format" : "password"
},
"statelessEncryptionAesKey" : {
"title" : "Encryption Symmetric AES Key",
"description" : "AES key for use with Direct or AES KeyWrap encryption modes.<br><br>The symmetric AES key is a base64-encoded random key.<p><p>For direct encryption with <code>AES-GCM</code> or for <code>AES-KeyWrap</code> with any content encryption method, this should be 128, 192, or 256 bits.<p><p>For direct encryption with <code>AES-CBC-HMAC</code>, the key should be double those sizes (one half for the AES key, the other half for the HMAC key).<p><p>AES key sizes greater than 128 bits require installation of the JCE Unlimited Strength policy files in your JRE.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string",
"format" : "password"
},
"statelessSigningType" : {
"title" : "Signing Algorithm Type",
"description" : "Specifies the algorithm that AM uses to sign the JSON Web Token (JWT) containing the session content. Signing the JWT enables tampering detection.<br><br>AM supports the following signing algorithms: <ul><li><strong>HS256</strong>. HMAC using SHA-256.</li><li><strong>HS384</strong>. HMAC using SHA-384.</li><li><strong>HS512</strong>. HMAC using SHA-512.</li><li><strong>RS256</strong>. RSASSA-PKCS1-v1_5 using SHA-256.</li><li><strong>ES256</strong>. ECDSA using SHA-256 and NIST standard P-256 elliptic curve.</li><li><strong>ES384</strong>. ECDSA using SHA-384 and NIST standard P-384 elliptic curve.</li><li><strong>ES512</strong>. ECDSA using SHA-512 and NIST standard P-521 elliptic curve.</li></ul>",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"statelessCompressionType" : {
"title" : "Compression Algorithm",
"description" : "If enabled the session state is compressed before signing and encryption.<br><br><strong>WARNING</strong>: Enabling compression may compromise encryption. This may leak information about the content of the session state if encryption is enabled.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"openam-session-stateless-enable-session-blacklisting" : {
"title" : "Enable Session Blacklisting",
"description" : "Blacklists client-based sessions that log out.<br><br>We recommend enabling this setting if the maximum session time is high. Blacklist state is stored in the Core Token Service (CTS) token store until the session expires, in order to ensure that sessions cannot continue to be used. Requires a server restart for changes to take effect.",
"propertyOrder" : 2600,
"required" : true,
"type" : "boolean"
},
"statelessSigningRsaCertAlias" : {
"title" : "Signing RSA/ECDSA Certificate Alias",
"description" : "Specify the alias of a certificate containing a public/private key pair that AM uses when performing RSA or ECDSA signing on the session JWT. Specify a signing certificate alias when using a \"Signing Algorithm Type\" of <code>RS256</code>, <code>ES256</code>, <code>ES384</code>, or <code>ES512</code>.<br><br>The certificate is retrieved from the keystore specified by the <code>com.sun.identity.saml.xmlsig.keystore</code> property.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"statelessEncryptionType" : {
"title" : "Encryption Algorithm",
"description" : "Specifies the algorithm that AM uses to encrypt the JSON Web Token (JWT) containing the session content.<br><br>AM supports the following encryption algorithms:<ul><li><strong>NONE</strong>. No encryption is selected.</li><li><strong>RSA</strong>. Session content is encrypted with AES using a unique key. The key is then encrypted with an RSA public key and appended to the JWT.<p><p>AM supports the following padding modes, which you can set using the <code>org.forgerock.openam.session.stateless.rsa.padding</code> advanced property:<ul><li><code>RSA1_5</code>. RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code>. RSA with optimal asymmetric encryption padding (OAEP) and SHA-1.</li><li><code>RSA-OAEP-256</code>. RSA with OAEP padding and SHA-256.</li></ul></li><li><strong>AES KeyWrapping</strong>. Session content is encrypted with AES using a unique key and is then wrapped using AES KeyWrap and the master key. This provides additional security, compared to RSA, at the cost of 128 or 256 bits (or 32 bytes) depending on the size of the master key. This method provides authenticated encryption, which removes the need for a separate signature and decreases the byte size of the JWT. See <a href=\"https://tools.ietf.org/html/rfc3394\" target=\"_blank\">RFC 3394</a>.</li><li><strong>Direct AES Encryption</strong>. Session content is encrypted with direct AES encryption with a symmetric key. This method provides authenticated encryption, which removes the need for a separate signature and decreases the byte size of the JWT. </li></ul><p><p><strong>Important</strong>: To prevent users from accidentally disabling all authentication support, which can be accomplished by disabling signing and not using an authenticated encryption mode, you must set the <code>org.forgerock.openam.session.stateless.signing.allownone</code> system property to <code>true</code> to turn off signing completely.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"statelessEncryptionRsaCertAlias" : {
"title" : "Encryption RSA Certificate Alias",
"description" : "Specifies the alias of a certificate containing a public/private key pair that AM uses when encrypting a JWT. Specify an encryption certificate alias when using an Encryption Algorithm Type of <code>RSA</code>.<br><br>The certificate is retrieved from the keystore referenced by the <code>com.sun.identity.saml.xmlsig.keystore</code> property.",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
}
}
},
"quotas" : {
"type" : "object",
"title" : "Session Quotas",
"propertyOrder" : 3,
"properties" : {
"behaviourWhenQuotaExhausted" : {
"title" : "Resulting behavior if session quota exhausted",
"description" : "Specify the action to take if a session quota is exhausted:<ul><li><strong>Deny Access</strong>. New session creation requests will be denied.</li><li><strong>Destroy Next Expiring</strong>. The session that would expire next will be destroyed.</li><li><strong>Destroy Oldest</strong>. The oldest session will be destroyed.</li><li><strong>Destroy All</strong>. All previous sessions will be destroyed.</li></ul>",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"iplanet-am-session-enable-session-constraint" : {
"title" : "Enable Quota Constraints",
"description" : "If on, then OpenAM allows you to set quota constraints on stateful sessions.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"denyLoginWhenRepoDown" : {
"title" : "Deny user login when session repository is down",
"description" : "This property only takes effect when the session quota constraint is enabled, and the session data store is unavailable.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"quotaConstraintMaxWaitTime" : {
"title" : "Read Timeout for Quota Constraint",
"description" : "Maximum wait time after which OpenAM considers a search for live session count as having failed if quota constraints are enabled, in milliseconds.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
}
}
},
"iplanet-am-session-constraint-resulting-behavior" : {
"title" : "Resulting behavior if session quota exhausted",
"description" : "Specify the action to take if a session quota is exhausted:<ul><li><strong>Deny Access</strong>. New session creation requests will be denied.</li><li><strong>Destroy Next Expiring</strong>. The session that would expire next will be destroyed.</li><li><strong>Destroy Oldest</strong>. The oldest session will be destroyed.</li><li><strong>Destroy All</strong>. All previous sessions will be destroyed.</li></ul>",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"search" : {
"type" : "object",
"title" : "Session Search",
"propertyOrder" : 1,
"properties" : {
"sessionListRetrievalTimeout" : {
"title" : "Timeout for Search",
"description" : "Time after which OpenAM sees an incomplete search as having failed, in seconds.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"maxSessionListSize" : {
"title" : "Maximum Number of Search Results",
"description" : "Maximum number of results from a session search. Do not set this attribute to a large value, for example more than 1000, unless sufficient system resources are allocated.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
},
"notifications" : {
"type" : "object",
"title" : "Session Property Change Notifications",
"propertyOrder" : 2,
"properties" : {
"propertyChangeNotifications" : {
"title" : "Enable Property Change Notifications",
"description" : "If on, then OpenAM notifies other applications participating in SSO when a session property in the Notification Properties list changes on a stateful session.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"notificationPropertyList" : {
"title" : "Notification Properties",
"description" : "Lists session properties for which OpenAM can send notifications upon modification. Session notification applies to stateful sessions only.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"latestAccessTimeUpdateFrequency" : {
"title" : "Latest Access Time Update Frequency",
"description" : "Defaults to <code>60</code> seconds. At most, AM updates a session's latest access time this often.<br><br>Subsequent touches to the session that occur within the specified number of seconds after an update will not cause additional updates to the session's access time.<p><p>Refreshing a session returns the idle time as the number of seconds since an update has occurred, which will be between <code>0</code> and the specified Latest Access Time Update Frequency.",
"required" : true,
"type" : "integer"
},
"dnRestrictionOnly" : {
"title" : "DN Restriction Only Enabled",
"description" : "If enabled, OpenAM will not perform DNS lookups when checking restrictions in cookie hijacking mode.",
"propertyOrder" : 1300,
"required" : true,
"type" : "boolean"
},
"timeoutHandlers" : {
"title" : "Session Timeout Handler implementations",
"description" : "Lists plugin classes implementing session timeout handlers. Specify the fully qualified name.",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"dynamic" : {
"properties" : {
"maxSessionTime" : {
"title" : "Maximum Session Time",
"description" : "Maximum time a session can remain valid before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"maxCachingTime" : {
"title" : "Maximum Caching Time",
"description" : "Maximum time before OpenAM refreshes a session that has been cached, in minutes.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"maxIdleTime" : {
"title" : "Maximum Idle Time",
"description" : "Maximum time a stateful session can remain idle before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"quotaLimit" : {
"title" : "Active User Sessions",
"description" : "Maximum number of concurrent stateful sessions OpenAM allows a user to have.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"stateless" : {
"type" : "object",
"title" : "Client-based Sessions",
"propertyOrder" : 4,
"properties" : {
"openam-session-stateless-blacklist-cache-size" : {
"title" : "Session Blacklist Cache Size",
"description" : "Number of blacklisted sessions to cache in memory to speed up blacklist checks and reduce load on the CTS. The cache size should be approximately the number of logouts expected in the maximum session time.",
"propertyOrder" : 2700,
"required" : true,
"type" : "integer"
},
"openam-session-stateless-blacklist-poll-interval" : {
"title" : "Blacklist Poll Interval (seconds)",
"description" : "Specifies the interval at which AM polls the Core Token Service to update the list of logged out sessions, in seconds.<br><br>The longer the polling interval, the more time a malicious user has to connect to other AM servers in a deployment and make use of a stolen session cookie. Shortening the polling interval improves the security for logged out sessions, but might incur a minimal decrease in overall AM performance due to increased network activity. Set to <code>0</code> to disable this feature completely.",
"propertyOrder" : 2800,
"required" : true,
"type" : "integer"
},
"openam-session-stateless-blacklist-purge-delay" : {
"title" : "Blacklist Purge Delay (minutes)",
"description" : "When added to the maximum session time, specifies the amount of time that AM tracks logged out sessions.<br><br>Increase the blacklist purge delay if you expect system clock skews in a deployment of AM servers to be greater than one minute. There is no need to increase the blacklist purge delay for servers running a clock synchronization protocol, such as Network Time Protocol.",
"propertyOrder" : 2900,
"required" : true,
"type" : "integer"
},
"statelessSigningHmacSecret" : {
"title" : "Signing HMAC Shared Secret",
"description" : "Specifies the shared secret that AM uses when performing HMAC signing on the session JWT.<p><p>Specify a shared secret when using a \"Signing Algorithm Type\" of <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
"propertyOrder" : 2000,
"required" : true,
"type" : "string",
"format" : "password"
},
"statelessEncryptionAesKey" : {
"title" : "Encryption Symmetric AES Key",
"description" : "AES key for use with Direct or AES KeyWrap encryption modes.<br><br>The symmetric AES key is a base64-encoded random key.<p><p>For direct encryption with <code>AES-GCM</code> or for <code>AES-KeyWrap</code> with any content encryption method, this should be 128, 192, or 256 bits.<p><p>For direct encryption with <code>AES-CBC-HMAC</code>, the key should be double those sizes (one half for the AES key, the other half for the HMAC key).<p><p>AES key sizes greater than 128 bits require installation of the JCE Unlimited Strength policy files in your JRE.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string",
"format" : "password"
},
"statelessSigningType" : {
"title" : "Signing Algorithm Type",
"description" : "Specifies the algorithm that AM uses to sign the JSON Web Token (JWT) containing the session content. Signing the JWT enables tampering detection.<br><br>AM supports the following signing algorithms: <ul><li><strong>HS256</strong>. HMAC using SHA-256.</li><li><strong>HS384</strong>. HMAC using SHA-384.</li><li><strong>HS512</strong>. HMAC using SHA-512.</li><li><strong>RS256</strong>. RSASSA-PKCS1-v1_5 using SHA-256.</li><li><strong>ES256</strong>. ECDSA using SHA-256 and NIST standard P-256 elliptic curve.</li><li><strong>ES384</strong>. ECDSA using SHA-384 and NIST standard P-384 elliptic curve.</li><li><strong>ES512</strong>. ECDSA using SHA-512 and NIST standard P-521 elliptic curve.</li></ul>",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"statelessCompressionType" : {
"title" : "Compression Algorithm",
"description" : "If enabled the session state is compressed before signing and encryption.<br><br><strong>WARNING</strong>: Enabling compression may compromise encryption. This may leak information about the content of the session state if encryption is enabled.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"openam-session-stateless-enable-session-blacklisting" : {
"title" : "Enable Session Blacklisting",
"description" : "Blacklists client-based sessions that log out.<br><br>We recommend enabling this setting if the maximum session time is high. Blacklist state is stored in the Core Token Service (CTS) token store until the session expires, in order to ensure that sessions cannot continue to be used. Requires a server restart for changes to take effect.",
"propertyOrder" : 2600,
"required" : true,
"type" : "boolean"
},
"statelessSigningRsaCertAlias" : {
"title" : "Signing RSA/ECDSA Certificate Alias",
"description" : "Specify the alias of a certificate containing a public/private key pair that AM uses when performing RSA or ECDSA signing on the session JWT. Specify a signing certificate alias when using a \"Signing Algorithm Type\" of <code>RS256</code>, <code>ES256</code>, <code>ES384</code>, or <code>ES512</code>.<br><br>The certificate is retrieved from the keystore specified by the <code>com.sun.identity.saml.xmlsig.keystore</code> property.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"statelessEncryptionType" : {
"title" : "Encryption Algorithm",
"description" : "Specifies the algorithm that AM uses to encrypt the JSON Web Token (JWT) containing the session content.<br><br>AM supports the following encryption algorithms:<ul><li><strong>NONE</strong>. No encryption is selected.</li><li><strong>RSA</strong>. Session content is encrypted with AES using a unique key. The key is then encrypted with an RSA public key and appended to the JWT.<p><p>AM supports the following padding modes, which you can set using the <code>org.forgerock.openam.session.stateless.rsa.padding</code> advanced property:<ul><li><code>RSA1_5</code>. RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code>. RSA with optimal asymmetric encryption padding (OAEP) and SHA-1.</li><li><code>RSA-OAEP-256</code>. RSA with OAEP padding and SHA-256.</li></ul></li><li><strong>AES KeyWrapping</strong>. Session content is encrypted with AES using a unique key and is then wrapped using AES KeyWrap and the master key. This provides additional security, compared to RSA, at the cost of 128 or 256 bits (or 32 bytes) depending on the size of the master key. This method provides authenticated encryption, which removes the need for a separate signature and decreases the byte size of the JWT. See <a href=\"https://tools.ietf.org/html/rfc3394\" target=\"_blank\">RFC 3394</a>.</li><li><strong>Direct AES Encryption</strong>. Session content is encrypted with direct AES encryption with a symmetric key. This method provides authenticated encryption, which removes the need for a separate signature and decreases the byte size of the JWT. </li></ul><p><p><strong>Important</strong>: To prevent users from accidentally disabling all authentication support, which can be accomplished by disabling signing and not using an authenticated encryption mode, you must set the <code>org.forgerock.openam.session.stateless.signing.allownone</code> system property to <code>true</code> to turn off signing completely.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"statelessEncryptionRsaCertAlias" : {
"title" : "Encryption RSA Certificate Alias",
"description" : "Specifies the alias of a certificate containing a public/private key pair that AM uses when encrypting a JWT. Specify an encryption certificate alias when using an Encryption Algorithm Type of <code>RSA</code>.<br><br>The certificate is retrieved from the keystore referenced by the <code>com.sun.identity.saml.xmlsig.keystore</code> property.",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
}
}
},
"quotas" : {
"type" : "object",
"title" : "Session Quotas",
"propertyOrder" : 3,
"properties" : {
"behaviourWhenQuotaExhausted" : {
"title" : "Resulting behavior if session quota exhausted",
"description" : "Specify the action to take if a session quota is exhausted:<ul><li><strong>Deny Access</strong>. New session creation requests will be denied.</li><li><strong>Destroy Next Expiring</strong>. The session that would expire next will be destroyed.</li><li><strong>Destroy Oldest</strong>. The oldest session will be destroyed.</li><li><strong>Destroy All</strong>. All previous sessions will be destroyed.</li></ul>",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"iplanet-am-session-enable-session-constraint" : {
"title" : "Enable Quota Constraints",
"description" : "If on, then OpenAM allows you to set quota constraints on stateful sessions.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"denyLoginWhenRepoDown" : {
"title" : "Deny user login when session repository is down",
"description" : "This property only takes effect when the session quota constraint is enabled, and the session data store is unavailable.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"quotaConstraintMaxWaitTime" : {
"title" : "Read Timeout for Quota Constraint",
"description" : "Maximum wait time after which OpenAM considers a search for live session count as having failed if quota constraints are enabled, in milliseconds.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
}
}
},
"iplanet-am-session-constraint-resulting-behavior" : {
"title" : "Resulting behavior if session quota exhausted",
"description" : "Specify the action to take if a session quota is exhausted:<ul><li><strong>Deny Access</strong>. New session creation requests will be denied.</li><li><strong>Destroy Next Expiring</strong>. The session that would expire next will be destroyed.</li><li><strong>Destroy Oldest</strong>. The oldest session will be destroyed.</li><li><strong>Destroy All</strong>. All previous sessions will be destroyed.</li></ul>",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"search" : {
"type" : "object",
"title" : "Session Search",
"propertyOrder" : 1,
"properties" : {
"sessionListRetrievalTimeout" : {
"title" : "Timeout for Search",
"description" : "Time after which OpenAM sees an incomplete search as having failed, in seconds.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"maxSessionListSize" : {
"title" : "Maximum Number of Search Results",
"description" : "Maximum number of results from a session search. Do not set this attribute to a large value, for example more than 1000, unless sufficient system resources are allocated.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
},
"notifications" : {
"type" : "object",
"title" : "Session Property Change Notifications",
"propertyOrder" : 2,
"properties" : {
"propertyChangeNotifications" : {
"title" : "Enable Property Change Notifications",
"description" : "If on, then OpenAM notifies other applications participating in SSO when a session property in the Notification Properties list changes on a stateful session.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"notificationPropertyList" : {
"title" : "Notification Properties",
"description" : "Lists session properties for which OpenAM can send notifications upon modification. Session notification applies to stateful sessions only.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"latestAccessTimeUpdateFrequency" : {
"title" : "Latest Access Time Update Frequency",
"description" : "Defaults to <code>60</code> seconds. At most, AM updates a session's latest access time this often.<br><br>Subsequent touches to the session that occur within the specified number of seconds after an update will not cause additional updates to the session's access time.<p><p>Refreshing a session returns the idle time as the number of seconds since an update has occurred, which will be between <code>0</code> and the specified Latest Access Time Update Frequency.",
"required" : true,
"type" : "integer"
},
"dnRestrictionOnly" : {
"title" : "DN Restriction Only Enabled",
"description" : "If enabled, OpenAM will not perform DNS lookups when checking restrictions in cookie hijacking mode.",
"propertyOrder" : 1300,
"required" : true,
"type" : "boolean"
},
"timeoutHandlers" : {
"title" : "Session Timeout Handler implementations",
"description" : "Lists plugin classes implementing session timeout handlers. Specify the fully qualified name.",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"dynamic" : {
"properties" : {
"maxSessionTime" : {
"title" : "Maximum Session Time",
"description" : "Maximum time a session can remain valid before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"maxCachingTime" : {
"title" : "Maximum Caching Time",
"description" : "Maximum time before OpenAM refreshes a session that has been cached, in minutes.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"maxIdleTime" : {
"title" : "Maximum Idle Time",
"description" : "Maximum time a stateful session can remain idle before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"quotaLimit" : {
"title" : "Active User Sessions",
"description" : "Maximum number of concurrent stateful sessions OpenAM allows a user to have.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/socialauthentication
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"displayNames" : {
"title" : "Display Names",
"description" : "The display names for the implementations - this will be used to provide a name for the icon displayed on the login page. The key should be used across all the settings on this page to join them together.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>Google</td></tr></table>",
"propertyOrder" : 100,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"icons" : {
"title" : "Icons",
"description" : "Either a full URL or a path relative to the base of the site/server where the image can be found. The image will be used on the login page to link to the authentication chain defined above. The key should correspond to a key used to define a Display Name above.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>/images/google-sign-in.png</td></tr></table>",
"propertyOrder" : 300,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"authenticationChains" : {
"title" : "Authentication Chains",
"description" : "The name of the authentication chains that are the entry points to being authenticated by each respective social authentication provider. The key should correspond to a key used to define a Display Name above.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>socialAuthChainGoogle</td></tr></table>",
"propertyOrder" : 200,
"required" : true,
"type" : "object"
},
"enabledKeys" : {
"title" : "Enabled Implementations",
"description" : "Provide a key that has been used to define the settings above to enable that set of settings.<br><br>For example: google",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"displayNames" : {
"title" : "Display Names",
"description" : "The display names for the implementations - this will be used to provide a name for the icon displayed on the login page. The key should be used across all the settings on this page to join them together.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>Google</td></tr></table>",
"propertyOrder" : 100,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"icons" : {
"title" : "Icons",
"description" : "Either a full URL or a path relative to the base of the site/server where the image can be found. The image will be used on the login page to link to the authentication chain defined above. The key should correspond to a key used to define a Display Name above.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>/images/google-sign-in.png</td></tr></table>",
"propertyOrder" : 300,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"authenticationChains" : {
"title" : "Authentication Chains",
"description" : "The name of the authentication chains that are the entry points to being authenticated by each respective social authentication provider. The key should correspond to a key used to define a Display Name above.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>socialAuthChainGoogle</td></tr></table>",
"propertyOrder" : 200,
"required" : true,
"type" : "object"
},
"enabledKeys" : {
"title" : "Enabled Implementations",
"description" : "Provide a key that has been used to define the settings above to enable that set of settings.<br><br>For example: google",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/transaction
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"timeToLive" : {
"title" : "Time to Live",
"description" : "The number of seconds within which the transaction must be completed.",
"propertyOrder" : 0,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"timeToLive" : {
"title" : "Time to Live",
"description" : "The number of seconds within which the transaction must be completed.",
"propertyOrder" : 0,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/uma
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"permissionTicketLifetime" : {
"title" : "Permission Ticket Lifetime (seconds)",
"description" : "The maximum life of a permission ticket before it expires, in seconds.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"emailRequestingPartyOnPendingRequestApproval" : {
"title" : "Email Requesting Party on Pending Request approval",
"description" : "Specifies whether to send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"userProfileLocaleAttribute" : {
"title" : "User profile preferred Locale attribute",
"description" : "User profile attribute storing the user's preferred locale.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"resharingMode" : {
"title" : "Re-Sharing Mode",
"description" : "Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resource sets that have been shared with them.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"grantRptConditions" : {
"title" : "Grant RPTs...",
"description" : "In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scope matches, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. For more information, see the UMA Grant Type specification section on Authorization Assessment and Results Determination.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"emailResourceOwnerOnPendingRequestCreation" : {
"title" : "Email Resource Owner on Pending Request creation",
"description" : "Specifies whether to send an email to the Resource Owner when a Pending Request is created when a Requesting Party requests authorization to a resource.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"deleteResourceSetsOnDeleteRS" : {
"title" : "Delete resource sets when Resource Server is removed",
"description" : "Delete all resource sets that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"pendingRequestsEnabled" : {
"title" : "Pending Requests Enabled",
"description" : "Specifies whether to use the Pending Requests subsystem that notifies the resource owner that an attempt to access a resource was made.",
"propertyOrder" : 450,
"required" : true,
"type" : "boolean"
},
"deletePoliciesOnDeleteRS" : {
"title" : "Delete user policies when Resource Server is removed",
"description" : "Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"permissionTicketLifetime" : {
"title" : "Permission Ticket Lifetime (seconds)",
"description" : "The maximum life of a permission ticket before it expires, in seconds.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"emailRequestingPartyOnPendingRequestApproval" : {
"title" : "Email Requesting Party on Pending Request approval",
"description" : "Specifies whether to send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"userProfileLocaleAttribute" : {
"title" : "User profile preferred Locale attribute",
"description" : "User profile attribute storing the user's preferred locale.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"resharingMode" : {
"title" : "Re-Sharing Mode",
"description" : "Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resource sets that have been shared with them.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"grantRptConditions" : {
"title" : "Grant RPTs...",
"description" : "In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scope matches, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. For more information, see the UMA Grant Type specification section on Authorization Assessment and Results Determination.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"emailResourceOwnerOnPendingRequestCreation" : {
"title" : "Email Resource Owner on Pending Request creation",
"description" : "Specifies whether to send an email to the Resource Owner when a Pending Request is created when a Requesting Party requests authorization to a resource.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"deleteResourceSetsOnDeleteRS" : {
"title" : "Delete resource sets when Resource Server is removed",
"description" : "Delete all resource sets that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"pendingRequestsEnabled" : {
"title" : "Pending Requests Enabled",
"description" : "Specifies whether to use the Pending Requests subsystem that notifies the resource owner that an attempt to access a resource was made.",
"propertyOrder" : 450,
"required" : true,
"type" : "boolean"
},
"deletePoliciesOnDeleteRS" : {
"title" : "Delete user policies when Resource Server is removed",
"description" : "Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/user
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"dynamic" : {
"properties" : {
"adminDNStartingView" : {
"title" : "Administrator DN Starting View",
"description" : "Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console.",
"propertyOrder" : 200,
"required" : false,
"type" : "string"
},
"defaultUserStatus" : {
"title" : "Default User Status",
"description" : "Inactive users cannot authenticate, though OpenAM stores their profiles.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"preferredTimezone" : {
"title" : "User Preferred Timezone",
"description" : "Time zone for accessing OpenAM console.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"dynamic" : {
"properties" : {
"adminDNStartingView" : {
"title" : "Administrator DN Starting View",
"description" : "Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console.",
"propertyOrder" : 200,
"required" : false,
"type" : "string"
},
"defaultUserStatus" : {
"title" : "Default User Status",
"description" : "Inactive users cannot authenticate, though OpenAM stores their profiles.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"preferredTimezone" : {
"title" : "User Preferred Timezone",
"description" : "Time zone for accessing OpenAM console.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/services/validation
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"validGotoDestinations" : {
"title" : "Valid goto URL Resources",
"description" : "List of valid goto URL resources.<br><br>OpenAM's default behavior after login or logout is to redirect the user to the URL specified in the <code>goto</code> or <code>gotoOnFail</code> query string parameters supplied to the authentication interface during login or logout. <p><p>To enhance security, a list of valid URL resources can be specified here so OpenAM can validate the <code>goto</code> and <code>gotoOnFail</code> URL against them. <p><p>OpenAM will only redirect a user after login or logout if the URL matches any of the resources specified in this property. If the URL does not match, the user is redirected to either the user profile page or administration console after login, or the logged out page after logout. If this property is not set, it is assumed that all redirect URLs are valid.<p><p>The resources defined here can have the <code>*</code> wildcard defined, which matches all characters except <code>?</code>. Example values for this setting:<ul><li><code>http://app.example.com:80/*</code></li><li><code>http://app.example.com:80/*?*</code></li></ul>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaults" : {
"properties" : {
"validGotoDestinations" : {
"title" : "Valid goto URL Resources",
"description" : "List of valid goto URL resources.<br><br>OpenAM's default behavior after login or logout is to redirect the user to the URL specified in the <code>goto</code> or <code>gotoOnFail</code> query string parameters supplied to the authentication interface during login or logout. <p><p>To enhance security, a list of valid URL resources can be specified here so OpenAM can validate the <code>goto</code> and <code>gotoOnFail</code> URL against them. <p><p>OpenAM will only redirect a user after login or logout if the URL matches any of the resources specified in this property. If the URL does not match, the user is redirected to either the user profile page or administration console after login, or the logged out page after logout. If this property is not set, it is assumed that all redirect URLs are valid.<p><p>The resources defined here can have the <code>*</code> wildcard defined, which matches all characters except <code>?</code>. Example values for this setting:<ul><li><code>http://app.example.com:80/*</code></li><li><code>http://app.example.com:80/*?*</code></li></ul>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"type" : "object",
"title" : "Realm Defaults"
}
}
}
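The `validGotoDestinations` description in the Read and Update schemas above states the matching rule: each entry is matched literally except for `*`, which matches any run of characters other than `?`, and an unset property accepts every redirect URL. The following Python is an added example, not code from the page or from OpenAM, that implements exactly that rule as a redirect allowlist check; the allowlist entries mirror the page's own example values, and `DEFAULT_AFTER_LOGIN` is a hypothetical stand-in for the profile or console page a rejected `goto` falls back to.

```python
import re
from typing import Iterable, Optional

# Constructed allowlist in the shape of the page's example values; not taken
# from a real deployment.
VALID_GOTO_DESTINATIONS = [
    "http://app.example.com:80/*",
    "http://app.example.com:80/*?*",
]

# Hypothetical stand-in for the page a user is sent to when the goto URL is
# rejected (profile page / console after login, logged-out page after logout).
DEFAULT_AFTER_LOGIN = "/profile"


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile one validGotoDestinations entry into a regex.

    Every character is matched literally except '*', which becomes "any run of
    characters that does not contain '?'", the rule the setting describes.
    """
    literal_pieces = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("[^?]*".join(literal_pieces))


def goto_is_valid(url: str, allowed: Optional[Iterable[str]]) -> bool:
    """True when the URL fully matches at least one allowed resource pattern.

    None models the property being unset, which the description says accepts
    every redirect URL; an empty list accepts nothing.
    """
    if allowed is None:
        return True
    return any(pattern_to_regex(p).fullmatch(url) is not None for p in allowed)


def resolve_redirect(goto: Optional[str], allowed: Optional[Iterable[str]],
                     fallback: str = DEFAULT_AFTER_LOGIN) -> str:
    """Return the URL to redirect to after login or logout.

    A goto value that fails validation is never used; the caller lands on the
    fallback page instead, which is the behaviour the setting describes.
    """
    if goto and goto_is_valid(goto, allowed):
        return goto
    return fallback
```

Two points worth noticing when running it: `http://app.example.com:80/a?b?c` is rejected even by the second pattern, because the `*` after `?` cannot absorb a second `?`; and a URL that merely contains the allowed prefix somewhere inside it (`http://evil.example.net/http://app.example.com:80/`) is rejected because the match is anchored over the whole string. This models only the rule the description states; it does not attempt the additional URL normalisation a real server may apply.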
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/global-config/sites
1.0
This version 1.0 sites service represents a Sites resource with CQ operations on the users collection and CRUDPA operations available for the site item. Items can have server version 1.0 subresources.
Create
Create new site entry
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Site schema.",
"type" : "object",
"title" : "Site schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Name",
"description" : "Site name."
},
"id" : {
"type" : "string",
"title" : "Site id",
"description" : "Site's unique identifier.",
"javaName" : "siteId"
},
"url" : {
"type" : "string",
"title" : "Primary URL",
"description" : "Site primary URL."
},
"secondaryURLs" : {
"type" : "array",
"title" : "Secondary URLs",
"description" : "Secondary URLs for this site.",
"items" : {
"type" : "string"
}
},
"servers" : {
"type" : "array",
"title" : "Assigned Servers",
"description" : "Servers assigned to this site.",
"items" : {
"type" : "object",
"properties" : {
"id" : {
"type" : "string",
"title" : "Server id",
"description" : "Server's unique identifier for the site."
},
"url" : {
"type" : "string",
"title" : "Server URL",
"description" : "Server URL of the site"
}
}
}
}
}
}
| Code | Description |
|---|---|
| | Internal server error happened during the read process. Cause can be: * Site with id already exists * Could not create site * Could not read site just created |
Action: schema
Sites schema action that returns the sites schema json
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Site schema action response schema.",
"type" : "object",
"title" : "Site schema action schema"
}
Action: template
Sites template action that returns a template json object for site insert
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Site action template response schema.",
"type" : "object",
"title" : "Site template action schema",
"properties" : {
"url" : {
"type" : "string",
"title" : "Site URL",
"description" : "Site primary URL."
},
"servers" : {
"type" : "array",
"title" : "Servers",
"description" : "Site servers.",
"items" : {
"type" : "string"
}
},
"secondaryURLs" : {
"type" : "array",
"title" : "Secondary URLs",
"description" : "Site secondary URLs.",
"items" : {
"type" : "string"
}
}
}
}
Query by Filter
Query the collection of site entries
| Stability | MVCC | Queryable Fields | Paging Modes | Page Count Policies |
|---|---|---|---|---|
| STABLE | ⃠ | | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Site schema.",
"type" : "object",
"title" : "Site schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Name",
"description" : "Site name."
},
"id" : {
"type" : "string",
"title" : "Site id",
"description" : "Site's unique identifier.",
"javaName" : "siteId"
},
"url" : {
"type" : "string",
"title" : "Primary URL",
"description" : "Site primary URL."
},
"secondaryURLs" : {
"type" : "array",
"title" : "Secondary URLs",
"description" : "Secondary URLs for this site.",
"items" : {
"type" : "string"
}
},
"servers" : {
"type" : "array",
"title" : "Assigned Servers",
"description" : "Servers assigned to this site.",
"items" : {
"type" : "object",
"properties" : {
"id" : {
"type" : "string",
"title" : "Server id",
"description" : "Server's unique identifier for the site."
},
"url" : {
"type" : "string",
"title" : "Server URL",
"description" : "Server URL of the site"
}
}
}
}
}
}
| Code | Description |
|---|---|
| | Query only supports |
| | Internal server error happened during the query process. Could not read site |
/global-config/sites/{sitesId}
1.0
This version 1.0 sites service represents a Sites resource with CQ operations on the users collection and CRUDPA operations available for the site item. Items can have server version 1.0 subresources.
Create
Create new site entry
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The site name from the path | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Site schema.",
"type" : "object",
"title" : "Site schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Name",
"description" : "Site name."
},
"id" : {
"type" : "string",
"title" : "Site id",
"description" : "Site's unique identifier.",
"javaName" : "siteId"
},
"url" : {
"type" : "string",
"title" : "Primary URL",
"description" : "Site primary URL."
},
"secondaryURLs" : {
"type" : "array",
"title" : "Secondary URLs",
"description" : "Secondary URLs for this site.",
"items" : {
"type" : "string"
}
},
"servers" : {
"type" : "array",
"title" : "Assigned Servers",
"description" : "Servers assigned to this site.",
"items" : {
"type" : "object",
"properties" : {
"id" : {
"type" : "string",
"title" : "Server id",
"description" : "Server's unique identifier for the site."
},
"url" : {
"type" : "string",
"title" : "Server URL",
"description" : "Server URL of the site"
}
}
}
}
}
}
| Code | Description |
|---|---|
| | Internal server error happened during the read process. Cause can be: * Site with id already exists * Could not create site * Could not read site just created |
Read
Read a site entry
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The site name from the path | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Site schema.",
"type" : "object",
"title" : "Site schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Name",
"description" : "Site name."
},
"id" : {
"type" : "string",
"title" : "Site id",
"description" : "Site's unique identifier.",
"javaName" : "siteId"
},
"url" : {
"type" : "string",
"title" : "Primary URL",
"description" : "Site primary URL."
},
"secondaryURLs" : {
"type" : "array",
"title" : "Secondary URLs",
"description" : "Secondary URLs for this site.",
"items" : {
"type" : "string"
}
},
"servers" : {
"type" : "array",
"title" : "Assigned Servers",
"description" : "Servers assigned to this site.",
"items" : {
"type" : "object",
"properties" : {
"id" : {
"type" : "string",
"title" : "Server id",
"description" : "Server's unique identifier for the site."
},
"url" : {
"type" : "string",
"title" : "Server URL",
"description" : "Server URL of the site"
}
}
}
}
}
}
| Code | Description |
|---|---|
| | Invalid ssoToken |
| | Cannot find site |
| | Internal server error happened during the query process. Cause can be: * Error reading configuration for site * Error reading SMS |
Update
Update a site entry
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The site name from the path | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Site schema.",
"type" : "object",
"title" : "Site schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Name",
"description" : "Site name."
},
"id" : {
"type" : "string",
"title" : "Site id",
"description" : "Site's unique identifier.",
"javaName" : "siteId"
},
"url" : {
"type" : "string",
"title" : "Primary URL",
"description" : "Site primary URL."
},
"secondaryURLs" : {
"type" : "array",
"title" : "Secondary URLs",
"description" : "Secondary URLs for this site.",
"items" : {
"type" : "string"
}
},
"servers" : {
"type" : "array",
"title" : "Assigned Servers",
"description" : "Servers assigned to this site.",
"items" : {
"type" : "object",
"properties" : {
"id" : {
"type" : "string",
"title" : "Server id",
"description" : "Server's unique identifier for the site."
},
"url" : {
"type" : "string",
"title" : "Server URL",
"description" : "Server URL of the site"
}
}
}
}
}
}
| Code | Description |
|---|---|
| | Internal server error happened during the update process. Cause can be: * Could not read site * Revision did not match * Could not update site * Could not read site after just updating it |
Delete
Delete site entry
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The site name from the path | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Site schema.",
"type" : "object",
"title" : "Site schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Name",
"description" : "Site name."
},
"id" : {
"type" : "string",
"title" : "Site id",
"description" : "Site's unique identifier.",
"javaName" : "siteId"
},
"url" : {
"type" : "string",
"title" : "Primary URL",
"description" : "Site primary URL."
},
"secondaryURLs" : {
"type" : "array",
"title" : "Secondary URLs",
"description" : "Secondary URLs for this site.",
"items" : {
"type" : "string"
}
},
"servers" : {
"type" : "array",
"title" : "Assigned Servers",
"description" : "Servers assigned to this site.",
"items" : {
"type" : "object",
"properties" : {
"id" : {
"type" : "string",
"title" : "Server id",
"description" : "Server's unique identifier for the site."
},
"url" : {
"type" : "string",
"title" : "Server URL",
"description" : "Server URL of the site"
}
}
}
}
}
}
| Code | Description |
|---|---|
| | Internal server error happened during the delete process. Cause can be: * Could not read site * Revision did not match * Site still has servers attached to it * Could not delete site |
/global-config/webhooks
1.0
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/policies
1.0
The Policy resource endpoint is responsible for managing policies. The available operations are create, read, update, delete, query, evaluate action, and evaluate tree action. Policies are realm specific, hence the URI for the policies API can contain a realm component. If the realm is not specified in the URI, the top level realm is used.
Create
Create new policy
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be the following: * Missing privilege name * Invalid json provided in the request * Invalid value found in json * Invalid policy name provided in json * Resource name and JSON body name do not match * Query id missing UID * Invalid query id * Invalid search filter * Empty privilege name * Entitlement value was NULL * No resource type was expected * Policy defines invalid resource type * The provided resourceId does not match to the UUID in the json file |
| | Permission Denied to access or create policy |
Action: evaluate
Request policy decisions for specific resources
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Evaluate action schema",
"title" : "Evaluate action schema",
"type" : "object",
"properties" : {
"resources" : {
"type" : "array",
"title" : "Resources",
"description" : "Specifies the list of resources for which to return decisions",
"items" : {
"type" : "string"
}
},
"application" : {
"title" : "Application",
"description" : "Holds the name of the application, and defaults to \"iPlanetAMWebAgentService\" if not specified",
"type" : "string"
},
"subject" : {
"title" : "Subject",
"description" : "Holds an object that represents the subject. You can specify one or more of the following keys. If you specify multiple keys, the subject can have multiple associated principals, and you can use subject conditions corresponding to any type in the request",
"type" : "object",
"properties" : {
"ssoToken" : {
"title" : "SSOToken",
"description" : "The value is the SSO token ID string for the subject",
"type" : "string"
},
"jwt" : {
"title" : "JWT",
"description" : "The value is a JWT string",
"type" : "string"
},
"claims" : {
"title" : "Claims",
"description" : "The value is an object (map) of JWT claims to their values.",
"type" : "object",
"additionalProperties" : {
"type" : "string"
}
}
}
},
"environment" : {
"title" : "Environment",
"description" : "Holds a map of keys to lists of values",
"type" : "object",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
},
"required" : [ "resources", "application" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Evaluate and evaluateTree schema response",
"title" : "Evaluate and evaluateTree schema response",
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"resource" : {
"title" : "Resource",
"description" : "Specifies the root resource for the decisions to return",
"type" : "string"
},
"actions" : {
"type" : "object",
"title" : "Actions",
"description" : "A map of action name keys to Boolean values that indicate whether the action is allowed (true) or denied (false) for the specified resource",
"additionalProperties" : {
"type" : "boolean"
}
},
"attributes" : {
"type" : "object",
"title" : "Attributes",
"description" : "A map of attribute names to their values, if any response attributes are returned according to applicable policies",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
},
"advices" : {
"type" : "object",
"title" : "Advices",
"description" : "A map of advice names to their values, if any advice is returned according to applicable policies",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
}
}
| Code | Description |
|---|---|
| | The requested action is not supported on policies |
| | Unexpected server error happened during the process |
| | Unsupported operation |
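The evaluate request and response schemas above define the exchange a policy enforcement point has with this endpoint: the caller sends `resources` and `application` (both required) plus an optional `subject` (`ssoToken`, `jwt` or `claims`) and an `environment` map of string lists, and receives an array of per-resource entries whose `actions` map holds a boolean per action, alongside `attributes` and `advices`. The Python below is an added example, not code from the page or from OpenAM, that builds a body conforming to the request schema and reads the response fail-closed, so a resource that is missing from the response or an action the `actions` map does not mention is treated as denied rather than allowed. The sample response, the token value and the environment key are constructed; `AuthLevelConditionAdvice` is used only as a sample advice name. The evaluateTree request differs only in naming a single root `resource` instead of the `resources` list.

```python
import json
from typing import Any, Dict, Iterable, List, Optional, Union

# The default application name the schema describes for an omitted "application".
DEFAULT_APPLICATION = "iPlanetAMWebAgentService"


def build_evaluate_request(resources: Iterable[str],
                           application: str = DEFAULT_APPLICATION,
                           sso_token: Optional[str] = None,
                           jwt: Optional[str] = None,
                           claims: Optional[Dict[str, Any]] = None,
                           environment: Optional[Dict[str, Union[str, List[str]]]] = None,
                           ) -> Dict[str, Any]:
    """Build a request body that conforms to the evaluate action schema.

    'resources' and 'application' are the schema's required keys. 'subject'
    is emitted only when at least one of its keys was supplied, and every
    'environment' value is coerced into the list-of-strings form the schema
    requires, so a single string is still sent as a one-element list.
    """
    resources = list(resources)
    if not resources:
        raise ValueError("'resources' must name at least one resource")
    if not application:
        raise ValueError("'application' is required")
    body: Dict[str, Any] = {"resources": resources, "application": application}
    subject: Dict[str, Any] = {}
    if sso_token:
        subject["ssoToken"] = sso_token
    if jwt:
        subject["jwt"] = jwt
    if claims:
        subject["claims"] = {k: str(v) for k, v in claims.items()}
    if subject:
        body["subject"] = subject
    if environment:
        body["environment"] = {
            k: [str(x) for x in (v if isinstance(v, (list, tuple, set)) else [v])]
            for k, v in environment.items()
        }
    return body


def is_allowed(decisions: List[Dict[str, Any]], resource: str, action: str) -> bool:
    """Fail-closed reading of an evaluate response.

    Only an explicit true in the resource's 'actions' map grants the action;
    an absent resource, an absent action, or a non-boolean value all deny.
    """
    for entry in decisions:
        if entry.get("resource") == resource:
            return entry.get("actions", {}).get(action, False) is True
    return False


def advices_for(decisions: List[Dict[str, Any]], resource: str) -> Dict[str, List[str]]:
    """Return the advices map for a resource, empty when none were returned.

    Advices are what the enforcement point acts on when a decision was denied
    for a reason the user could satisfy (for example by authenticating again).
    """
    for entry in decisions:
        if entry.get("resource") == resource:
            return dict(entry.get("advices") or {})
    return {}


# Constructed sample response in the shape of the response schema; not output
# captured from a real server.
SAMPLE_RESPONSE: List[Dict[str, Any]] = json.loads("""
[
  {"resource": "http://www.example.com:80/index.html",
   "actions": {"GET": true, "POST": false},
   "attributes": {"mail": ["alice@example.com"]},
   "advices": {}},
  {"resource": "http://www.example.com:80/admin/",
   "actions": {},
   "attributes": {},
   "advices": {"AuthLevelConditionAdvice": ["2"]}}
]
""")
```

Sending the body is left to whatever HTTP client and authentication the deployment uses; the point of the example is the shape of the two messages and the fail-closed interpretation of the second one, which is what keeps an empty `actions` map (as for the admin entry in the sample) from being read as permission.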
Action: evaluateTree
Request policy decisions for a tree of resources
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Evaluate tree action schema",
"title" : "Evaluate tree action schema",
"type" : "object",
"properties" : {
"resource" : {
"title" : "Resource",
"description" : "Specifies the root resource for the decisions to return",
"type" : "string"
},
"application" : {
"title" : "Application",
"description" : "Holds the name of the application, and defaults to \"iPlanetAMWebAgentService\" if not specified",
"type" : "string"
},
"subject" : {
"title" : "Subject",
"description" : "Holds an object that represents the subject. You can specify one or more of the following keys. If you specify multiple keys, the subject can have multiple associated principals, and you can use subject conditions corresponding to any type in the request",
"type" : "object",
"properties" : {
"ssoToken" : {
"title" : "SSOToken",
"description" : "The value is the SSO token ID string for the subject",
"type" : "string"
},
"jwt" : {
"title" : "JWT",
"description" : "The value is a JWT string",
"type" : "string"
},
"claims" : {
"title" : "Claims",
"description" : "The value is an object (map) of JWT claims to their values.",
"type" : "object",
"additionalProperties" : {
"type" : "string"
}
}
}
},
"environment" : {
"title" : "Environment",
"description" : "Holds a map of keys to lists of values",
"type" : "object",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
},
"required" : [ "resource", "application" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Evaluate and evaluateTree schema response",
"title" : "Evaluate and evaluateTree schema response",
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"resource" : {
"title" : "Resource",
"description" : "Specifies the root resource for the decisions to return",
"type" : "string"
},
"actions" : {
"type" : "object",
"title" : "Actions",
"description" : "A map of action name keys to Boolean values that indicate whether the action is allowed (true) or denied (false) for the specified resource",
"additionalProperties" : {
"type" : "boolean"
}
},
"attributes" : {
"type" : "object",
"title" : "Attributes",
"description" : "A map of attribute names to their values, if any response attributes are returned according to applicable policies",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
},
"advices" : {
"type" : "object",
"title" : "Advices",
"description" : "A map of advice names to their values, if any advice is returned according to applicable policies",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
}
}
| Code | Description |
|---|---|
| | The requested action is not supported on policies |
| | Unexpected server error happened during the process |
| | Unsupported operation |
Query by Filter
Query the stored policies
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String containing the name of the policy. When the policy name also appears in the request URL, the two must match",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the actions provided by the associated resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Conditions",
"description" : "Nested condition objects combined according to the parent \"type\" (\"AND\", \"OR\", or \"NOT\")",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be the following: * Missing privilege name * Invalid json provided in the request * Invalid value found in json * Invalid policy name provided in json * Resource name and JSON body name do not match * Query id missing UID * Invalid query id * Invalid search filter * Empty privilege name * Entitlement value was NULL * No resource type was expected * Policy defines invalid resource type * The provided resourceId does not match to the UUID in the json file |
2.0
The Policy resource endpoint manages policies. The available operations are create, read, update, delete, query, and the evaluate and evaluateTree actions. Policies are realm specific, so the URI for the policies API can contain a realm component; if no realm is specified in the URI, the top-level realm is used.
Create
Create new policy
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String containing the name of the policy. When the policy name also appears in the request URL, the two must match",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the actions provided by the associated resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Conditions",
"description" : "Nested condition objects combined according to the parent \"type\" (\"AND\", \"OR\", or \"NOT\")",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be the following: * Missing privilege name * Invalid json provided in the request * Invalid value found in json * Invalid policy name provided in json * Resource name and JSON body name do not match * Query id missing UID * Invalid query id * Invalid search filter * Empty privilege name * Entitlement value was NULL * No resource type was expected * Policy defines invalid resource type * The provided resourceId does not match to the UUID in the json file |
| | Permission Denied to access or create policy |
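Most of the 400 causes listed above are structural: a name that does not match, an action the resource type does not offer, a resource string that fits none of the resource type's pattern templates, or a malformed subject/condition tree. The following Python is an added example (not OpenAM's own code) that builds a policy document in the shape of the Policy Resource Schema and checks those constraints client-side before the create request is sent. The sample resource type and its field layout (uuid, patterns, actions), the wildcard semantics assumed for `*` and `-*-` in pattern templates, the leaf subject and condition types (AuthenticatedUsers, Identity, IPv4, AuthLevel, Static), the realm URL layout and the token header name are all assumptions; the schema itself only fixes the AND/OR/NOT combinators.

```python
"""Author and sanity-check an OpenAM policy document before creating it.

Added example (not OpenAM's own code). It follows the Policy Resource Schema;
the resource type layout, the wildcard semantics for "*" and "-*-", the leaf
subject/condition types and the request URL/headers are assumptions.
"""
import json
import re

# Constructed sample resource type; assumed fields: uuid, name, patterns, actions.
URL_RESOURCE_TYPE = {
    "uuid": "76656a38-5f8e-401b-83aa-4ccb74ce88d2",
    "name": "URL",
    "patterns": ["*://*:*/*", "*://*:*/*?*"],
    "actions": {"GET": True, "POST": True, "PUT": True, "DELETE": True},
}


def template_regex(template: str) -> re.Pattern:
    """Assumed URL wildcards: '*' spans anything except '?', '-*-' anything except '/' and '?'."""
    parts, i = [], 0
    while i < len(template):
        if template.startswith("-*-", i):
            parts.append("[^/?]*")
            i += 3
        elif template[i] == "*":
            parts.append("[^?]*")
            i += 1
        else:
            parts.append(re.escape(template[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def check_tree(node, kind: str) -> list:
    """AND/OR carry a '<kind>s' list, NOT carries one '<kind>', anything else is a pluggable leaf."""
    if node is None:
        return []
    if not isinstance(node, dict) or not isinstance(node.get("type"), str):
        return [f"{kind}: every node needs a string 'type'"]
    t = node["type"]
    if t in ("AND", "OR"):
        children = node.get(kind + "s")
        if not isinstance(children, list) or not children:
            return [f"{kind}: {t} needs a non-empty '{kind}s' list"]
        return [p for child in children for p in check_tree(child, kind)]
    if t == "NOT":
        return check_tree(node[kind], kind) if kind in node else [f"{kind}: NOT needs one '{kind}'"]
    return []


def validate_policy(policy: dict, resource_type: dict) -> list:
    """Return the problems the server's 400 responses would otherwise report."""
    problems = []
    if not policy.get("name"):
        problems.append("name: required; must equal the policy name used in the URL")
    if policy.get("resourceTypeUuid") != resource_type["uuid"]:
        problems.append("resourceTypeUuid: does not reference the supplied resource type")
    unknown = sorted(set(policy.get("actionValues", {})) - set(resource_type["actions"]))
    if unknown:
        problems.append(f"actionValues: not offered by resource type: {unknown}")
    templates = [template_regex(t) for t in resource_type["patterns"]]
    for res in policy.get("resources", []):
        if not any(t.match(res) for t in templates):
            problems.append(f"resources: {res!r} matches no pattern template of the resource type")
    problems += check_tree(policy.get("subject"), "subject")
    problems += check_tree(policy.get("condition"), "condition")
    if policy.get("active") is not True:
        problems.append("active: defaults to false, so the policy would be stored but never evaluated")
    return problems


def sample_policy() -> dict:
    """Constructed policy: authenticated users except one account, only from an office range at auth level 2."""
    return {
        "name": "admin-console",
        "active": True,
        "description": "Admin console reachable only from the office network",
        "applicationName": "iPlanetAMWebAgentService",
        "resourceTypeUuid": URL_RESOURCE_TYPE["uuid"],
        "resources": ["https://admin.example.com:443/console/*"],
        "actionValues": {"GET": True, "POST": True, "DELETE": False},
        # Leaf types below are assumed built-in names; the schema only fixes AND/OR/NOT.
        "subject": {"type": "AND", "subjects": [
            {"type": "AuthenticatedUsers"},
            {"type": "NOT", "subject": {"type": "Identity",
                                        "subjectValues": ["id=contractor,ou=user,dc=openam,dc=forgerock,dc=org"]}},
        ]},
        "condition": {"type": "AND", "conditions": [
            {"type": "IPv4", "startIp": "10.1.0.0", "endIp": "10.1.255.255"},
            {"type": "AuthLevel", "authLevel": 2},
        ]},
        "resourceAttributes": [{"type": "Static", "propertyName": "owner", "propertyValues": ["platform-team"]}],
    }


def create_request(policy: dict, base_url: str, realm: str, sso_token: str) -> tuple:
    """(method, url, headers, body) for the 2.0 create action; URL layout and token header name are assumed."""
    url = f"{base_url}/json{realm}/policies?_action=create"
    headers = {"Content-Type": "application/json",
               "Accept-API-Version": "resource=2.0, protocol=1.0",
               "iPlanetDirectoryPro": sso_token}
    return "POST", url, headers, json.dumps(policy)


if __name__ == "__main__":
    pol = sample_policy()
    print(validate_policy(pol, URL_RESOURCE_TYPE) or "policy is well-formed")
    bad = dict(pol, resources=["https://admin.example.com/console/*"], actionValues={"GET": True, "EXEC": True})
    print(validate_policy(bad, URL_RESOURCE_TYPE))
```

The `active` check is deliberate: a policy created with the default `false` is accepted by the server and silently never enforced, which is easy to miss when automating policy rollout.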
Action: evaluate
Request policy decisions for specific resources
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Evaluate action schema",
"title" : "Evaluate action schema",
"type" : "object",
"properties" : {
"resources" : {
"type" : "array",
"title" : "Resources",
"description" : "Specifies the list of resources for which to return decisions",
"items" : {
"type" : "string"
}
},
"application" : {
"title" : "Application",
"description" : "Holds the name of the application, and defaults to \"iPlanetAMWebAgentService\" if not specified",
"type" : "string"
},
"subject" : {
"title" : "Subject",
"description" : "Holds an object that represents the subject. You can specify one or more of the following keys. If you specify multiple keys, the subject can have multiple associated principals, and you can use subject conditions corresponding to any type in the request",
"type" : "object",
"properties" : {
"ssoToken" : {
"title" : "SSOToken",
"description" : "The value is the SSO token ID string for the subject",
"type" : "string"
},
"jwt" : {
"title" : "JWT",
"description" : "The value is a JWT string",
"type" : "string"
},
"claims" : {
"title" : "Claims",
"description" : "The value is an object (map) of JWT claims to their values.",
"type" : "object",
"additionalProperties" : {
"type" : "string"
}
}
}
},
"environment" : {
"title" : "Environment",
"description" : "Holds a map of keys to lists of values",
"type" : "object",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
},
"required" : [ "resources", "application" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Evaluate and evaluateTree schema response",
"title" : "Evaluate and evaluateTree schema response",
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"resource" : {
"title" : "Resource",
"description" : "Specifies the root resource for the decisions to return",
"type" : "string"
},
"actions" : {
"type" : "object",
"title" : "Actions",
"description" : "A map of action name keys to Boolean values that indicate whether the action is allowed (true) or denied (false) for the specified resource",
"additionalProperties" : {
"type" : "boolean"
}
},
"attributes" : {
"type" : "object",
"title" : "Attributes",
"description" : "A map of attribute names to their values, if any response attributes are returned according to applicable policies",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
},
"advices" : {
"type" : "object",
"title" : "Advices",
"description" : "A map of advice names to their values, if any advice is returned according to applicable policies",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
}
}
| Code | Description |
|---|---|
| | The requested action is not supported on policies |
| | Unexpected server error happened during the process |
| | Unsupported operation |
Action: evaluateTree
Request policy decisions for a tree of resources
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Evaluate tree action schema",
"title" : "Evaluate tree action schema",
"type" : "object",
"properties" : {
"resource" : {
"title" : "Resource",
"description" : "Specifies the root resource for the decisions to return",
"type" : "string"
},
"application" : {
"title" : "Application",
"description" : "Holds the name of the application, and defaults to \"iPlanetAMWebAgentService\" if not specified",
"type" : "string"
},
"subject" : {
"title" : "Subject",
"description" : "Holds an object that represents the subject. You can specify one or more of the following keys. If you specify multiple keys, the subject can have multiple associated principals, and you can use subject conditions corresponding to any type in the request",
"type" : "object",
"properties" : {
"ssoToken" : {
"title" : "SSOToken",
"description" : "The value is the SSO token ID string for the subject",
"type" : "string"
},
"jwt" : {
"title" : "JWT",
"description" : "The value is a JWT string",
"type" : "string"
},
"claims" : {
"title" : "Claims",
"description" : "The value is an object (map) of JWT claims to their values.",
"type" : "object",
"additionalProperties" : {
"type" : "string"
}
}
}
},
"environment" : {
"title" : "Environment",
"description" : "Holds a map of keys to lists of values",
"type" : "object",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
},
"required" : [ "resource", "application" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Evaluate and evaluateTree schema response",
"title" : "Evaluate and evaluateTree schema response",
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"resource" : {
"title" : "Resource",
"description" : "Specifies the root resource for the decisions to return",
"type" : "string"
},
"actions" : {
"type" : "object",
"title" : "Actions",
"description" : "A map of action name keys to Boolean values that indicate whether the action is allowed (true) or denied (false) for the specified resource",
"additionalProperties" : {
"type" : "boolean"
}
},
"attributes" : {
"type" : "object",
"title" : "Attributes",
"description" : "A map of attribute names to their values, if any response attributes are returned according to applicable policies",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
},
"advices" : {
"type" : "object",
"title" : "Advices",
"description" : "A map of advice names to their values, if any advice is returned according to applicable policies",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
}
}
| Code | Description |
|---|---|
| | The requested action is not supported on policies |
| | Unexpected server error happened during the process |
| | Unsupported operation |
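Both the evaluate action (a list of resources) and the evaluateTree action (one root resource, decisions for the matched resources beneath it) return the same array of decisions. The security-relevant part is on the consuming side: the `actions` map only lists actions that some applicable policy decided, so an action that is absent, or an empty map because no policy applied, must be treated as a deny, and `advices` carry what the subject would need to do (for example step-up authentication) before a decision can become an allow. The following Python is an added example (not OpenAM's own code) of a policy enforcement point that builds both request bodies from the schemas above and interprets the response fail-closed. The sample decisions, the `AuthLevelConditionAdvice` advice name, the `requestIp` environment key, the realm URL layout and the name of the header carrying the caller's own token are constructed or assumed.

```python
"""Consume decisions from the evaluate and evaluateTree actions on a policy enforcement point.

Added example, not OpenAM code. Request and response shapes follow the
evaluate / evaluateTree schemas and the shared response schema; the sample
decisions, the advice name, the environment key and the URL/header layout
are constructed or assumed.
"""
import json
import urllib.request

DEFAULT_APPLICATION = "iPlanetAMWebAgentService"


def evaluate_request(resources, application=DEFAULT_APPLICATION, sso_token=None, jwt=None,
                     claims=None, environment=None, tree=False) -> dict:
    """Body for ?_action=evaluate (list of resources) or ?_action=evaluateTree (one root resource)."""
    if tree:
        if not isinstance(resources, str) or not resources:
            raise ValueError("evaluateTree takes a single root resource string")
        body = {"resource": resources}
    else:
        if not resources:
            raise ValueError("evaluate needs at least one resource")
        body = {"resources": list(resources)}
    body["application"] = application
    subject = {}
    if sso_token:
        subject["ssoToken"] = sso_token
    if jwt:
        subject["jwt"] = jwt
    if claims:
        subject["claims"] = dict(claims)
    if subject:
        body["subject"] = subject
    if environment:
        body["environment"] = {k: list(v) for k, v in environment.items()}
    return body


def post_action(base_url, realm, action, body, caller_token):
    """Send the action. caller_token authenticates the enforcement point itself (agent or admin);
    the subject being authorised travels in body['subject']. Header name and URL layout are assumed."""
    req = urllib.request.Request(
        f"{base_url}/json{realm}/policies?_action={action}",
        data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json",
                 "Accept-API-Version": "resource=2.0, protocol=1.0",
                 "iPlanetDirectoryPro": caller_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def decision_for(decisions, resource):
    """Exact-match lookup; evaluateTree returns one entry per matched resource under the root."""
    return next((d for d in decisions if d.get("resource") == resource), None)


def is_allowed(decisions, resource, action) -> bool:
    """Fail closed: only an explicit true for this resource and action permits it.
    An absent decision or an empty 'actions' map means no policy applied, which is a deny."""
    d = decision_for(decisions, resource)
    return d is not None and d.get("actions", {}).get(action) is True


def required_auth_level(decisions, resource):
    """Step-up hint from an AuthLevelConditionAdvice entry (advice name assumed); None if absent."""
    d = decision_for(decisions, resource)
    levels = (d or {}).get("advices", {}).get("AuthLevelConditionAdvice", [])
    return max(int(v) for v in levels) if levels else None


def response_attributes(decisions, resource) -> dict:
    """Response attributes the applicable policies attached to the decision."""
    d = decision_for(decisions, resource)
    return dict((d or {}).get("attributes", {}))


# Constructed sample response for two resources: one decided, one blocked by an auth-level condition.
SAMPLE_DECISIONS = json.loads("""[
  {"resource": "https://app.example.com:443/reports/q1",
   "actions": {"GET": true, "POST": false},
   "attributes": {"department": ["finance"]}, "advices": {}},
  {"resource": "https://app.example.com:443/admin/users",
   "actions": {}, "attributes": {},
   "advices": {"AuthLevelConditionAdvice": ["2"]}}
]""")

if __name__ == "__main__":
    body = evaluate_request(["https://app.example.com:443/reports/q1"], sso_token="constructed-token",
                            environment={"requestIp": ["10.1.2.3"]})
    print(json.dumps(body))
    for res in ("https://app.example.com:443/reports/q1", "https://app.example.com:443/admin/users"):
        print(res, "GET allowed:", is_allowed(SAMPLE_DECISIONS, res, "GET"),
              "step-up to:", required_auth_level(SAMPLE_DECISIONS, res))
```

Note the two tokens involved: the caller's token in the request header is what entitles the enforcement point to ask for decisions at all, while `subject.ssoToken` (or `jwt`/`claims`) identifies the user the decision is about. Mixing them up, for instance by sending the user's own token as the caller token, either fails or lets every user query decisions about everyone.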
Query by Filter
Query the stored policies
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String containing the name of the policy. When the policy name also appears in the request URL, the two must match",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the actions provided by the associated resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Conditions",
"description" : "Nested condition objects combined according to the parent \"type\" (\"AND\", \"OR\", or \"NOT\")",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be the following: * Missing privilege name * Invalid json provided in the request * Invalid value found in json * Invalid policy name provided in json * Resource name and JSON body name do not match * Query id missing UID * Invalid query id * Invalid search filter * Empty privilege name * Entitlement value was NULL * No resource type was expected * Policy defines invalid resource type * The provided resourceId does not match to the UUID in the json file |
2.1
The Policy resource endpoint with copy and move support manages policies. It supports every operation of the previous version of the Policy resource endpoint (create, read, update, delete, query, and the evaluate and evaluateTree actions) and adds two actions, copy and move, for copying and moving policies between policy sets and realms.
Create
Create new policy
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String containing the name of the policy. When the policy name also appears in the request URL, the two must match",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the actions provided by the associated resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Conditions",
"description" : "Nested condition objects combined according to the parent \"type\" (\"AND\", \"OR\", or \"NOT\")",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be the following: * Missing privilege name * Invalid json provided in the request * Invalid value found in json * Invalid policy name provided in json * Resource name and JSON body name do not match * Query id missing UID * Invalid query id * Invalid search filter * Empty privilege name * Entitlement value was NULL * No resource type was expected * Policy defines invalid resource type * The provided resourceId does not match to the UUID in the json file |
| | Permission Denied to access or create policy |
Action: copy
Copy a list of policies
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Policy copy action schema",
"type" : "object",
"title" : "Policy copy action schema",
"properties" : {
"from" : {
"title" : "Copy/move from",
"description" : "Policy copy/move origin parameters",
"type" : "object",
"properties" : {
"application" : {
"title" : "Application",
"description" : "The policy set in which the input policies are located",
"type" : "string"
}
},
"required" : [ "application" ]
},
"to" : {
"type" : "object",
"title" : "Copy/Move To",
"description" : "Policy copy/move destination parameters",
"properties" : {
"application" : {
"title" : "Application",
"description" : "The policy set in which to place the output policy. Required when copying or moving a policy to a different policy set.",
"type" : "string"
},
"realm" : {
"title" : "Realm",
"description" : "The realm in which to place the output policy. If not specified, OpenAM copies or moves the policy within the realm identified in the URL. Required when copying or moving a policy to a different realm.",
"type" : "string"
},
"namePostfix" : {
"title" : "Name postfix",
"description" : "A value appended to output policy names in order to prevent name clashes",
"type" : "string"
}
},
"required" : [ "namePostfix" ]
},
"resourceTypeMapping" : {
"title" : "Resource type mapping",
"description" : "One or more resource type mappings, where the left side of each mapping is the UUID of a resource type used by the input policies and the right side is the UUID of a resource type used by the output policies. The two resource types should have the same resource patterns",
"type" : "object",
"additionalProperties" : {
"type" : "string"
}
}
},
"required" : [ "from", "to" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String containing the name of the policy. When the policy name also appears in the request URL, the two must match",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the actions provided by the associated resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Conditions",
"description" : "Nested condition objects combined according to the parent \"type\" (\"AND\", \"OR\", or \"NOT\")",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be the following: * Invalid json provided in the request * Invalid value found in json * Invalid policy name provided in json * copy/move from definition is missing * copy/move from application definition is missing * copy/move to definition is missing * Policy name already exists within the realm * Invalid destination realm |
| | Permission Denied to access or create policy |
| | Not Found error. The cause can be the following: * The Policy cannot be found * The required resource type cannot be found |
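Resource types are realm-scoped, so a policy copied into another realm cannot keep its `resourceTypeUuid`: the request has to map every source resource type UUID to one in the destination, and the mapped type has to offer the same patterns and the actions the policy uses, or the copy is refused with one of the 400 or 404 causes listed above. The following Python is an added example (not OpenAM's own code) that builds the copy/move body from the Policy copy action schema and runs that check locally, including the name clash that `namePostfix` exists to avoid. The sample policies, resource types and UUIDs are constructed, and the resource type field layout (uuid, name, patterns, actions) is an assumption.

```python
"""Preflight a 2.1 copy or move of policies into another realm.

Added example, not OpenAM code. It builds the request body from the
"Policy copy action schema" and checks locally what the server would
otherwise reject. Sample policies and resource types are constructed;
their field layout (uuid, name, patterns, actions) is assumed.
"""


def build_copy_request(from_application, name_postfix, to_realm=None,
                       to_application=None, resource_type_mapping=None) -> dict:
    """Body for ?_action=copy or ?_action=move; from.application, to and to.namePostfix are required."""
    if not from_application:
        raise ValueError("from.application is required")
    if name_postfix is None:
        raise ValueError("to.namePostfix is required")
    to = {"namePostfix": name_postfix}
    if to_realm:
        to["realm"] = to_realm              # omit to stay in the realm named in the URL
    if to_application:
        to["application"] = to_application  # required when changing policy set
    body = {"from": {"application": from_application}, "to": to}
    if resource_type_mapping:
        body["resourceTypeMapping"] = dict(resource_type_mapping)
    return body


def preflight_copy(policies, src_types, dst_types, mapping, dst_existing_names, name_postfix) -> list:
    """Problems that would become 400/404 responses; an empty list means the copy should succeed."""
    problems = []
    for pol in policies:
        out_name = pol["name"] + name_postfix
        if out_name in dst_existing_names:
            problems.append(f"{pol['name']}: output name {out_name!r} already exists in the destination realm")
        src_uuid = pol["resourceTypeUuid"]
        if src_uuid not in src_types:
            problems.append(f"{pol['name']}: source resource type {src_uuid} not found")
            continue
        dst_uuid = mapping.get(src_uuid)
        if dst_uuid is None:
            problems.append(f"{pol['name']}: no resourceTypeMapping entry for {src_uuid}")
            continue
        if dst_uuid not in dst_types:
            problems.append(f"{pol['name']}: mapped resource type {dst_uuid} not found in destination")
            continue
        src, dst = src_types[src_uuid], dst_types[dst_uuid]
        if set(src["patterns"]) != set(dst["patterns"]):
            problems.append(f"{pol['name']}: patterns of {src['name']} and {dst['name']} differ")
        missing = sorted(set(pol.get("actionValues", {})) - set(dst["actions"]))
        if missing:
            problems.append(f"{pol['name']}: destination type {dst['name']} lacks actions {missing}")
    return problems


def project_policy(policy, mapping, name_postfix, to_application=None) -> dict:
    """What the copied policy should look like; compare it against the server's response."""
    out = dict(policy)
    out["name"] = policy["name"] + name_postfix
    out["resourceTypeUuid"] = mapping[policy["resourceTypeUuid"]]
    if to_application:
        out["applicationName"] = to_application
    for key in ("createdBy", "creationDate", "lastModifiedBy", "lastModifiedDate"):
        out.pop(key, None)  # server-maintained metadata is regenerated on copy
    return out


# Constructed sample data: two realms, each with its own URL and Reports resource types.
SRC_TYPES = {
    "11111111-1111-4111-8111-111111111111": {"name": "URL", "patterns": ["*://*:*/*", "*://*:*/*?*"],
                                             "actions": {"GET": True, "POST": True}},
    "22222222-2222-4222-8222-222222222222": {"name": "Reports", "patterns": ["report:*"],
                                             "actions": {"VIEW": True, "EXPORT": True}},
}
DST_TYPES = {
    "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa": {"name": "URL", "patterns": ["*://*:*/*", "*://*:*/*?*"],
                                             "actions": {"GET": True, "POST": True}},
    "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb": {"name": "Reports", "patterns": ["report:*"],
                                             "actions": {"VIEW": True}},  # no EXPORT here
}
MAPPING = {"11111111-1111-4111-8111-111111111111": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
           "22222222-2222-4222-8222-222222222222": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"}
POLICIES = [
    {"name": "web-read", "applicationName": "iPlanetAMWebAgentService",
     "resourceTypeUuid": "11111111-1111-4111-8111-111111111111", "actionValues": {"GET": True}},
    {"name": "report-export", "applicationName": "iPlanetAMWebAgentService",
     "resourceTypeUuid": "22222222-2222-4222-8222-222222222222", "actionValues": {"VIEW": True, "EXPORT": True}},
]

if __name__ == "__main__":
    print(build_copy_request("iPlanetAMWebAgentService", "-staging", to_realm="/staging",
                             resource_type_mapping=MAPPING))
    for problem in preflight_copy(POLICIES, SRC_TYPES, DST_TYPES, MAPPING, {"web-read-staging"}, "-staging"):
        print("blocked:", problem)
```

The preflight is worth running before a move in particular: a move that fails half-way through a list of policies leaves the source realm partially enforced, whereas a copy can simply be retried.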
Action: evaluate
Request policy decisions for specific resources
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Evaluate action schema",
"title" : "Evaluate action schema",
"type" : "object",
"properties" : {
"resources" : {
"type" : "array",
"title" : "Resources",
"description" : "Specifies the list of resources for which to return decisions",
"items" : {
"type" : "string"
}
},
"application" : {
"title" : "Application",
"description" : "Holds the name of the application, and defaults to \"iPlanetAMWebAgentService\" if not specified",
"type" : "string"
},
"subject" : {
"title" : "Subject",
"description" : "Holds an object that represents the subject. You can specify one or more of the following keys. If you specify multiple keys, the subject can have multiple associated principals, and you can use subject conditions corresponding to any type in the request",
"type" : "object",
"properties" : {
"ssoToken" : {
"title" : "SSOToken",
"description" : "The value is the SSO token ID string for the subject",
"type" : "string"
},
"jwt" : {
"title" : "JWT",
"description" : "The value is a JWT string",
"type" : "string"
},
"claims" : {
"title" : "Claims",
"description" : "The value is an object (map) of JWT claims to their values.",
"type" : "object",
"additionalProperties" : {
"type" : "string"
}
}
}
},
"environment" : {
"title" : "Environment",
"description" : "Holds a map of keys to lists of values",
"type" : "object",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
},
"required" : [ "resources", "application" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Evaluate and evaluateTree schema response",
"title" : "Evaluate and evaluateTree schema response",
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"resource" : {
"title" : "Resource",
"description" : "Specifies the root resource for the decisions to return",
"type" : "string"
},
"actions" : {
"type" : "object",
"title" : "Actions",
"description" : "A map of action name keys to Boolean values that indicate whether the action is allowed (true) or denied (false) for the specified resource",
"additionalProperties" : {
"type" : "boolean"
}
},
"attributes" : {
"type" : "object",
"title" : "Attributes",
"description" : "A map of attribute names to their values, if any response attributes are returned according to applicable policies",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
},
"advices" : {
"type" : "object",
"title" : "Advices",
"description" : "A map of advice names to their values, if any advice is returned according to applicable policies",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
}
}
| Code | Description |
|---|---|
| | The requested action is not supported on policies |
| | Unexpected server error happened during the process |
| | Unsupported operation |
Action: evaluateTree
Request policy decisions for a tree of resources
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Evaluate tree action schema",
"title" : "Evaluate tree action schema",
"type" : "object",
"properties" : {
"resource" : {
"title" : "Resource",
"description" : "Specifies the root resource for the decisions to return",
"type" : "string"
},
"application" : {
"title" : "Application",
"description" : "Holds the name of the application, and defaults to \"iPlanetAMWebAgentService\" if not specified",
"type" : "string"
},
"subject" : {
"title" : "Subject",
"description" : "Holds an object that represents the subject. You can specify one or more of the following keys. If you specify multiple keys, the subject can have multiple associated principals, and you can use subject conditions corresponding to any type in the request",
"type" : "object",
"properties" : {
"ssoToken" : {
"title" : "SSOToken",
"description" : "The value is the SSO token ID string for the subject",
"type" : "string"
},
"jwt" : {
"title" : "JWT",
"description" : "The value is a JWT string",
"type" : "string"
},
"claims" : {
"title" : "Claims",
"description" : "The value is an object (map) of JWT claims to their values.",
"type" : "object",
"additionalProperties" : {
"type" : "string"
}
}
}
},
"environment" : {
"title" : "Environment",
"description" : "Holds a map of keys to lists of values",
"type" : "object",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
},
"required" : [ "resource", "application" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Evaluate and evaluateTree schema response",
"title" : "Evaluate and evaluateTree schema response",
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"resource" : {
"title" : "Resource",
"description" : "Specifies the root resource for the decisions to return",
"type" : "string"
},
"actions" : {
"type" : "object",
"title" : "Actions",
"description" : "A map of action name keys to Boolean values that indicate whether the action is allowed (true) or denied (false) for the specified resource",
"additionalProperties" : {
"type" : "boolean"
}
},
"attributes" : {
"type" : "object",
"title" : "Attributes",
"description" : "A map of attribute names to their values, if any response attributes are returned according to applicable policies",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
},
"advices" : {
"type" : "object",
"title" : "Advices",
"description" : "A map of advice names to their values, if any advice is returned according to applicable policies",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
}
}
| Code | Description |
|---|---|
| | The requested action is not supported on policies |
| | Unexpected server error happened during the process |
| | Unsupported operation |
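The `evaluate` and `evaluateTree` actions share the response schema above: an array of per-resource entries whose `actions` map carries `true`/`false` per action name. The point a policy enforcement point must get right is that a resource or action that is simply absent from that map has no decision at all, and must be treated as denied rather than allowed. The following is an added example (not OpenAM's own client code) that builds a request body satisfying the `required` list of the `evaluate` schema and interprets a constructed sample response fail-closed; the sample response, token value and resource names are constructed for illustration.

```python
"""Build a policy-evaluation request and interpret the decision array.

Added example for the OpenAM `evaluate` / `evaluateTree` actions; this is
not OpenAM's own client code. SAMPLE_RESPONSE is a constructed sample
shaped like the "Evaluate and evaluateTree schema response" on this page.
"""
import json

# Default named in the schema's "application" description.
DEFAULT_APPLICATION = "iPlanetAMWebAgentService"

# Subject keys listed in the schema; at least one should be present.
SUBJECT_KEYS = {"ssoToken", "jwt", "claims"}


def build_evaluate_request(resources, subject, application=None, environment=None):
    """Return the JSON body for the `evaluate` action.

    Enforces the schema's "required": ["resources", "application"] and
    additionally refuses an empty subject, which would otherwise evaluate
    the policies for an anonymous caller (a client-side assumption).
    """
    if not resources or not all(isinstance(r, str) and r for r in resources):
        raise ValueError("resources must be a non-empty list of strings")
    if not isinstance(subject, dict) or not (set(subject) & SUBJECT_KEYS):
        raise ValueError("subject needs at least one of ssoToken, jwt, claims")
    body = {
        "resources": list(resources),
        "application": application or DEFAULT_APPLICATION,
        "subject": subject,
    }
    if environment:
        # Schema: "environment" is a map of keys to lists of strings.
        body["environment"] = {k: [str(v) for v in vals] for k, vals in environment.items()}
    return body


def decide(response, resource, action):
    """Fail-closed decision for one (resource, action) pair.

    Allowed only when the server returned an explicit true. A resource
    missing from the array, or an action missing from its "actions" map,
    means no applicable policy produced a decision, so the answer is deny.
    """
    for entry in response:
        if entry.get("resource") == resource:
            return entry.get("actions", {}).get(action) is True
    return False


def advices_for(response, resource):
    """Return the advice map for a resource (empty when none was returned)."""
    for entry in response:
        if entry.get("resource") == resource:
            return entry.get("advices", {})
    return {}


# Constructed sample response; not captured from a real server.
SAMPLE_RESPONSE = json.loads("""
[
  {"resource": "https://app.example.com/reports/*",
   "actions": {"GET": true, "POST": false},
   "attributes": {"cn": ["demo"]},
   "advices": {}},
  {"resource": "https://app.example.com/admin/*",
   "actions": {},
   "attributes": {},
   "advices": {"AuthLevelConditionAdvice": ["2"]}}
]
""")

if __name__ == "__main__":
    req = build_evaluate_request(
        ["https://app.example.com/reports/*", "https://app.example.com/admin/*"],
        {"ssoToken": "constructed-token-value"},
        environment={"requestIp": ["192.0.2.10"]},
    )
    print(json.dumps(req, indent=2))
    for res in ("https://app.example.com/reports/*", "https://app.example.com/admin/*"):
        print(res, "GET" , decide(SAMPLE_RESPONSE, res, "GET"), advices_for(SAMPLE_RESPONSE, res))
```

The second entry in the sample response has an empty `actions` map and an advice: that is what a resource looks like when a policy matched but a condition (here an authentication-level condition) was not met, and `decide` returns `False` for it. The same interpreter works on an `evaluateTree` response, since only the request differs (a single root `resource` instead of a `resources` list).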
Action: move
Move a list of policies
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Policy copy action schema",
"type" : "object",
"title" : "Policy copy action schema",
"properties" : {
"from" : {
"title" : "Copy/move from",
"description" : "Policy copy/move origin parameters",
"type" : "object",
"properties" : {
"application" : {
"title" : "Application",
"description" : "The policy set in which the input policies are located",
"type" : "string"
}
},
"required" : [ "application" ]
},
"to" : {
"type" : "object",
"title" : "Copy/Move To",
"description" : "Policy copy/move destination parameters",
"properties" : {
"application" : {
"title" : "Application",
"description" : "The policy set in which to place the output policy. Required when copying or moving a policy to a different policy set.",
"type" : "string"
},
"realm" : {
"title" : "Realm",
"description" : "The realm in which to place the output policy. If not specified, OpenAM copies or moves the policy within the realm identified in the URL. Required when copying or moving a policy to a different realm.",
"type" : "string"
},
"namePostfix" : {
"title" : "Name postfix",
"description" : "A value appended to output policy names in order to prevent name clashes",
"type" : "string"
}
},
"required" : [ "namePostfix" ]
},
"resourceTypeMapping" : {
"title" : "Resource type mapping",
"description" : "One or more resource types mappings, where the left side of the mapping specifies the UUID of a resource type used by the input policies and the right side of the mapping specifies the UUID of a resource type used by the output policies. The two resource types should have the same resource patterns",
"type" : "object",
"additionalProperties" : {
"type" : "string"
}
}
},
"required" : [ "from", "to" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: invalid JSON provided in the request; invalid value found in JSON; invalid policy name provided in JSON; copy/move "from" definition is missing; copy/move "from" application definition is missing; copy/move "to" definition is missing; policy name already exists within the realm; invalid destination realm |
| | Permission denied to access or create policy |
| | Not found error. The cause can be one of the following: the policy cannot be found; the required resource type cannot be found |
Query by Filter
Query the stored policies
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: missing privilege name; invalid JSON provided in the request; invalid value found in JSON; invalid policy name provided in JSON; resource name and JSON body name do not match; query id missing UID; invalid query id; invalid search filter; empty privilege name; entitlement value was NULL; no resource type was expected; policy defines invalid resource type; the provided resourceId does not match the UUID in the JSON file |
/policies/{resourceId}
1.0
The Policy resource endpoint is responsible for managing policies. The available operations are create, read, update, delete, query, evaluate action, and evaluate tree action. Policies are realm specific, hence the URI for the policies API can contain a realm component. If the realm is not specified in the URI, the top level realm is used.
Create
Create new policy
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| resourceId | | The unique identifier of the policy | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: missing privilege name; invalid JSON provided in the request; invalid value found in JSON; invalid policy name provided in JSON; resource name and JSON body name do not match; query id missing UID; invalid query id; invalid search filter; empty privilege name; entitlement value was NULL; no resource type was expected; policy defines invalid resource type; the provided resourceId does not match the UUID in the JSON file |
| | Permission denied to access or create policy |
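Because the resource ID of a policy is assigned by the client, the `name` in the body and the `{resourceId}` in the URL must agree, and several of the 400 causes above (empty privilege name, mismatched name, invalid resource type) can be caught before the request is sent. The schema also notes that `active` defaults to `false`, so a policy created without `active: true` is stored but never evaluated, which is an easy way to believe a rule is enforced when it is not. The following is an added pre-flight check (not OpenAM code) that mirrors those constraints; which fields are mandatory, the UUID format of `resourceTypeUuid`, and the sample policy itself are assumptions made for the example.

```python
"""Client-side checks on a policy document before creating it under
/policies/{resourceId}.

Added example; not OpenAM's own code. It mirrors the constraints stated on
this page (body name must match the resourceId, action values are booleans,
active defaults to false). Treating applicationName, actionValues, resources
and resourceTypeUuid as mandatory, and resourceTypeUuid as a UUID, are
assumptions for this example. SAMPLE_POLICY is constructed.
"""
import uuid


def validate_policy(resource_id, policy):
    """Return a list of problems; an empty list means the body is ready to send."""
    problems = []

    name = policy.get("name")
    if not name:
        problems.append("Empty privilege name")  # a 400 cause listed on this page
    elif name != resource_id:
        problems.append("Resource name and JSON body name do not match")

    if not policy.get("applicationName"):
        problems.append("applicationName is missing (assumed mandatory)")

    actions = policy.get("actionValues")
    if (not isinstance(actions, dict) or not actions
            or not all(isinstance(v, bool) for v in actions.values())):
        problems.append("actionValues must be a non-empty map of action name to boolean")

    resources = policy.get("resources")
    if (not isinstance(resources, list) or not resources
            or not all(isinstance(r, str) and r for r in resources)):
        problems.append("resources must be a non-empty list of pattern strings")

    # Assumption: the resource type identifier is a UUID string.
    try:
        uuid.UUID(str(policy.get("resourceTypeUuid")))
    except ValueError:
        problems.append("resourceTypeUuid is not a UUID")

    # subject / condition are pluggable objects; each needs at least a "type".
    for key in ("subject", "condition"):
        node = policy.get(key)
        if node is not None and (not isinstance(node, dict) or not node.get("type")):
            problems.append(f"{key} must be an object carrying a 'type'")

    return problems


def warnings_for(policy):
    """Non-fatal findings a reviewer would still want flagged."""
    warnings = []
    if policy.get("active") is not True:
        warnings.append("active is not true: the policy will not be evaluated (schema default is false)")
    if all(v is False for v in policy.get("actionValues", {}).values()):
        warnings.append("every action is denied: check that this is intended")
    return warnings


# Constructed sample policy; the resource type UUID is a placeholder.
SAMPLE_POLICY = {
    "name": "reports-readers",
    "active": True,
    "applicationName": "iPlanetAMWebAgentService",
    "actionValues": {"GET": True, "POST": False},
    "resources": ["https://app.example.com/reports/*"],
    "subject": {"type": "AuthenticatedUsers"},
    "condition": {"type": "AND", "conditions": []},
    "resourceTypeUuid": "00000000-0000-0000-0000-000000000001",
}

if __name__ == "__main__":
    print("problems:", validate_policy("reports-readers", SAMPLE_POLICY))
    print("warnings:", warnings_for(SAMPLE_POLICY))
    print("mismatch:", validate_policy("other-id", SAMPLE_POLICY))
```

Run the check against the same `resourceId` you intend to put in the URL; the mismatch case reproduces the server's own 400 cause locally, and the `active` warning is the one to watch in automation that creates policies in bulk.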
Read
Read policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| resourceId | | The unique identifier of the policy | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: missing privilege name; invalid JSON provided in the request; invalid value found in JSON; invalid policy name provided in JSON; resource name and JSON body name do not match; query id missing UID; invalid query id; invalid search filter; empty privilege name; entitlement value was NULL; no resource type was expected; policy defines invalid resource type; the provided resourceId does not match the UUID in the JSON file |
Update
Update an existing policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| resourceId | | The unique identifier of the policy | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: missing privilege name; invalid JSON provided in the request; invalid value found in JSON; invalid policy name provided in JSON; resource name and JSON body name do not match; query id missing UID; invalid query id; invalid search filter; empty privilege name; entitlement value was NULL; no resource type was expected; policy defines invalid resource type; the provided resourceId does not match the UUID in the JSON file |
| | Not found error. The cause can be one of the following: the policy cannot be found; the required resource type cannot be found |
Delete
Delete policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| resourceId | | The unique identifier of the policy | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: Missing privilege name; Invalid json provided in the request; Invalid value found in json; Invalid policy name provided in json; Resource name and JSON body name do not match; Query id missing UID; Invalid query id; Invalid search filter; Empty privilege name; Entitlement value was NULL; No resource type was expected; Policy defines invalid resource type; The provided resourceId does not match the UUID in the json file |
| | Permission Denied to access or create policy |
2.0
The Policy resource endpoint is responsible for managing policies. The available operations are create, read, update, delete, query, and the evaluate and evaluateTree actions. Policies are realm-specific, so the URI for the policies API can contain a realm component. If the realm is not specified in the URI, the top-level realm is used.
Create
Create new policy
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The unique identifier of the policy | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: Missing privilege name; Invalid json provided in the request; Invalid value found in json; Invalid policy name provided in json; Resource name and JSON body name do not match; Query id missing UID; Invalid query id; Invalid search filter; Empty privilege name; Entitlement value was NULL; No resource type was expected; Policy defines invalid resource type; The provided resourceId does not match the UUID in the json file |
| | Permission Denied to access or create policy |
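As an added example (not OpenAM's own code), the following Python validates a policy body against the Policy Resource Schema above and reports problems using the wording of the documented Bad request causes, so a client can reject a malformed policy before it reaches the server. It assumes resourceTypeUuid is mandatory (the page does not say so explicitly), and the sample policy, its leaf condition and subject type names, and the UUID placeholder are constructed for illustration.

```python
"""Schema-driven validation of an OpenAM policy body (added example)."""
import json
from typing import Any
# Combinator types the schema names for condition (and subject) trees.
COMBINATORS = {"AND", "OR", "NOT"}

# Python type for each property's JSON "type" in the Policy Resource Schema.
FIELD_TYPES = {
    "name": str, "active": bool, "description": str, "applicationName": str,
    "actionValues": dict, "resources": list, "subject": dict, "condition": dict,
    "resourceTypeUuid": str, "resourceAttributes": list, "lastModifiedBy": str,
    "lastModifiedDate": str, "createdBy": str, "creationDate": str,
}


def _check_condition(node: Any, path: str, errors: list) -> None:
    """Walk a condition tree: every node has a string "type", and an AND/OR/NOT
    node carries a non-empty "conditions" array of objects, checked recursively."""
    if not isinstance(node, dict):
        errors.append(f"Invalid value found in json: {path} must be an object")
        return
    node_type = node.get("type")
    if not isinstance(node_type, str) or not node_type:
        errors.append(f"Invalid value found in json: {path}.type")
        return
    if node_type in COMBINATORS:
        children = node.get("conditions")
        if not isinstance(children, list) or not children:
            errors.append(f"Invalid value found in json: {path}.conditions")
            return
        for i, child in enumerate(children):
            _check_condition(child, f"{path}.conditions[{i}]", errors)


def validate_policy(resource_id: str, body: Any) -> list:
    """Return the problems found (empty list when the body is acceptable).
    resource_id is the identifier from the request URI, which "name" must match.
    Assumption (not stated on the page): resourceTypeUuid is mandatory."""
    if not isinstance(body, dict):
        return ["Invalid json provided in the request"]
    errors = []
    name = body.get("name")
    if not isinstance(name, str) or not name.strip():
        errors.append("Empty privilege name")
    elif name != resource_id:
        errors.append("Resource name and JSON body name do not match")
    for field, expected in FIELD_TYPES.items():
        if field in body and not isinstance(body[field], expected):
            errors.append(f"Invalid value found in json: {field}")
    actions = body.get("actionValues", {})
    if isinstance(actions, dict):  # additionalProperties: every value is boolean
        for action, allowed in actions.items():
            if not isinstance(allowed, bool):
                errors.append(f"Invalid value found in json: actionValues.{action}")
    resources = body.get("resources", [])
    if isinstance(resources, list):  # items: non-empty pattern strings
        for i, pattern in enumerate(resources):
            if not isinstance(pattern, str) or not pattern:
                errors.append(f"Invalid value found in json: resources[{i}]")
    uuid = body.get("resourceTypeUuid")
    if not isinstance(uuid, str) or not uuid:
        errors.append("Policy defines invalid resource type")
    if "condition" in body:
        _check_condition(body["condition"], "condition", errors)
    return errors


def parse_policy(resource_id: str, raw: str) -> list:
    """Parse the raw request body, then validate it."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return ["Invalid json provided in the request"]
    return validate_policy(resource_id, body)


def is_active(body: dict) -> bool:
    """Whether the policy takes part in evaluation: "active" defaults to false."""
    return body.get("active", False) is True


# Constructed sample (not from the page); leaf types and the UUID are placeholders.
SAMPLE_POLICY = {
    "name": "allow-staff-read",
    "active": True,
    "applicationName": "iPlanetAMWebAgentService",
    "actionValues": {"GET": True, "POST": False},
    "resources": ["https://intranet.example.com/*"],
    "subject": {"type": "AuthenticatedUsers"},
    "condition": {"type": "AND", "conditions": [
        {"type": "IPv4", "startIp": "10.0.0.0", "endIp": "10.255.255.255"},
        {"type": "NOT", "conditions": [{"type": "LEAuthLevel", "authLevel": 1}]},
    ]},
    "resourceTypeUuid": "00000000-0000-0000-0000-000000000000",
}

if __name__ == "__main__":
    print(validate_policy("allow-staff-read", SAMPLE_POLICY))  # []
    print(validate_policy("allow-staff-read", dict(SAMPLE_POLICY, condition={"type": "AND"})))
```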
Read
Read policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The unique identifier of the policy | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: Missing privilege name; Invalid json provided in the request; Invalid value found in json; Invalid policy name provided in json; Resource name and JSON body name do not match; Query id missing UID; Invalid query id; Invalid search filter; Empty privilege name; Entitlement value was NULL; No resource type was expected; Policy defines invalid resource type; The provided resourceId does not match the UUID in the json file |
Update
Update an existing policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The unique identifier of the policy | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: Missing privilege name; Invalid json provided in the request; Invalid value found in json; Invalid policy name provided in json; Resource name and JSON body name do not match; Query id missing UID; Invalid query id; Invalid search filter; Empty privilege name; Entitlement value was NULL; No resource type was expected; Policy defines invalid resource type; The provided resourceId does not match the UUID in the json file |
| | Not Found error. The cause can be one of the following: The Policy cannot be found; The required resource type cannot be found |
Delete
Delete policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The unique identifier of the policy | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: Missing privilege name; Invalid json provided in the request; Invalid value found in json; Invalid policy name provided in json; Resource name and JSON body name do not match; Query id missing UID; Invalid query id; Invalid search filter; Empty privilege name; Entitlement value was NULL; No resource type was expected; Policy defines invalid resource type; The provided resourceId does not match the UUID in the json file |
| | Permission Denied to access or create policy |
2.1
The Policy resource endpoint with copy and move support is responsible for managing policies. It supports all the operations that the previous version of the Policy resource endpoint supports (create, read, update, delete, query, and the evaluate and evaluateTree actions), plus two new actions, move and copy, for moving and copying policies between realms.
Create
Create new policy
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The unique identifier of the policy | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: Missing privilege name; Invalid json provided in the request; Invalid value found in json; Invalid policy name provided in json; Resource name and JSON body name do not match; Query id missing UID; Invalid query id; Invalid search filter; Empty privilege name; Entitlement value was NULL; No resource type was expected; Policy defines invalid resource type; The provided resourceId does not match the UUID in the json file |
| | Permission Denied to access or create policy |
Read
Read policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The unique identifier of the policy | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: Missing privilege name; Invalid json provided in the request; Invalid value found in json; Invalid policy name provided in json; Resource name and JSON body name do not match; Query id missing UID; Invalid query id; Invalid search filter; Empty privilege name; Entitlement value was NULL; No resource type was expected; Policy defines invalid resource type; The provided resourceId does not match the UUID in the json file |
Update
Update an existing policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The unique identifier of the policy | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUIDs of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: Missing privilege name; Invalid json provided in the request; Invalid value found in json; Invalid policy name provided in json; Resource name and JSON body name do not match; Query id missing UID; Invalid query id; Invalid search filter; Empty privilege name; Entitlement value was NULL; No resource type was expected; Policy defines invalid resource type; The provided resourceId does not match the UUID in the json file |
| | Not Found error. The cause can be one of the following: The Policy cannot be found; The required resource type cannot be found |
Delete
Delete policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The unique identifier of the policy | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the actions defined by the resource type associated with the policy",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Each must conform to the pattern templates defined by the resource type associated with the policy",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. Possible causes: missing privilege name; invalid JSON provided in the request; invalid value found in the JSON; invalid policy name provided in the JSON; resource name and JSON body name do not match; query ID missing UID; invalid query ID; invalid search filter; empty privilege name; entitlement value was NULL; no resource type was expected; policy defines an invalid resource type; the provided resourceId does not match the UUID in the JSON |
| | Permission denied to access or create the policy |
Action: copy
Copy individual policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The unique identifier of the policy | ✓ | | |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Policy copy action schema",
"type" : "object",
"title" : "Policy copy action schema",
"properties" : {
"to" : {
"type" : "object",
"title" : "Copy/Move To",
"description" : "Policy copy/move destination parameters",
"properties" : {
"name" : {
"title" : "Name",
"description" : "The name of the output policy. Required unless you are copying or moving a policy to a different realm and you want the output policy to have the same name as the input policy.",
"type" : "string"
},
"application" : {
"title" : "Application",
"description" : "The policy set in which to place the output policy. Required when copying or moving a policy to a different policy set.",
"type" : "string"
},
"realm" : {
"title" : "Realm",
"description" : "The realm in which to place the output policy. If not specified, OpenAM copies or moves the policy within the realm identified in the URL. Required when copying or moving a policy to a different realm.",
"type" : "string"
},
"resourceType" : {
"title" : "Resource type",
"description" : "The UUID of the output policy's resource type. Required when copying or moving a policy to a different realm.",
"type" : "string"
}
}
}
},
"required" : [ "to" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String containing the name of the policy, which must be unique within the realm",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the actions defined by the resource type associated with the policy",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Each must conform to the pattern templates defined by the resource type associated with the policy",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. Possible causes: invalid JSON provided in the request; invalid value found in the JSON; invalid policy name provided in the JSON; copy/move "from" definition is missing; copy/move "from" application definition is missing; copy/move "to" definition is missing; policy name already exists within the realm; invalid destination realm |
| | Permission denied to access or create the policy |
| | Not Found error. Possible causes: the policy cannot be found; the required resource type cannot be found |
Action: move
Move individual policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The unique identifier of the policy | ✓ | | |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Policy copy action schema",
"type" : "object",
"title" : "Policy copy action schema",
"properties" : {
"to" : {
"type" : "object",
"title" : "Copy/Move To",
"description" : "Policy copy/move destination parameters",
"properties" : {
"name" : {
"title" : "Name",
"description" : "The name of the output policy. Required unless you are copying or moving a policy to a different realm and you want the output policy to have the same name as the input policy.",
"type" : "string"
},
"application" : {
"title" : "Application",
"description" : "The policy set in which to place the output policy. Required when copying or moving a policy to a different policy set.",
"type" : "string"
},
"realm" : {
"title" : "Realm",
"description" : "The realm in which to place the output policy. If not specified, OpenAM copies or moves the policy within the realm identified in the URL. Required when copying or moving a policy to a different realm.",
"type" : "string"
},
"resourceType" : {
"title" : "Resource type",
"description" : "The UUID of the output policy's resource type. Required when copying or moving a policy to a different realm.",
"type" : "string"
}
}
}
},
"required" : [ "to" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String containing the name of the policy, which must be unique within the realm",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the actions defined by the resource type associated with the policy",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Each must conform to the pattern templates defined by the resource type associated with the policy",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. Possible causes: invalid JSON provided in the request; invalid value found in the JSON; invalid policy name provided in the JSON; copy/move "from" definition is missing; copy/move "from" application definition is missing; copy/move "to" definition is missing; policy name already exists within the realm; invalid destination realm |
| | Permission denied to access or create the policy |
| | Not Found error. Possible causes: the policy cannot be found; the required resource type cannot be found |
/push/sns/message
1.0
Push authentication depends on secure verification of the information sent from the server to the client and from the client to the server: the server verifies that the notification was received and answered by the originally registered device, and the device verifies that only the server could have sent the original request.
This endpoint provides the place for the device to return responses to the server to requests received either by QR code or by push notification.
Action: authenticate
Message sent from device to server in response to a request for authentication sent to the device via Push notification. This message is generally sent from the ForgeRock Authenticator app.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"messageId" : {
"type" : "string",
"title" : "Message ID",
"description" : "Unique message identifier"
},
"jwt" : {
"type" : "string",
"title" : "JWT",
"description" : "Signed JWT containing claims:\n* `response`: Response to challenge (Base64 encoding of the HmacSHA256 hashing of the decoded shared secret and the decoded challenge)\n* `deny`: Indication that this auth attempt should be shut down (boolean)"
}
},
"required" : [ "messageId", "jwt" ]
}
This operation returns a response resource that conforms to the following schema:
{
"type" : "object"
}
| Code | Description |
|---|---|
| | Either the message ID was invalid, could not be found, or could not be validated using the claims provided in the JWT. |
Action: register
Message sent from device to server in response to a registration message received on the device via a QR code. This message is generally sent from the ForgeRock Authenticator app.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"messageId" : {
"type" : "string",
"title" : "Message ID",
"description" : "Unique message identifier"
},
"jwt" : {
"type" : "string",
"title" : "JWT",
"description" : "Signed JWT containing claims:\n* `response`: Response to challenge (Base64 encoding of the HmacSHA256 hashing of the decoded shared secret and the decoded challenge)\n* `mechanismUid`: The device-specific identifier for the just-registered mechanism (string)\n* `deviceId`: The registration token used by GCM or APNS (string)\n* `deviceType`: `android` or `ios` (string)\n* `communicationType`: `gcm` or `apns` (string)"
}
},
"required" : [ "messageId", "jwt" ]
}
This operation returns a response resource that conforms to the following schema:
{
"type" : "object"
}
| Code | Description |
|---|---|
| | Either the message ID was invalid, could not be found, or could not be validated using the claims provided in the JWT. |
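As an added worked example (not OpenAM's or the ForgeRock Authenticator's code), the Python below plays both sides of the `authenticate` and `register` actions described above. The device computes the `response` claim as the descriptions state it (HMAC-SHA256 keyed with the decoded shared secret over the decoded challenge, then Base64) and wraps the claims in a signed JWT; the server looks up the pending `messageId`, consumes it so a captured body cannot be replayed, verifies the JWT signature, and only then compares the challenge response in constant time. Assumptions beyond the page: the JWT is an HS256 JWS signed with the same shared secret, the server keeps outstanding requests in a dict keyed by `messageId`, and the secret and challenge are standard-Base64 strings. `SHARED_SECRET_B64`, `OTHER_SECRET_B64` and `CHALLENGE_B64` are constructed test values.

```python
import base64
import hashlib
import hmac
import json

# Constructed test material, not real secrets: a 32-byte shared secret per device
# and a 16-byte challenge, all standard Base64 as the QR/push payload carries them.
SHARED_SECRET_B64 = base64.b64encode(bytes(range(32))).decode("ascii")
OTHER_SECRET_B64 = base64.b64encode(bytes(32)).decode("ascii")
CHALLENGE_B64 = base64.b64encode(b"sixteen-byte-chl").decode("ascii")


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def challenge_response(shared_secret_b64, challenge_b64):
    """The `response` claim: Base64(HMAC-SHA256(key=decoded secret, msg=decoded challenge))."""
    key = base64.b64decode(shared_secret_b64)
    mac = hmac.new(key, base64.b64decode(challenge_b64), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_jwt_hs256(claims, key):
    """Compact JWS with HS256. Assumption: the app signs with the shared secret."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt_hs256(token, key):
    """Return the claims if the token is a well-formed HS256 JWS under `key`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm
            return None
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            return None
        claims = json.loads(b64url_decode(parts[1]))
        return claims if isinstance(claims, dict) else None
    except (ValueError, UnicodeDecodeError):
        return None


# Device side: the bodies the authenticator app would POST to /push/sns/message.

def device_authenticate_reply(message_id, shared_secret_b64, challenge_b64, deny=False):
    claims = {"deny": True} if deny else {"response": challenge_response(shared_secret_b64, challenge_b64), "deny": False}
    return {"messageId": message_id, "jwt": sign_jwt_hs256(claims, base64.b64decode(shared_secret_b64))}


def device_register_reply(message_id, shared_secret_b64, challenge_b64, mechanism_uid, device_id, device_type, comm_type):
    claims = {"response": challenge_response(shared_secret_b64, challenge_b64), "mechanismUid": mechanism_uid,
              "deviceId": device_id, "deviceType": device_type, "communicationType": comm_type}
    return {"messageId": message_id, "jwt": sign_jwt_hs256(claims, base64.b64decode(shared_secret_b64))}


# Server side. `pending` maps messageId -> {"sharedSecret": ..., "challenge": ...} for outstanding requests.

def _verify_message(pending, body):
    """Checks shared by both actions; returns (claims, "ok") or (None, reason)."""
    entry = pending.pop(body.get("messageId", ""), None)  # consumed on first use, so a replay finds nothing
    if entry is None:
        return None, "unknown or already-used messageId"
    claims = verify_jwt_hs256(body.get("jwt", ""), base64.b64decode(entry["sharedSecret"]))
    if claims is None:
        return None, "JWT signature invalid"
    if claims.get("deny") is True:  # an authenticated deny needs no challenge response
        return None, "denied on device"
    expected = challenge_response(entry["sharedSecret"], entry["challenge"])
    if not hmac.compare_digest(expected.encode("ascii"), str(claims.get("response", "")).encode("utf-8")):
        return None, "challenge response mismatch"
    return claims, "ok"


def handle_authenticate(pending, body):
    """_action=authenticate -> (accepted, reason)."""
    claims, reason = _verify_message(pending, body)
    return (True, "authenticated") if claims is not None else (False, reason)


def handle_register(pending, body):
    """_action=register -> (device record, "registered") or (None, reason)."""
    claims, reason = _verify_message(pending, body)
    if claims is None:
        return None, reason
    if claims.get("deviceType") not in ("android", "ios") or claims.get("communicationType") not in ("gcm", "apns"):
        return None, "unsupported deviceType or communicationType"
    if not claims.get("mechanismUid") or not claims.get("deviceId"):
        return None, "missing mechanismUid or deviceId"
    return {k: claims[k] for k in ("mechanismUid", "deviceId", "deviceType", "communicationType")}, "registered"
```

The order of checks is the point: the signature is verified before the `deny` flag is honoured, so an unsigned or mis-signed deny cannot cancel a legitimate attempt, and a `messageId` is accepted once, so a second delivery of the same body fails as an unknown message instead of succeeding twice.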
/realm-audit/{topic}
1.0
Audit events are logged through a realm audit service.
Create
Create a new audit event, which will be handled and logged by the configured audit service.
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The schema contains properties that are common to all topics and some that are unique to a specific topic. The description of each property indicates which topic the property applies to.",
"title" : "Audit event schema",
"type" : "object",
"properties" : {
"_id" : {
"title" : "ID",
"description" : "The ID of the event, used by all topics",
"type" : "string"
},
"timestamp" : {
"title" : "Timestamp",
"description" : "The time at which the event occurred, used by all topics",
"type" : "string"
},
"eventName" : {
"title" : "Event name",
"description" : "The name of the event, used by all topics",
"type" : "string"
},
"transactionId" : {
"title" : "Transaction ID",
"description" : "The transaction ID of the event, used by all topics",
"type" : "string"
},
"userId" : {
"title" : "User ID",
"description" : "The ID of the user responsible for the event, used by all topics",
"type" : "string"
},
"trackingIds" : {
"title" : "Tracking IDs",
"description" : "The tracking IDs of the event, used by all topics",
"type" : "array",
"items" : {
"id" : "0",
"type" : "string"
}
},
"component" : {
"title" : "Component",
"description" : "The component responsible for the event, used by all topics",
"type" : "string"
},
"realm" : {
"title" : "Realm",
"description" : "The realm in which the event occurred, used by all topics",
"type" : "string"
},
"server" : {
"title" : "Server",
"description" : "The server details for an access event",
"type" : "object",
"properties" : {
"ip" : {
"title" : "Server IP address",
"description" : "The server ip address for an access event",
"type" : "string"
},
"port" : {
"title" : "Server port",
"description" : "The server port for an access event",
"type" : "integer"
}
}
},
"client" : {
"title" : "Client",
"description" : "The client details for an access event",
"type" : "object",
"properties" : {
"ip" : {
"title" : "Client IP address",
"description" : "The client IP address for an access event",
"type" : "string"
},
"port" : {
"title" : "Client port",
"description" : "The client port for an access event",
"type" : "integer"
}
}
},
"request" : {
"title" : "Request",
"description" : "The request details for an access event",
"type" : "object",
"properties" : {
"protocol" : {
"title" : "Request protocol",
"description" : "The request protocol for an access event",
"type" : "string"
},
"operation" : {
"title" : "Request operation",
"description" : "The request operation for an access event",
"type" : "string"
},
"detail" : {
"title" : "Request detail",
"description" : "The request detail for an access event",
"type" : "object"
}
}
},
"http" : {
"title" : "Http details",
"description" : "The Http details for an access event",
"type" : "object",
"properties" : {
"request" : {
"title" : "Http request",
"description" : "The http request for an access event",
"type" : "object",
"properties" : {
"secure" : {
"title" : "Http secure",
"description" : "The http secure property for an access event",
"type" : "boolean"
},
"method" : {
"title" : "Http method",
"description" : "The http method for an access event",
"type" : "string"
},
"path" : {
"title" : "Http path",
"description" : "The http path for an access event",
"type" : "string"
},
"queryParameters" : {
"title" : "Http query parameters",
"description" : "The http query parameters for an access event",
"type" : "object",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
},
"headers" : {
"title" : "Http headers",
"description" : "The http headers for an access event",
"type" : "object",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
},
"cookies" : {
"title" : "Http cookies",
"description" : "The http cookies for an access event",
"type" : "object",
"additionalProperties" : {
"type" : "string"
}
}
}
},
"response" : {
"title" : "Http response",
"description" : "The http response for an access event",
"type" : "object",
"properties" : {
"headers" : {
"title" : "Http request headers",
"description" : "The http request headers for an access event",
"type" : "object",
"additionalProperties" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
}
}
},
"response" : {
"title" : "Response",
"description" : "The response details for an access event",
"type" : "object",
"properties" : {
"status" : {
"title" : "Response status",
"description" : "The response status for an access event",
"type" : "string"
},
"statusCode" : {
"title" : "Response status code",
"description" : "The response status code for an access event",
"type" : "string"
},
"detail" : {
"title" : "Response detail",
"description" : "The response detail for an access event",
"type" : "object"
},
"elapsedTime" : {
"title" : "Response elapsed time",
"description" : "The response elapsedTime for an access event",
"type" : "integer"
},
"elapsedTimeUnits" : {
"title" : "Response elapsed time units",
"description" : "The response elapsed time units for an access event",
"type" : "string"
}
}
},
"runAs" : {
"title" : "Run as",
"description" : "What the change that triggered an activity or config event was run as",
"type" : "string"
},
"objectId" : {
"title" : "Object ID",
"description" : "The object ID of the change that triggered an activity or config event",
"type" : "string"
},
"operation" : {
"title" : "Operation",
"description" : "The operation that triggered an activity or config event",
"type" : "string"
},
"before" : {
"title" : "Before state",
"description" : "The state before an activity or config event occurred",
"type" : "object"
},
"after" : {
"title" : "After state",
"description" : "The state after an activity or config event occurred",
"type" : "object"
},
"changedFields" : {
"title" : "Changed fields",
"description" : "The changed fields after an activity or config event occurred",
"type" : "array",
"items" : {
"id" : "1",
"type" : "string"
}
},
"revision" : {
"title" : "Revision",
"description" : "The revision for an activity or config event",
"type" : "string"
},
"result" : {
"title" : "Result",
"description" : "The result of the authentication event",
"type" : "string"
},
"principal" : {
"title" : "Principal",
"description" : "The principal responsible for the authentication event",
"type" : "array",
"items" : {
"type" : "string"
}
},
"context" : {
"title" : "Context",
"description" : "The context of an authentication event",
"type" : "object"
},
"entries" : {
"title" : "Entries",
"description" : "The entries for an authentication event",
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"moduleId" : {
"title" : "Module ID",
"description" : "The module ID for the authentication event",
"type" : "string"
},
"result" : {
"title" : "Module result",
"description" : "The result of the module authentication event",
"type" : "string"
},
"info" : {
"title" : "Entries information",
"description" : "The entries information for an authentication event",
"type" : "object"
}
}
}
}
},
"required" : [ "transactionId", "timestamp" ]
}
/realm-config/agents
1.0
Aggregating Agents handler that is responsible for querying the aggregating agents
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the aggregating agents
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Sms Aggregating Agent Groups Query schema",
"type" : "object",
"title" : "Sms Aggregating Agent Groups Query schema"
}
/realm-config/agents/2.2_Agent
1.0
Agents handler that is responsible for managing agents
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agents of a specific type
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Key Value(s)",
"description" : "Set the agent properties with a key/value pair. This property is used by AM to receive agent requests for credential assertions about users. Currently, only one property is valid and all other properties will be ignored. Use the following format: agentRootURL=protocol://hostname:port/ The entry must be precise and agentRootURL is case sensitive.",
"propertyOrder" : 22500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"description" : {
"title" : "Description",
"propertyOrder" : 22400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
}
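As an added check (example code, not part of OpenAM), the Python below validates a 2.2 agent's `cdssoRootUrl` value list against the format the `Agent Key Value(s)` description above requires, before the value is sent in a create or update: the key must be exactly `agentRootURL` (the case-sensitive spelling AM matches on; any other key is ignored rather than rejected, so the function reports such keys instead of silently dropping them), and the value must be `protocol://hostname:port/` with an explicit port and nothing after the trailing slash. Assumptions beyond the page: only `http` and `https` are accepted as the protocol, and userinfo, query strings and fragments are treated as imprecise and rejected.

```python
from urllib.parse import urlsplit

VALID_KEY = "agentRootURL"  # case sensitive; AM ignores any other key


def parse_agent_root_url(key_values):
    """Validate the 'Agent Key Value(s)' list and return (agentRootURL, ignored_keys).

    Raises ValueError when the one valid property is missing, repeated or malformed.
    """
    root_url, ignored = None, []
    for entry in key_values:
        key, sep, value = entry.partition("=")
        if not sep:
            raise ValueError(f"not a key=value pair: {entry!r}")
        if key != VALID_KEY:  # e.g. 'agentrooturl': silently dropped by AM, so surface it
            ignored.append(key)
            continue
        if root_url is not None:
            raise ValueError("agentRootURL given more than once")
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https"):  # assumption: web agents only
            raise ValueError(f"unsupported protocol in {value!r}")
        if not parts.hostname:
            raise ValueError(f"missing hostname in {value!r}")
        try:
            port = parts.port
        except ValueError:
            raise ValueError(f"invalid port in {value!r}") from None
        if port is None:
            raise ValueError(f"explicit port required, as in protocol://hostname:port/: {value!r}")
        if parts.path != "/" or parts.query or parts.fragment or parts.username is not None:
            raise ValueError(f"agentRootURL must end in exactly '/' with no userinfo, query or fragment: {value!r}")
        root_url = value
    if root_url is None:
        raise ValueError("agentRootURL is missing")
    return root_url, ignored
```

A lower-case `agentrooturl=` entry is the case worth testing for: AM does not reject it, it simply never matches, so CDSSO assertions for that agent fail later with no hint in the create response.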
/realm-config/agents/2.2_Agent/{id}
1.0
Agents handler that is responsible for managing agents
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Key Value(s)",
"description" : "Set the agent properties with a key/value pair. This property is used by AM to receive agent requests for credential assertions about users. Currently, only one property is valid and all other properties will be ignored. Use the following format: agentRootURL=protocol://hostname:port/ The entry must be precise and agentRootURL is case sensitive.",
"propertyOrder" : 22500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"description" : {
"title" : "Description",
"propertyOrder" : 22400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Key Value(s)",
"description" : "Set the agent properties with a key/value pair. This property is used by AM to receive agent requests for credential assertions about users. Currently, only one property is valid and all other properties will be ignored. Use the following format: <br> agentRootURL=protocol://hostname:port/ <br> The entry must be precise and agentRootURL is case sensitive.",
"propertyOrder" : 22500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"description" : {
"title" : "Description",
"propertyOrder" : 22400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Key Value(s)",
"description" : "Set the agent properties with a key/value pair. This property is used by AM to receive agent requests for credential assertions about users. Currently, only one property is valid and all other properties will be ignored. Use the following format: <br> agentRootURL=protocol://hostname:port/ <br> The entry must be precise and agentRootURL is case sensitive.",
"propertyOrder" : 22500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"description" : {
"title" : "Description",
"propertyOrder" : 22400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Key Value(s)",
"description" : "Set the agent properties with a key/value pair. This property is used by AM to receive agent requests for credential assertions about users. Currently, only one property is valid and all other properties will be ignored. Use the following format: <br> agentRootURL=protocol://hostname:port/ <br> The entry must be precise and agentRootURL is case sensitive.",
"propertyOrder" : 22500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"description" : {
"title" : "Description",
"propertyOrder" : 22400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
}
/realm-config/agents/J2EEAgent
1.0
Agents handler that is responsible for managing agents
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agents of a specific type
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amServicesJ2EEAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"authServiceProtocol" : {
"title" : "AM Authentication Service Protocol",
"description" : "Protocol to be used by the AM authentication service. (property name: com.iplanet.am.server.protocol) <br>Hot-swap: No",
"propertyOrder" : 10900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 5400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"serviceDataCacheTime" : {
"title" : "Service Data Cache Time",
"description" : "Cache update time in minutes for service configuration data. If set to '0' no updates happen. (property name: com.sun.identity.sm.cacheTime) <br>Hot-swap: No",
"propertyOrder" : 10800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"userDataCachePollingTime" : {
"title" : "User Data Cache Polling Time",
"description" : "Cache update time in minutes for user management data. If set to '0' no updates happen. (property name: com.iplanet.am.sdk.remote.pollingTime) <br>Hot-swap: No",
"propertyOrder" : 10600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"probeLoginUrl" : {
"title" : "Login URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.login.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 3900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"conditionalLogoutUrl" : {
"title" : "AM Conditional Logout URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.logout.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1&param2=value2 <br> match/path|?param1=value1&param2=value2&param3=value3",
"propertyOrder" : 12550,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"conditionalLoginUrl" : {
"title" : "AM Conditional Login URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.login.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1&param2=value2 <br> match/path|?param1=value1&param2=value2&param3=value3",
"propertyOrder" : 4010,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"loginProbeTimeout" : {
"title" : "Login URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Login URL Probe is set to true. (property name: com.sun.identity.agents.config.login.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 4000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"clientPollingPeriod" : {
"title" : "Client Polling Period",
"description" : "(Not used in Agent 5 onwards) <br>Time in seconds after which the session client will request update of cached session information from the server. (property name: com.iplanet.am.session.client.polling.period) <br>Hot-swap: No",
"propertyOrder" : 10300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"urlPolicyEnvGetParameters" : {
"title" : "URL Policy Env GET Parameters",
"description" : "List of HTTP GET request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.get.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClientCacheMode" : {
"title" : "Policy Client Cache Mode",
"description" : "Mode of caching to be used by remote policy client. (property name: com.sun.identity.policy.client.cacheMode) <br>Hot-swap: No",
"propertyOrder" : 11400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"loginUrlPrioritized" : {
"title" : "Login URL Prioritized",
"description" : "Specifies if failover sequence for Login URLs or CDSSO URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.login.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 3800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyNotifications" : {
"title" : "Enable Policy Notifications",
"description" : "Enable Notifications for remote policy client. (property name: com.sun.identity.agents.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 11200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logoutProbeTimeout" : {
"title" : "Logout URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Logout URL Probe is set to true. (property name: com.sun.identity.agents.config.logout.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 12700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"policyClientPollingInterval" : {
"title" : "Policy Client Polling Interval",
"description" : "Duration in minutes after which the cached entries are refreshed by remote policy client. (property name: com.sun.identity.agents.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 11300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"urlPolicyEnvJsessionParameters" : {
"title" : "URL Policy Env jsession Parameters",
"description" : "List of HTTP SESSION attributes whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.jsession.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 12000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with. (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 5500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 12400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"useRedirectForCompositeAdvice" : {
"title" : "Use HTTP-Redirect for composite advice",
"description" : "Configure remote policy client to use HTTP-redirect instead of HTTP-POST for composite advices. (property name: com.sun.identity.agents.config.policy.advice.use.redirect) <br>Hot-swap: Yes",
"propertyOrder" : 13000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logoutUrlPrioritized" : {
"title" : "Logout URL Prioritized",
"description" : "Specifies if failover sequence for Logout URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.logout.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 12500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"urlPolicyEnvPostParameters" : {
"title" : "URL Policy Env POST Parameters",
"description" : "List of HTTP POST request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.post.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"enableClientPolling" : {
"title" : "Enable Client Polling",
"description" : "Specifies if the session client must use polling for updating session information and not depend upon server notifications. (property name: com.iplanet.am.session.client.polling.enable) <br>Hot-swap: No",
"propertyOrder" : 10200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyClientResourceComparators" : {
"title" : "Policy Client Resource Comparators",
"description" : "Resource Comparators to be used for different service names. (property name: com.sun.identity.policy.client.resourceComparators) <br>Hot-swap: No",
"propertyOrder" : 11600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"probeLogoutUrl" : {
"title" : "Logout URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.logout.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 12600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"userDataCacheNotifications" : {
"title" : "Enable Notification of User Data Caches",
"description" : "Enable notifications for amsdk and IdRepo Caches. (property name: com.sun.identity.idm.remote.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyActionBooleanValues" : {
"title" : "Policy Client Boolean Action Values",
"description" : "Boolean action values for policy action names. (property name: com.sun.identity.policy.client.booleanActionValues) <br>Hot-swap: No",
"propertyOrder" : 11500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 3700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClientClockSkew" : {
"title" : "Policy Client Clock Skew",
"description" : "Time in seconds which is allowed to accommodate the time difference between the AM server machine and the remote policy client machine. (property name: com.sun.identity.policy.client.clockSkew) <br>Hot-swap: No",
"propertyOrder" : 11700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"serviceDataCacheNotifications" : {
"title" : "Enable Notification of Service Data Caches",
"description" : "Enable the notifications for service management caches. (property name: com.sun.identity.sm.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"authServiceHost" : {
"title" : "AM Authentication Service Host Name",
"description" : "Host name to be used by the AM authentication service. (property name: com.iplanet.am.server.host) <br>Hot-swap: No",
"propertyOrder" : 11000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"authServicePort" : {
"title" : "AM Authentication Service Port",
"description" : "Port to be used by the AM authentication service. (property name: com.iplanet.am.server.port) <br>Hot-swap: No",
"propertyOrder" : 11100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"applicationJ2EEAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"notEnforcedUrisCacheEnabled" : {
"title" : "Not Enforced URIs Cache Enabled",
"description" : "Enables the caching of the Not Enforced URIs list evaluation results. (property name: com.sun.identity.agents.config.notenforced.uri.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"headerAttributeDateFormat" : {
"title" : "Fetch Attribute Date Format",
"description" : "Format of date attribute values to be used when the attribute is being set as HTTP header. Format is based on java.text.SimpleDateFormat. (property name: com.sun.identity.agents.config.attribute.date.format) <br>Hot-swap: Yes",
"propertyOrder" : 8400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedUrisCacheSize" : {
"title" : "Not Enforced URIs Cache Size",
"description" : "Size of the cache to be used if caching of not enforced URI list evaluation results is enabled. (property name: com.sun.identity.agents.config.notenforced.uri.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 7800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"applicationLogoutHandlers" : {
"title" : "Application Logout Handler",
"description" : "An application-specific Map that identifies a handler to be used for logout processing. (property name: com.sun.identity.agents.config.logout.application.handler) <br>Valid key: the web application name. <br>Valid value: the application logout handler class name. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout handler. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout handler: leave Map Key field empty, and enter the global application logout handler class name GlobalApplicationLogoutHandler in Corresponding Map Value field. <br>To set the logout handler for application BankApp: enter BankApp in Map Key field, and enter the application logout handler class name BankAppLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 5900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedIpsCacheSize" : {
"title" : "Not Enforced IP Cache Size",
"description" : "Size of the cache to be used if Not Enforced IP Cache Flag is enabled. (property name: com.sun.identity.agents.config.notenforced.ip.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 8200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"invertNotEnforcedUris" : {
"title" : "Invert Not Enforced URIs",
"description" : "Inverts protection of URIs specified in Not Enforced URIs list. When set to true, it indicates that the URIs specified should be enforced and all other URIs should be not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri.invert) <br>Hot-swap: Yes",
"propertyOrder" : 7600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"applicationLogoutUris" : {
"title" : "Application Logout URI",
"description" : "An application-specific Map that identifies a request URI which indicates a logout event. (property name: com.sun.identity.agents.config.logout.uri) <br>Valid key: the web application name. <br>Valid value: the application logout URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout URI: leave Map Key field empty, and enter the global application logout URI /logout.jsp in Corresponding Map Value field. <br> To set the logout URI for application BankApp: enter BankApp in Map Key field, and enter the application logout URI /BankApp/logout.jsp in Corresponding Map Value field.",
"propertyOrder" : 6000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"profileAttributeMap" : {
"title" : "Profile Attribute Mapping",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 8800,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"responseAttributeMap" : {
"title" : "Response Attribute Mapping",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 9200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"logoutIntrospection" : {
"title" : "Logout Introspect Enabled",
"description" : "Allows the Agent to search HTTP request body to locate logout parameter. (property name: com.sun.identity.agents.config.logout.introspect.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 6200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"resourceAccessDeniedUri" : {
"title" : "Resource Access Denied URI",
"description" : "An application-specific Map that identifies a URI of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.uri) <br>Valid key: the web application name. <br>Valid value: the customized application access denied page URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific access denied page. <br>Hot-swap: Yes <br> Examples: <br>To set a global access denied page: leave Map Key field empty, and enter the global access denied page URI /sample/accessdenied.html in Corresponding Map Value field. <br> To set the access denied page URI for application BankApp: enter BankApp in Map Key field, and enter the application access denied page URI /BankApp/accessdenied.html in Corresponding Map Value field.",
"propertyOrder" : 2700,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedUris" : {
"title" : "Not Enforced URIs",
"description" : "List of URIs for which protection is not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri) <br>Hot-swap: Yes <br> Examples: <br> /BankApp/public/* <br> /BankApp/images/*",
"propertyOrder" : 7500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"privilegedAttributesToLowerCase" : {
"title" : "Privileged Attributes To Lower Case",
"description" : "(Not used in Agent 5 onwards) <br>Maps the privileged attribute types to whether they should be converted to lowercase. (property name: com.sun.identity.agents.config.privileged.attribute.tolowercase) <br> Valid Keys: the privileged attribute types, such as Group, Role. <br>Valid value: true, false. <br>Hot-swap: Yes <br> Example: <br> Enter Group in Map Key field, and enter false in Corresponding Map Value field.",
"propertyOrder" : 9600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedIpsCacheEnabled" : {
"title" : "Not Enforced IP Cache Flag",
"description" : "Enable caching of not-enforced IP list evaluation results. (property name: com.sun.identity.agents.config.notenforced.ip.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 8100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"defaultPrivilegedAttributes" : {
"title" : "Default Privileged Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attributes that will be granted to all users who have a valid AM session. (property name: com.sun.identity.agents.config.default.privileged.attribute) <br>Hot-swap: Yes <br> Example: <br> AUTHENTICATED_USERS",
"propertyOrder" : 9400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3210,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"privilegedAttributeType" : {
"title" : "Privileged Attribute Type",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attribute types that will be fetched for each user. (property name: com.sun.identity.agents.config.privileged.attribute.type) <br>Hot-swap: Yes <br> Example: <br> Group",
"propertyOrder" : 9500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieAttributeMultiValueSeparator" : {
"title" : "Cookie Separator Character",
"description" : "Character that will be used to separate multiple values of the same attribute when it is being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.separator) <br>Hot-swap: Yes",
"propertyOrder" : 8300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cookieAttributeUrlEncoded" : {
"title" : "Attribute Cookie Encode",
"description" : "Indicates if the value of the attribute should be URL encoded before being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.encode) <br>Hot-swap: Yes",
"propertyOrder" : 8500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"privilegedSessionAttribute" : {
"title" : "Privileged Session Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of session property names which hold privileged attributes for the authenticated user. (property name: com.sun.identity.agents.config.privileged.session.attribute) <br>Hot-swap: Yes <br> Example: <br> UserToken",
"propertyOrder" : 9700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"loginContentFile" : {
"title" : "Login Content File Name",
"description" : "Complete path and name of custom login content file. (property name: com.sun.identity.agents.config.login.content.file) <br>Hot-swap: Yes",
"propertyOrder" : 3100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "The mode of fetching profile attributes. (property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication or authorization protection from the agent is required for requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 7900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"logoutRequestParameters" : {
"title" : "Logout Request Parameter",
"description" : "An application-specific Map that identifies a parameter which when present in the HTTP request indicates a logout event. (property name: com.sun.identity.agents.config.logout.request.param) <br>Valid key: the web application name. <br>Valid value: the logout request parameter. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout request parameter. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout request parameter: leave Map Key field empty, and enter the global application logout request parameter logoutparam in Corresponding Map Value field. <br> To set the logout request parameter for application BankApp: enter BankApp in Map Key field, and enter the logout request parameter logoutparam in Corresponding Map Value field.",
"propertyOrder" : 6100,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name under which it will appear in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3211,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"shortenedPrivilegeAttributeValues" : {
"title" : "Shortened privilege attribute values",
"description" : "When using privileged attribute type, this setting will ensure that the membership details will be stored in a shortened format and not in the default universal ID format.<br><br>By default the agent maps identity memberships using their universal IDs (e.g. id=admin,ou=group,dc=openam,dc=forgerock,dc=org), however this may not be always acceptable. Using this setting the identity membership details will be mapped in a shortened format, only including the group's/role's name (e.g. admin). Be aware that in case there are both roles and groups in the data store, this setting will make them indistinguishable from each other, i.e. if there is a group and a role with the same name it will not be possible to differentiate them.",
"propertyOrder" : 13600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "The mode of fetching session attributes. (property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"privilegedAttributeMappingEnabled" : {
"title" : "Enable Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Enable a mapping from the original value of an attribute to another value, to satisfy container-specific restrictions on the character set used in certain configuration files. (property name: com.sun.identity.agents.config.privileged.attribute.mapping.enable) <br>Hot-swap: Yes",
"propertyOrder" : 9800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"loginErrorUri" : {
"title" : "Login Error URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-error-page element. (property name: com.sun.identity.agents.config.login.error.uri) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/error.jsp",
"propertyOrder" : 2900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"invertNotEnforcedIps" : {
"title" : "Not Enforced IP Invert List",
"description" : "Inverts the protection of the client IP addresses listed in the related Not Enforced Client IP List. (property name: com.sun.identity.agents.config.notenforced.ip.invert) <br>Hot-swap: Yes",
"propertyOrder" : 8000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "The mode of fetching policy response attributes. (property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 9100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"sessionAttributeMap" : {
"title" : "Session Attribute Mapping",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 9000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"customVerificationHandlers" : {
"title" : "Custom Verification Handler",
"description" : "Application specific verification handler to validate the user credentials with the local repository. (property name: com.sun.identity.agents.config.verification.handler) <br>Valid key: the web application name. <br>Valid value: the verification handler class name. <br>Hot-swap: Yes <br> Example: <br> To set verification handler for application BankApp: enter BankApp in Map Key field, and enter verification handler class name BankVerificationHandler in Corresponding Map Value field.",
"propertyOrder" : 3400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"loginFormUri" : {
"title" : "Login Form URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-login-page element. (property name: com.sun.identity.agents.config.login.form) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/login.jsp",
"propertyOrder" : 2800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"customLogoutHandlers" : {
"title" : "Custom Logout Handler",
"description" : "Application specific logout handler to log out a user with the application server. (property name: com.sun.identity.agents.config.logout.handler) <br>Valid key: the web application name. <br>Valid value: the logout handler class name. <br>Hot-swap: Yes <br> Example: <br>To set logout handler for application BankApp: enter BankApp in Map Key field, and enter logout handler class name BankLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 3300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"privilegedAttributeMap" : {
"title" : "Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Map if using Enable Privileged Attribute Mapping. (property name: com.sun.identity.agents.config.privileged.attribute.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map UUID id=manager,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_manager_role specified in webapp's deployment descriptor: enter id=manager,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_manager_role in Corresponding Map Value field. <br> To map UUID id=employee,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_employee_role specified in webapp's deployment descriptor: enter id=employee,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_employee_role in Corresponding Map Value field.",
"propertyOrder" : 9900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"useInternalLogin" : {
"title" : "Use Internal Login",
"description" : "Set to false if you want to customize the Login Content File instead of using the default internal content provided. (property name: com.sun.identity.agents.config.login.use.internal) <br>Hot-swap: Yes",
"propertyOrder" : 3000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"notEnforcedRuleCompoundSeparator" : {
"title" : "Not Enforced Compound Rule Separator",
"description" : "Specifies a separator for not enforced compound rules (Agent 5 only). The format for compound rules requires a list of IP rules, a separator (by default the | character), and a list of URI rules. <br> Example: <br> GET 192.168.1.1-192.168.4.3 | /images/* <br> Configure a different separator (for example, &&) when working with the REGEX keyword to avoid invalid regular expressions.",
"propertyOrder" : 7450,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"logoutEntryUri" : {
"title" : "Logout Entry URI",
"description" : "An application-specific Map that identifies a URI to be used as an entry point after successful logout and subsequent successful authentication if applicable. (property name: com.sun.identity.agents.config.logout.entry.uri) <br>Valid key: the web application name. <br>Valid value: the logout entry URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout entry URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout entry URI: leave Map Key field empty, and enter the global application logout entry URI /welcome.html in Corresponding Map Value field. <br> To set the logout entry URI for application BankApp: enter BankApp in Map Key field, and enter the logout entry URI /BankApp/welcome.html in Corresponding Map Value field.",
"propertyOrder" : 6300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"customAuthenticationHandlers" : {
"title" : "Custom Authentication Handler",
"description" : "Application specific authentication handler to authenticate the logged on user with the application server. (property name: com.sun.identity.agents.config.auth.handler) <br>Valid key: the web application name. <br>Valid value: the authentication handler class name. <br>Hot-swap: Yes <br>Example: <br>To set authentication handler for application BankApp: enter BankApp in Map Key field, and enter authentication handler class name BankAuthHandler in Corresponding Map Value field.",
"propertyOrder" : 3200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedUrisRefreshSessionIdleTime" : {
"title" : "Refresh Session Idle Time",
"description" : "Indicates if opensso session idle time should be refreshed or reset for not enforced URIs. (property name: com.sun.identity.agents.config.notenforced.refresh.session.idletime) <br>Hot-swap: Yes",
"propertyOrder" : 8600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
}
}
},
"advancedJ2EEAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"webServiceResponseProcessor" : {
"title" : "Web Service Response Processor",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceResponseProcessor that can be used to process the web-service responses. (property name: com.sun.identity.agents.config.webservice.responseprocessor) <br>Hot-swap: Yes",
"propertyOrder" : 2400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreservation" : {
"title" : "Post Data Preservation enabled",
"description" : "Post Data Preservation stores any POST data before redirecting the user to the login screen; after successful login the agent generates a page that auto-submits the same POST to the original URL. (property name: com.sun.identity.agents.config.postdata.preserve.enable)",
"propertyOrder" : 13100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"xssDetectionRedirectUri" : {
"title" : "XSS detection redirect URI",
"description" : "An application-specific Map that identifies the URI of the customized page to redirect to if XSS code has been detected. (property name: com.sun.identity.agents.config.xss.redirect.uri) <br>Hot-swap: Yes <br>Examples: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field, and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 12900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"missingPostDataPreservationEntryUri" : {
"title" : "Missing PDP entry URI",
"description" : "An application-specific URI Map that is used in case the referenced PDP entry cannot be found in the local cache (due to TTL). In such cases the agent redirects to the specified URI; otherwise it shows an HTTP 403 Forbidden error. (property name: com.sun.identity.agents.config.postdata.preservce.cache.noentry.url)<br>Examples: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field, and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 13200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"webServiceEnabled" : {
"title" : "Web Service Enable",
"description" : "Flag specifies if Web Service processing is enabled. (property name: com.sun.identity.agents.config.webservice.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"jbossWebAuthenticationAvailable" : {
"title" : "WebAuthentication Available",
"description" : "(Not used in Agent 5 onwards) <br>Enable agent to make programmatic authentication with the JBoss web container using WebAuthentication feature. (property name: com.sun.identity.agents.config.jboss.webauth.available) <br>Hot-swap: Yes",
"propertyOrder" : 12300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataStickySessionKeyValue" : {
"title" : "PDP Stickysession key-value",
"description" : "The provided key-value pair will be used for adding to the URL or creating the cookie. <br>Example: <br>Set 'lb=server1' to append to the querystring or to have 'lb' cookie with 'server1' value. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.value)",
"propertyOrder" : 13500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreserveCacheEntryMaxEntries" : {
"title" : "PDP Maximum Number of Cache Entries",
"description" : "Maximum number of entries to hold in the PDP cache (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.entries) (Agent 5 only).",
"propertyOrder" : 13550,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"possibleXssCodeElements" : {
"title" : "Possible XSS code elements",
"description" : "If one of these strings occurs in the request, the client is redirected to an error page. (property name: com.sun.identity.agents.config.xss.code.elements) <br>Hot-swap: Yes",
"propertyOrder" : 12800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 1000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"alternativeAgentHostname" : {
"title" : "Alternative Agent Host Name",
"description" : "Host name identifying the Agent protected server to the client browsers if different from the actual host name. (property name: com.sun.identity.agents.config.agent.host) <br>Hot-swap: Yes",
"propertyOrder" : 4100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataStickySessionMode" : {
"title" : "PDP Stickysession mode",
"description" : "The PDP mechanism needs sticky load balancing: the URL mode appends a query string, while the Cookie mode creates a cookie. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.mode)",
"propertyOrder" : 13400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceProcessGetEnabled" : {
"title" : "Web Service Process GET Enable",
"description" : "Flag that indicates if the processing of HTTP GET requests for Web Service endpoints is enabled. (property name: com.sun.identity.agents.config.webservice.process.get.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"alternativeAgentPort" : {
"title" : "Alternative Agent Port Name",
"description" : "Port number identifying the Agent protected server listening port to the client browsers if different from the actual listening port. (property name: com.sun.identity.agents.config.agent.port) <br>Hot-swap: Yes",
"propertyOrder" : 4200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 1100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"alternativeAgentProtocol" : {
"title" : "Alternative Agent Protocol",
"description" : "Protocol being used (http/https) by the client browsers to communicate with the Agent protected server if different from the actual protocol used by the server. (property name: com.sun.identity.agents.config.agent.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 4300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreserveCacheEntryMaxTotalSizeMb" : {
"title" : "PDP Maximum Cache Size",
"description" : "Maximum size of the PDP cache, in megabytes (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.total.size.mb). (Agent 5 only)",
"propertyOrder" : 13600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"webServiceEndpoints" : {
"title" : "Web Service End Points",
"description" : "A list of Web Application end points that represent Web Services. (property name: com.sun.identity.agents.config.webservice.endpoint) <br>Hot-swap: Yes",
"propertyOrder" : 2100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"webServiceInternalErrorContentFile" : {
"title" : "Web Service Internal Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an internal error fault for clients. (property name: com.sun.identity.agents.config.webservice.internalerror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceAuthorizationErrorContentFile" : {
"title" : "Web Service Authorization Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an authorization error fault for clients. (property name: com.sun.identity.agents.config.webservice.autherror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceAuthenticator" : {
"title" : "Web Service Authenticator",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceAuthenticator that can be used to authenticate web-service requests. (property name: com.sun.identity.agents.config.webservice.authenticator) <br>Hot-swap: Yes",
"propertyOrder" : 2300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataCacheTtl" : {
"title" : "PDP entry TTL",
"description" : "How long a given POST entry is stored in the local cache (in milliseconds); the default value is 300000. (property name: com.sun.identity.agents.config.postdata.preserve.cache.entry.ttl)",
"propertyOrder" : 13300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 12200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"ssoJ2EEAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 5100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross Domain Single SignOn. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ssoCacheEnabled" : {
"title" : "SSO Cache Enable",
"description" : "Specifies if the SSO Cache is active for the agent. Cache is used through public APIs exposed by the agent SDK. (property name: com.sun.identity.agents.config.amsso.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetNames" : {
"title" : "Cookies Reset Name List",
"description" : "Cookie names that will be reset by the Agent if Cookie Reset is enabled. (property name: com.sun.identity.agents.config.cdsso.cookie.reset.name) <br>Hot-swap: Yes",
"propertyOrder" : 4700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdssoSecureCookies" : {
"title" : "CDSSO Secure Enable",
"description" : "The SSO Token cookie set by the agent in the different domains in CDSSO mode will be marked secure. Only transmitted if the communications channel with host is a secure one. (property name: com.sun.identity.agents.config.cdsso.secure.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"amCookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.iplanet.am.cookie.name) <br>Hot-swap: No",
"propertyOrder" : 10100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieResetPaths" : {
"title" : "Cookies Reset Path Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the path of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.path) <br>Hot-swap: Yes",
"propertyOrder" : 4900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"cdssoTrustedIdProvider" : {
"title" : "CDSSO Trusted ID Provider",
"description" : "List of AM Server/ID providers that should be trusted by the agent, when evaluating the CDC Liberty Responses. (property name: com.sun.identity.agents.config.cdsso.trusted.id.provider) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdssoClockSkew" : {
"title" : "CDSSO Clock Skew",
"description" : "Time in seconds to be used by the Agent to determine the validity of the CDSSO AuthnResponse assertion. (property name: com.sun.identity.agents.config.cdsso.clock.skew) <br>Hot-swap: Yes",
"propertyOrder" : 5300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetDomains" : {
"title" : "Cookies Reset Domain Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the domain of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.domain) <br>Hot-swap: Yes",
"propertyOrder" : 4800,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"cdssoDomainList" : {
"title" : "CDSSO Domain List",
"description" : "Domains for which cookies have to be set in a CDSSO scenario. (property name: com.sun.identity.agents.config.cdsso.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 5800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"miscJ2EEAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"portCheckEnabled" : {
"title" : "Port Check Enable",
"description" : "Indicates if port check functionality is enabled or disabled. (property name: com.sun.identity.agents.config.port.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"localeLanguage" : {
"title" : "Locale Language",
"description" : "(property name: com.sun.identity.agents.config.locale.language) <br>Hot-swap: No",
"propertyOrder" : 1300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 18600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"portCheckSetting" : {
"title" : "Port Check Setting",
"description" : "Map of port versus protocol entries with the key being the listening port number and value being the listening protocol to be used by the Agent to identify requests with invalid port numbers. (property name: com.sun.identity.agents.config.port.check.setting) <br>Hot-swap: Yes <br> Example: <br> To map port 80 to protocol http: enter 80 in Map Key field, and enter http in Corresponding Map Value field.",
"propertyOrder" : 7400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. Default value should be changed only when the login URL has a landing page specified <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcservlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent:port/original.jsp",
"propertyOrder" : 3600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"bypassPrincipalList" : {
"title" : "Bypass Principal List",
"description" : "List of principals that are bypassed by the Agent for authentication and search purposes. (property name: com.sun.identity.agents.config.bypass.principal) <br>Hot-swap: Yes <br> Examples: <br> guest <br> testuser",
"propertyOrder" : 9300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"portCheckFile" : {
"title" : "Port Check File",
"description" : "Name or complete path of a file that has the necessary content needed to handle requests that need port correction. (property name: com.sun.identity.agents.config.port.check.file) <br>Hot-swap: Yes",
"propertyOrder" : 7300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"legacyUserAgentList" : {
"title" : "Legacy User Agent List",
"description" : "List of user agent header values that identify legacy browsers. Entries in this list can have wild card character '*'. (property name: com.sun.identity.agents.config.legacy.user.agent) <br>Hot-swap: Yes",
"propertyOrder" : 6800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"encryptionProvider" : {
"title" : "Encryption Provider",
"description" : "Specifies the encryption provider implementation to be used by the Agent. (property name: com.iplanet.security.encryptor) <br>Hot-swap: No",
"propertyOrder" : 10400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"localeCountry" : {
"title" : "Locale Country",
"description" : "(property name: com.sun.identity.agents.config.locale.country) <br>Hot-swap: No",
"propertyOrder" : 1400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"legacyUserAgentSupport" : {
"title" : "Legacy User Agent Support Enable",
"description" : "Enables support for legacy user agents (browser). (property name: com.sun.identity.agents.config.legacy.support.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"legacyRedirectUri" : {
"title" : "Legacy User Agent Redirect URI",
"description" : "An intermediate URI used by the Agent to redirect legacy user agent requests. (property name: com.sun.identity.agents.config.legacy.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 6900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
},
"globalJ2EEAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 6600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"filterMode" : {
"title" : "Agent Filter Mode",
"description" : "Specifies the mode of operation of the Filter. (property name: com.sun.identity.agents.config.filter.mode) <br>Valid key: the web application name. <br>Valid values: ALL, J2EE_POLICY (Not used in Agent 5 onwards), URL_POLICY, SSO_ONLY, NONE <br>For this property, a global value can be set to apply to all the applications that don't have their own specific filter mode. <br>Hot-swap: No <br>Examples: <br>To set ALL as the global filter mode: leave Map Key field empty, and enter ALL in Corresponding Map Value field. <br>To set URL_POLICY as the filter mode for application BankApp: enter BankApp in Map Key field, and enter URL_POLICY in Corresponding Map Value field.",
"propertyOrder" : 500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"debugLevel" : {
"title" : "Agent Debug Level",
"description" : "Specifies type of agent debug messages to log. (property name: com.iplanet.services.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 10000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userTokenName" : {
"title" : "User Token Name",
"description" : "Session property name for user-ID of the authenticated user in session. (property name: com.sun.identity.agents.config.user.token) <br>Hot-swap: Yes",
"propertyOrder" : 900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"remoteLogFilename" : {
"title" : "Remote Log File Name",
"description" : "Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: Yes",
"propertyOrder" : 1700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userMappingMode" : {
"title" : "User Mapping Mode",
"description" : "Specifies mechanism agent uses to determine user-ID. (property name: com.sun.identity.agents.config.user.mapping.mode) <br>Hot-swap: Yes",
"propertyOrder" : 600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 1600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 1900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 1500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"configurationReloadInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in seconds between configuration reloads. (property name: com.sun.identity.agents.config.load.interval) <br>Hot-swap: Yes",
"propertyOrder" : 1200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 12105,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 12100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
},
"loginAttemptLimit" : {
"title" : "Login Attempt Limit",
"description" : "Limit of failed login attempts for a user's single browser session until triggering the blocking of the user request. Value of 0 disables this feature. (property name: com.sun.identity.agents.config.login.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 4400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 6500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"repositoryLocation" : {
"title" : "Location of Agent Configuration Repository",
"description" : "Indicates agent's configuration located either on agent's host or centrally on AM server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"redirectAttemptLimit" : {
"title" : "Redirect Attempt Limit",
"description" : "Number of successive single point redirects that a user can make using a single browser session which will trigger the blocking of the user request. Set to 0 to disable this feature. (property name: com.sun.identity.agents.config.redirect.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 7100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"customResponseHeader" : {
"title" : "Custom Response Header",
"description" : "Map specifies the custom headers that are set by the Agent on the client browser. The key is the header name and the value represents the header value. (property name: com.sun.identity.agents.config.response.header) <br>Hot-swap: Yes <br> Example: <br> To set the custom header Cache-Control to value no-cache: enter Cache-Control in Map Key field, and enter no-cache in Corresponding Map Value field.",
"propertyOrder" : 7000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 1800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 11201,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"httpSessionBinding" : {
"title" : "HTTP Session Binding",
"description" : "If true will invalidate the http session when login has failed, user has no SSO session, or principal user name does not match SSO user name. (property name: com.sun.identity.agents.config.httpsession.binding) <br>Hot-swap: Yes",
"propertyOrder" : 3500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"userAttributeName" : {
"title" : "User Attribute Name",
"description" : "Name of the attribute which contains the user-ID. (property name: com.sun.identity.agents.config.user.attribute.name) <br>Hot-swap: Yes",
"propertyOrder" : 700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userPrincipalFlag" : {
"title" : "User Principal Flag",
"description" : "Use principal instead of just the user-ID for authenticating the user. (property name: com.sun.identity.agents.config.user.principal) <br>Hot-swap: Yes",
"propertyOrder" : 800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
}
}
}
/realm-config/agents/J2EEAgent/{id}
1.0
Agents handler that is responsible for managing agents
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amServicesJ2EEAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"authServiceProtocol" : {
"title" : "AM Authentication Service Protocol",
"description" : "Protocol to be used by the AM authentication service. (property name: com.iplanet.am.server.protocol) <br>Hot-swap: No",
"propertyOrder" : 10900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 5400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"serviceDataCacheTime" : {
"title" : "Service Data Cache Time",
"description" : "Cache update time in minutes for service configuration data. If set to '0' no updates happen. (property name: com.sun.identity.sm.cacheTime) <br>Hot-swap: No",
"propertyOrder" : 10800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"userDataCachePollingTime" : {
"title" : "User Data Cache Polling Time",
"description" : "Cache update time in minutes for user management data. If set to '0' no updates happen. (property name: com.iplanet.am.sdk.remote.pollingTime) <br>Hot-swap: No",
"propertyOrder" : 10600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"probeLoginUrl" : {
"title" : "Login URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.login.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 3900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"conditionalLogoutUrl" : {
"title" : "AM Conditional Logout URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.logout.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1&param2=value2 <br> match/path|?param1=value1&param2=value2&param3=value3",
"propertyOrder" : 12550,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"conditionalLoginUrl" : {
"title" : "AM Conditional Login URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.login.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1&param2=value2 <br> match/path|?param1=value1&param2=value2&param3=value3",
"propertyOrder" : 4010,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"loginProbeTimeout" : {
"title" : "Login URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Login URL Probe is set to true. (property name: com.sun.identity.agents.config.login.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 4000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"clientPollingPeriod" : {
"title" : "Client Polling Period",
"description" : "(Not used in Agent 5 onwards) <br>Time in seconds after which the session client will request update of cached session information from the server. (property name: com.iplanet.am.session.client.polling.period) <br>Hot-swap: No",
"propertyOrder" : 10300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"urlPolicyEnvGetParameters" : {
"title" : "URL Policy Env GET Parameters",
"description" : "List of HTTP GET request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.get.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClientCacheMode" : {
"title" : "Policy Client Cache Mode",
"description" : "Mode of caching to be used by remote policy client. (property name: com.sun.identity.policy.client.cacheMode) <br>Hot-swap: No",
"propertyOrder" : 11400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"loginUrlPrioritized" : {
"title" : "Login URL Prioritized",
"description" : "Specifies if failover sequence for Login URLs or CDSSO URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.login.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 3800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyNotifications" : {
"title" : "Enable Policy Notifications",
"description" : "Enable Notifications for remote policy client. (property name: com.sun.identity.agents.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 11200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logoutProbeTimeout" : {
"title" : "Logout URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Logout URL Probe is set to true. (property name: com.sun.identity.agents.config.logout.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 12700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"policyClientPollingInterval" : {
"title" : "Policy Client Polling Interval",
"description" : "Duration in minutes after which the cached entries are refreshed by remote policy client. (property name: com.sun.identity.agents.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 11300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"urlPolicyEnvJsessionParameters" : {
"title" : "URL Policy Env jsession Parameters",
"description" : "List of HTTP SESSION attributes whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.jsession.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 12000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with. (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 5500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 12400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"useRedirectForCompositeAdvice" : {
"title" : "Use HTTP-Redirect for composite advice",
"description" : "Configure remote policy client to use HTTP-redirect instead of HTTP-POST for composite advices. (property name: com.sun.identity.agents.config.policy.advice.use.redirect) <br>Hot-swap: Yes",
"propertyOrder" : 13000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logoutUrlPrioritized" : {
"title" : "Logout URL Prioritized",
"description" : "Specifies if failover sequence for Logout URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.logout.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 12500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"urlPolicyEnvPostParameters" : {
"title" : "URL Policy Env POST Parameters",
"description" : "List of HTTP POST request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.post.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"enableClientPolling" : {
"title" : "Enable Client Polling",
"description" : "Specifies if the session client must use polling for updating session information and not depend upon server notifications. (property name: com.iplanet.am.session.client.polling.enable) <br>Hot-swap: No",
"propertyOrder" : 10200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyClientResourceComparators" : {
"title" : "Policy Client Resource Comparators",
"description" : "Resource Comparators to be used for different service names. (property name: com.sun.identity.policy.client.resourceComparators) <br>Hot-swap: No",
"propertyOrder" : 11600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"probeLogoutUrl" : {
"title" : "Logout URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.logout.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 12600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"userDataCacheNotifications" : {
"title" : "Enable Notification of User Data Caches",
"description" : "Enable notifications for amsdk and IdRepo Caches. (property name: com.sun.identity.idm.remote.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyActionBooleanValues" : {
"title" : "Policy Client Boolean Action Values",
"description" : "Boolean action values for policy action names. (property name: com.sun.identity.policy.client.booleanActionValues) <br>Hot-swap: No",
"propertyOrder" : 11500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 3700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClientClockSkew" : {
"title" : "Policy Client Clock Skew",
"description" : "Time in seconds which is allowed to accommodate the time difference between the AM server machine and the remote policy client machine. (property name: com.sun.identity.policy.client.clockSkew) <br>Hot-swap: No",
"propertyOrder" : 11700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"serviceDataCacheNotifications" : {
"title" : "Enable Notification of Service Data Caches",
"description" : "Enable the notifications for service management caches. (property name: com.sun.identity.sm.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"authServiceHost" : {
"title" : "AM Authentication Service Host Name",
"description" : "Host name to be used by the AM authentication service. (property name: com.iplanet.am.server.host) <br>Hot-swap: No",
"propertyOrder" : 11000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"authServicePort" : {
"title" : "AM Authentication Service Port",
"description" : "Port to be used by the AM authentication service. (property name: com.iplanet.am.server.port) <br>Hot-swap: No",
"propertyOrder" : 11100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"applicationJ2EEAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"notEnforcedUrisCacheEnabled" : {
"title" : "Not Enforced URIs Cache Enabled",
"description" : "Enables the caching of the Not Enforced URIs list evaluation results. (property name: com.sun.identity.agents.config.notenforced.uri.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"headerAttributeDateFormat" : {
"title" : "Fetch Attribute Date Format",
"description" : "Format of date attribute values to be used when the attribute is being set as HTTP header. Format is based on java.text.SimpleDateFormat. (property name: com.sun.identity.agents.config.attribute.date.format) <br>Hot-swap: Yes",
"propertyOrder" : 8400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedUrisCacheSize" : {
"title" : "Not Enforced URIs Cache Size",
"description" : "Size of the cache to be used if caching of not enforced URI list evaluation results is enabled. (property name: com.sun.identity.agents.config.notenforced.uri.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 7800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"applicationLogoutHandlers" : {
"title" : "Application Logout Handler",
"description" : "An application-specific Map that identifies a handler to be used for logout processing. (property name: com.sun.identity.agents.config.logout.application.handler) <br>Valid key: the web application name. <br>Valid value: the application logout handler class name. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout handler. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout handler: leave Map Key field empty, and enter the global application logout handler class name GlobalApplicationLogoutHandler in Corresponding Map Value field. <br>To set the logout handler for application BankApp: enter BankApp in Map Key field, and enter the application logout handler class name BankAppLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 5900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedIpsCacheSize" : {
"title" : "Not Enforced IP Cache Size",
"description" : "Size of the cache to be used if Not Enforced IP Cache Flag is enabled. (property name: com.sun.identity.agents.config.notenforced.ip.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 8200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"invertNotEnforcedUris" : {
"title" : "Invert Not Enforced URIs",
"description" : "Inverts protection of URIs specified in Not Enforced URIs list. When set to true, it indicates that the URIs specified should be enforced and all other URIs should be not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri.invert) <br>Hot-swap: Yes",
"propertyOrder" : 7600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"applicationLogoutUris" : {
"title" : "Application Logout URI",
"description" : "An application-specific Map that identifies a request URI which indicates a logout event. (property name: com.sun.identity.agents.config.logout.uri) <br>Valid key: the web application name. <br>Valid value: the application logout URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout URI: leave Map Key field empty, and enter the global application logout URI /logout.jsp in Corresponding Map Value field. <br> To set the logout URI for application BankApp: enter BankApp in Map Key field, and enter the application logout URI /BankApp/logout.jsp in Corresponding Map Value field.",
"propertyOrder" : 6000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"profileAttributeMap" : {
"title" : "Profile Attribute Mapping",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 8800,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"responseAttributeMap" : {
"title" : "Response Attribute Mapping",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 9200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"logoutIntrospection" : {
"title" : "Logout Introspect Enabled",
"description" : "Allows the Agent to search HTTP request body to locate logout parameter. (property name: com.sun.identity.agents.config.logout.introspect.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 6200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"resourceAccessDeniedUri" : {
"title" : "Resource Access Denied URI",
"description" : "An application-specific Map that identifies a URI of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.uri) <br>Valid key: the web application name. <br>Valid value: the customized application access denied page URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific access denied page. <br>Hot-swap: Yes <br> Examples: <br>To set a global access denied page: leave Map Key field empty, and enter the global access denied page URI /sample/accessdenied.html in Corresponding Map Value field. <br> To set the access denied page URI for application BankApp: enter BankApp in Map Key field, and enter the application access denied page URI /BankApp/accessdenied.html in Corresponding Map Value field.",
"propertyOrder" : 2700,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedUris" : {
"title" : "Not Enforced URIs",
"description" : "List of URIs for which protection is not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri) <br>Hot-swap: Yes <br> Examples: <br> /BankApp/public/* <br> /BankApp/images/*",
"propertyOrder" : 7500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"privilegedAttributesToLowerCase" : {
"title" : "Privileged Attributes To Lower Case",
"description" : "(Not used in Agent 5 onwards) <br>Maps the privileged attribute types to whether they should be converted to lowercase. (property name: com.sun.identity.agents.config.privileged.attribute.tolowercase) <br> Valid Keys: the privileged attribute types, such as Group, Role. <br>Valid value: true, false. <br>Hot-swap: Yes <br> Example: <br> Enter Group in Map Key field, and enter false in Corresponding Map Value field.",
"propertyOrder" : 9600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedIpsCacheEnabled" : {
"title" : "Not Enforced IP Cache Flag",
"description" : "Enable caching of not-enforced IP list evaluation results. (property name: com.sun.identity.agents.config.notenforced.ip.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 8100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"defaultPrivilegedAttributes" : {
"title" : "Default Privileged Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attributes that will be granted to all users who have a valid AM session. (property name: com.sun.identity.agents.config.default.privileged.attribute) <br>Hot-swap: Yes <br> Example: <br> AUTHENTICATED_USERS",
"propertyOrder" : 9400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3210,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"privilegedAttributeType" : {
"title" : "Privileged Attribute Type",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attribute types that will be fetched for each user. (property name: com.sun.identity.agents.config.privileged.attribute.type) <br>Hot-swap: Yes <br> Example: <br> Group",
"propertyOrder" : 9500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieAttributeMultiValueSeparator" : {
"title" : "Cookie Separator Character",
"description" : "Character that will be used to separate multiple values of the same attribute when it is being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.separator) <br>Hot-swap: Yes",
"propertyOrder" : 8300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cookieAttributeUrlEncoded" : {
"title" : "Attribute Cookie Encode",
"description" : "Indicates if the value of the attribute should be URL encoded before being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.encode) <br>Hot-swap: Yes",
"propertyOrder" : 8500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"privilegedSessionAttribute" : {
"title" : "Privileged Session Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of session property names which hold privileged attributes for the authenticated user. (property name: com.sun.identity.agents.config.privileged.session.attribute) <br>Hot-swap: Yes <br> Example: <br> UserToken",
"propertyOrder" : 9700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"loginContentFile" : {
"title" : "Login Content File Name",
"description" : "Complete path and name of custom login content file. (property name: com.sun.identity.agents.config.login.content.file) <br>Hot-swap: Yes",
"propertyOrder" : 3100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "The mode of fetching profile attributes. (property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization protection from agent are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 7900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"logoutRequestParameters" : {
"title" : "Logout Request Parameter",
"description" : "An application-specific Map that identifies a parameter which when present in the HTTP request indicates a logout event. (property name: com.sun.identity.agents.config.logout.request.param) <br>Valid key: the web application name. <br>Valid value: the logout request parameter. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout request parameter. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout request parameter: leave Map Key field empty, and enter the global application logout request parameter logoutparam in Corresponding Map Value field. <br> To set the logout request parameter for application BankApp: enter BankApp in Map Key field, and enter the logout request parameter logoutparam in Corresponding Map Value field.",
"propertyOrder" : 6100,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3211,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"shortenedPrivilegeAttributeValues" : {
"title" : "Shortened privilege attribute values",
"description" : "When using privileged attribute type, this setting will ensure that the membership details will be stored in a shortened format and not in the default universal ID format.<br><br>By default the agent maps identity memberships using their universal IDs (e.g. id=admin,ou=group,dc=openam,dc=forgerock,dc=org), however this may not be always acceptable. Using this setting the identity membership details will be mapped in a shortened format, only including the group's/role's name (e.g. admin). Be aware that in case there are both roles and groups in the data store, this setting will make them indistinguishable from each other, i.e. if there is a group and a role with the same name it will not be possible to differentiate them.",
"propertyOrder" : 13600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "The mode of fetching session attributes. (property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"privilegedAttributeMappingEnabled" : {
"title" : "Enable Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Enable a mapping from the original value of an attribute to another value, to satisfy container-specific restrictions on the character set used in certain configuration files. (property name: com.sun.identity.agents.config.privileged.attribute.mapping.enable) <br>Hot-swap: Yes",
"propertyOrder" : 9800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"loginErrorUri" : {
"title" : "Login Error URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-error-page element. (property name: com.sun.identity.agents.config.login.error.uri) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/error.jsp",
"propertyOrder" : 2900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"invertNotEnforcedIps" : {
"title" : "Not Enforced IP Invert List",
"description" : "Inverts protection of the client IP addresses listed in the related Not Enforced Client IP List. (property name: com.sun.identity.agents.config.notenforced.ip.invert) <br>Hot-swap: Yes",
"propertyOrder" : 8000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "The mode of fetching policy response attributes. (property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 9100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"sessionAttributeMap" : {
"title" : "Session Attribute Mapping",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 9000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"customVerificationHandlers" : {
"title" : "Custom Verification Handler",
"description" : "Application specific verification handler to validate the user credentials with the local repository. (property name: com.sun.identity.agents.config.verification.handler) <br>Valid key: the web application name. <br>Valid value: the verification handler class name. <br>Hot-swap: Yes <br> Example: <br> To set verification handler for application BankApp: enter BankApp in Map Key field, and enter verification handler class name BankVerificationHandler in Corresponding Map Value field.",
"propertyOrder" : 3400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"loginFormUri" : {
"title" : "Login Form URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-login-page element. (property name: com.sun.identity.agents.config.login.form) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/login.jsp",
"propertyOrder" : 2800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"customLogoutHandlers" : {
"title" : "Custom Logout Handler",
"description" : "Application specific logout handler to log out a user with the application server. (property name: com.sun.identity.agents.config.logout.handler) <br>Valid key: the web application name. <br>Valid value: the logout handler class name. <br>Hot-swap: Yes <br> Example: <br>To set logout handler for application BankApp: enter BankApp in Map Key field, and enter logout handler class name BankLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 3300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"privilegedAttributeMap" : {
"title" : "Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Map if using Enable Privileged Attribute Mapping. (property name: com.sun.identity.agents.config.privileged.attribute.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map UUID id=manager,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_manager_role specified in webapp's deployment descriptor: enter id=manager,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_manager_role in Corresponding Map Value field. <br> To map UUID id=employee,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_employee_role specified in webapp's deployment descriptor: enter id=employee,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_employee_role in Corresponding Map Value field.",
"propertyOrder" : 9900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"useInternalLogin" : {
"title" : "Use Internal Login",
"description" : "Set to false if you want to customize the Login Content File instead of using the default internal content provided. (property name: com.sun.identity.agents.config.login.use.internal) <br>Hot-swap: Yes",
"propertyOrder" : 3000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"notEnforcedRuleCompoundSeparator" : {
"title" : "Not Enforced Compound Rule Separator",
"description" : "Specifies a separator for not enforced compound rules (Agent 5 only). The format for compound rules requires a list of IP rules, a separator (by default the | character), and a list of URI rules. For example: GET 192.168.1.1-192.168.4.3 | /images/* <br>Configure a different separator (for example, &&) when working with the REGEX keyword to avoid invalid regular expressions.",
"propertyOrder" : 7450,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"logoutEntryUri" : {
"title" : "Logout Entry URI",
"description" : "An application-specific Map that identifies a URI to be used as an entry point after successful logout and subsequent successful authentication if applicable. (property name: com.sun.identity.agents.config.logout.entry.uri) <br>Valid key: the web application name. <br>Valid value: the logout entry URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout entry URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout entry URI: leave Map Key field empty, and enter the global application logout entry URI /welcome.html in Corresponding Map Value field. <br> To set the logout entry URI for application BankApp: enter BankApp in Map Key field, and enter the logout entry URI /BankApp/welcome.html in Corresponding Map Value field.",
"propertyOrder" : 6300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"customAuthenticationHandlers" : {
"title" : "Custom Authentication Handler",
"description" : "Application specific authentication handler to authenticate the logged on user with the application server. (property name: com.sun.identity.agents.config.auth.handler) <br>Valid key: the web application name. <br>Valid value: the authentication handler class name. <br>Hot-swap: Yes <br>Example: <br>To set authentication handler for application BankApp: enter BankApp in Map Key field, and enter authentication handler class name BankAuthHandler in Corresponding Map Value field.",
"propertyOrder" : 3200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedUrisRefreshSessionIdleTime" : {
"title" : "Refresh Session Idle Time",
"description" : "Indicates if opensso session idle time should be refreshed or reset for not enforced URIs. (property name: com.sun.identity.agents.config.notenforced.refresh.session.idletime) <br>Hot-swap: Yes",
"propertyOrder" : 8600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
}
}
},
"advancedJ2EEAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"webServiceResponseProcessor" : {
"title" : "Web Service Response Processor",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceResponseProcessor that can be used to process the web-service responses. (property name: com.sun.identity.agents.config.webservice.responseprocessor) <br>Hot-swap: Yes",
"propertyOrder" : 2400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreservation" : {
"title" : "Post Data Preservation enabled",
"description" : "Post Data Preservation stores any POST data before redirecting the user to the login screen; after successful login the agent generates a page that auto-submits the same POST to the original URL. (property name: com.sun.identity.agents.config.postdata.preserve.enable)",
"propertyOrder" : 13100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"xssDetectionRedirectUri" : {
"title" : "XSS detection redirect URI",
"description" : "An application-specific Map that identifies a URI of the customized page if XSS code has been detected. (property name: com.sun.identity.agents.config.xss.redirect.uri) <br>Hot-swap: Yes <br>Examples: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field, and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 12900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"missingPostDataPreservationEntryUri" : {
"title" : "Missing PDP entry URI",
"description" : "An application-specific URI Map that is used in case the referenced PDP entry cannot be found in the local cache (due to TTL expiry). In such cases the agent redirects to the specified URI; otherwise it shows an HTTP 403 Forbidden error. (property name: com.sun.identity.agents.config.postdata.preservce.cache.noentry.url)<br>Examples: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 13200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"webServiceEnabled" : {
"title" : "Web Service Enable",
"description" : "Flag specifies if Web Service processing is enabled. (property name: com.sun.identity.agents.config.webservice.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"jbossWebAuthenticationAvailable" : {
"title" : "WebAuthentication Available",
"description" : "(Not used in Agent 5 onwards) <br>Enable agent to make programmatic authentication with the JBoss web container using WebAuthentication feature. (property name: com.sun.identity.agents.config.jboss.webauth.available) <br>Hot-swap: Yes",
"propertyOrder" : 12300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataStickySessionKeyValue" : {
"title" : "PDP Stickysession key-value",
"description" : "The key-value pair to append to the URL or to set as a cookie, depending on the PDP Stickysession mode. <br>Example: <br>Set 'lb=server1' to append lb=server1 to the query string, or to set an 'lb' cookie with the value 'server1'. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.value)",
"propertyOrder" : 13500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreserveCacheEntryMaxEntries" : {
"title" : "PDP Maximum Number of Cache Entries",
"description" : "Maximum number of entries to hold in the PDP cache (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.entries) (Agent 5 only).",
"propertyOrder" : 13550,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"possibleXssCodeElements" : {
"title" : "Possible XSS code elements",
"description" : "If one of these strings occurs in the request, the client is redirected to an error page. (property name: com.sun.identity.agents.config.xss.code.elements) <br>Hot-swap: Yes",
"propertyOrder" : 12800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 1000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"alternativeAgentHostname" : {
"title" : "Alternative Agent Host Name",
"description" : "Host name identifying the Agent protected server to the client browsers if different from the actual host name. (property name: com.sun.identity.agents.config.agent.host) <br>Hot-swap: Yes",
"propertyOrder" : 4100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataStickySessionMode" : {
"title" : "PDP Stickysession mode",
"description" : "The PDP mechanism requires sticky load balancing: URL mode appends a query string to the URL, while Cookie mode creates a cookie. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.mode)",
"propertyOrder" : 13400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceProcessGetEnabled" : {
"title" : "Web Service Process GET Enable",
"description" : "Flag that indicates whether processing of HTTP GET requests for Web Service endpoints is enabled. (property name: com.sun.identity.agents.config.webservice.process.get.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"alternativeAgentPort" : {
"title" : "Alternative Agent Port Name",
"description" : "Port number identifying the Agent protected server listening port to the client browsers if different from the actual listening port. (property name: com.sun.identity.agents.config.agent.port) <br>Hot-swap: Yes",
"propertyOrder" : 4200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 1100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"alternativeAgentProtocol" : {
"title" : "Alternative Agent Protocol",
"description" : "Protocol being used (http/https) by the client browsers to communicate with the Agent protected server if different from the actual protocol used by the server. (property name: com.sun.identity.agents.config.agent.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 4300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreserveCacheEntryMaxTotalSizeMb" : {
"title" : "PDP Maximum Cache Size",
"description" : "Maximum size of the PDP cache, in megabytes (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.total.size.mb). (Agent 5 only)",
"propertyOrder" : 13600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"webServiceEndpoints" : {
"title" : "Web Service End Points",
"description" : "A list of Web Application end points that represent Web Services. (property name: com.sun.identity.agents.config.webservice.endpoint) <br>Hot-swap: Yes",
"propertyOrder" : 2100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"webServiceInternalErrorContentFile" : {
"title" : "Web Service Internal Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an internal error fault for clients. (property name: com.sun.identity.agents.config.webservice.internalerror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceAuthorizationErrorContentFile" : {
"title" : "Web Service Authorization Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an authorization error fault for clients. (property name: com.sun.identity.agents.config.webservice.autherror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceAuthenticator" : {
"title" : "Web Service Authenticator",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceAuthenticator that can be used to authenticate web-service requests. (property name: com.sun.identity.agents.config.webservice.authenticator) <br>Hot-swap: Yes",
"propertyOrder" : 2300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataCacheTtl" : {
"title" : "PDP entry TTL",
"description" : "How long a POST entry is kept in the local cache, in milliseconds; the default is 300000 (5 minutes). (property name: com.sun.identity.agents.config.postdata.preserve.cache.entry.ttl)",
"propertyOrder" : 13300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 12200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"ssoJ2EEAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 5100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross Domain Single Sign-On. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ssoCacheEnabled" : {
"title" : "SSO Cache Enable",
"description" : "Specifies if the SSO Cache is active for the agent. Cache is used through public APIs exposed by the agent SDK. (property name: com.sun.identity.agents.config.amsso.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetNames" : {
"title" : "Cookies Reset Name List",
"description" : "Cookie names that will be reset by the Agent if Cookie Reset is enabled. (property name: com.sun.identity.agents.config.cdsso.cookie.reset.name) <br>Hot-swap: Yes",
"propertyOrder" : 4700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdssoSecureCookies" : {
"title" : "CDSSO Secure Enable",
"description" : "The SSO Token cookie that the agent sets in the different domains in CDSSO mode is marked Secure, so browsers only send it when the communication channel with the host is a secure (HTTPS) one. (property name: com.sun.identity.agents.config.cdsso.secure.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"amCookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.iplanet.am.cookie.name) <br>Hot-swap: No",
"propertyOrder" : 10100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieResetPaths" : {
"title" : "Cookies Reset Path Map",
"description" : "Maps each cookie name in the Cookie Reset Name List to the path to use for that cookie when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.path) <br>Hot-swap: Yes",
"propertyOrder" : 4900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"cdssoTrustedIdProvider" : {
"title" : "CDSSO Trusted ID Provider",
"description" : "List of AM Server/ID providers that should be trusted by the agent, when evaluating the CDC Liberty Responses. (property name: com.sun.identity.agents.config.cdsso.trusted.id.provider) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdssoClockSkew" : {
"title" : "CDSSO Clock Skew",
"description" : "Time in seconds to be used by the Agent to determine the validity of the CDSSO AuthnResponse assertion. (property name: com.sun.identity.agents.config.cdsso.clock.skew) <br>Hot-swap: Yes",
"propertyOrder" : 5300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetDomains" : {
"title" : "Cookies Reset Domain Map",
"description" : "Maps each cookie name in the Cookie Reset Name List to the domain to use for that cookie when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.domain) <br>Hot-swap: Yes",
"propertyOrder" : 4800,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"cdssoDomainList" : {
"title" : "CDSSO Domain List",
"description" : "Domains for which cookies have to be set in a CDSSO scenario. (property name: com.sun.identity.agents.config.cdsso.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 5800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"miscJ2EEAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"portCheckEnabled" : {
"title" : "Port Check Enable",
"description" : "Indicates if port check functionality is enabled or disabled. (property name: com.sun.identity.agents.config.port.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"localeLanguage" : {
"title" : "Locale Language",
"description" : "Language part of the locale used by the agent. (property name: com.sun.identity.agents.config.locale.language) <br>Hot-swap: No",
"propertyOrder" : 1300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "If true, the path info is stripped from the request URL when checking the Not Enforced List and evaluating URL policy. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 18600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"portCheckSetting" : {
"title" : "Port Check Setting",
"description" : "Map of port versus protocol entries with the key being the listening port number and value being the listening protocol to be used by the Agent to identify requests with invalid port numbers. (property name: com.sun.identity.agents.config.port.check.setting) <br>Hot-swap: Yes <br> Example: <br> To map port 80 to protocol http: enter 80 in Map Key field, and enter http in Corresponding Map Value field.",
"propertyOrder" : 7400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Used only when CDSSO is enabled. Change the default value only when the login URL has a landing page specified. <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The Agent uses this parameter to append the original request URL to that cdcservlet URL; the landing page consumes the parameter to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent:port/original.jsp",
"propertyOrder" : 3600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"bypassPrincipalList" : {
"title" : "Bypass Principal List",
"description" : "List of principals that are bypassed by the Agent for authentication and search purposes. (property name: com.sun.identity.agents.config.bypass.principal) <br>Hot-swap: Yes <br> Examples: <br> guest <br> testuser",
"propertyOrder" : 9300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"portCheckFile" : {
"title" : "Port Check File",
"description" : "Name or complete path of a file that has the necessary content needed to handle requests that need port correction. (property name: com.sun.identity.agents.config.port.check.file) <br>Hot-swap: Yes",
"propertyOrder" : 7300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"legacyUserAgentList" : {
"title" : "Legacy User Agent List",
"description" : "List of user agent header values that identify legacy browsers. Entries in this list can have wild card character '*'. (property name: com.sun.identity.agents.config.legacy.user.agent) <br>Hot-swap: Yes",
"propertyOrder" : 6800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"encryptionProvider" : {
"title" : "Encryption Provider",
"description" : "Specifies the encryption provider implementation to be used by the Agent. (property name: com.iplanet.security.encryptor) <br>Hot-swap: No",
"propertyOrder" : 10400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"localeCountry" : {
"title" : "Locale Country",
"description" : "Country part of the locale used by the agent. (property name: com.sun.identity.agents.config.locale.country) <br>Hot-swap: No",
"propertyOrder" : 1400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"legacyUserAgentSupport" : {
"title" : "Legacy User Agent Support Enable",
"description" : "Enables support for legacy user agents (browser). (property name: com.sun.identity.agents.config.legacy.support.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"legacyRedirectUri" : {
"title" : "Legacy User Agent Redirect URI",
"description" : "An intermediate URI used by the Agent to redirect legacy user agent requests. (property name: com.sun.identity.agents.config.legacy.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 6900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
},
"globalJ2EEAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 6600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"filterMode" : {
"title" : "Agent Filter Mode",
"description" : "Specifies the mode of operation of the Filter. (property name: com.sun.identity.agents.config.filter.mode) <br>Valid key: the web application name. <br>Valid values: ALL, J2EE_POLICY (Not used in Agent 5 onwards), URL_POLICY, SSO_ONLY, NONE <br>For this property, a global value can be set to apply to all the applications that don't have their own specific filter mode. <br>Hot-swap: No <br>Examples: <br>To set ALL as the global filter mode: leave Map Key field empty, and enter ALL in Corresponding Map Value field. <br>To set URL_POLICY as the filter mode for application BankApp: enter BankApp in Map Key field, and enter URL_POLICY in Corresponding Map Value field.",
"propertyOrder" : 500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"debugLevel" : {
"title" : "Agent Debug Level",
"description" : "Specifies type of agent debug messages to log. (property name: com.iplanet.services.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 10000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userTokenName" : {
"title" : "User Token Name",
"description" : "Session property name for user-ID of the authenticated user in session. (property name: com.sun.identity.agents.config.user.token) <br>Hot-swap: Yes",
"propertyOrder" : 900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"remoteLogFilename" : {
"title" : "Remote Log File Name",
"description" : "Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: Yes",
"propertyOrder" : 1700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userMappingMode" : {
"title" : "User Mapping Mode",
"description" : "Specifies mechanism agent uses to determine user-ID. (property name: com.sun.identity.agents.config.user.mapping.mode) <br>Hot-swap: Yes",
"propertyOrder" : 600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 1600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 1900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 1500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"configurationReloadInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in seconds between configuration reloads. (property name: com.sun.identity.agents.config.load.interval) <br>Hot-swap: Yes",
"propertyOrder" : 1200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 12105,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 12100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
},
"loginAttemptLimit" : {
"title" : "Login Attempt Limit",
"description" : "Number of failed login attempts allowed in a single browser session before the agent blocks the user's request. A value of 0 disables this feature. (property name: com.sun.identity.agents.config.login.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 4400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 6500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"repositoryLocation" : {
"title" : "Location of Agent Configuration Repository",
"description" : "Indicates whether the agent's configuration is stored locally on the agent's host or centrally on the AM server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"redirectAttemptLimit" : {
"title" : "Redirect Attempt Limit",
"description" : "Number of successive single-point redirects a user can make in a single browser session before the agent blocks the user's request. Set to 0 to disable this feature. (property name: com.sun.identity.agents.config.redirect.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 7100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"customResponseHeader" : {
"title" : "Custom Response Header",
"description" : "Map specifies the custom headers that are set by the Agent on the client browser. The key is the header name and the value represents the header value. (property name: com.sun.identity.agents.config.response.header) <br>Hot-swap: Yes <br> Example: <br> To set the custom header Cache-Control to value no-cache: enter Cache-Control in Map Key field, and enter no-cache in Corresponding Map Value field.",
"propertyOrder" : 7000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 1800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 11201,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"httpSessionBinding" : {
"title" : "HTTP Session Binding",
"description" : "If true, the agent invalidates the HTTP session when login has failed, the user has no SSO session, or the principal user name does not match the SSO user name. (property name: com.sun.identity.agents.config.httpsession.binding) <br>Hot-swap: Yes",
"propertyOrder" : 3500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"userAttributeName" : {
"title" : "User Attribute Name",
"description" : "Name of the attribute which contains the user-ID. (property name: com.sun.identity.agents.config.user.attribute.name) <br>Hot-swap: Yes",
"propertyOrder" : 700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userPrincipalFlag" : {
"title" : "User Principal Flag",
"description" : "Use principal instead of just the user-ID for authenticating the user. (property name: com.sun.identity.agents.config.user.principal) <br>Hot-swap: Yes",
"propertyOrder" : 800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
}
}
}
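Every property in the schema above is an object with a required boolean `inherited` and an optional typed `value`; map-valued properties such as `customResponseHeaders` carry `patternProperties`, list-valued ones carry `items`. The following Python is an added example, not code from this page or from AM, showing a validator for an update body in that shape. It embeds a hand-copied subset of the schema (constructed so it runs offline); the rule that a property with `inherited: true` resolves to the agent group's value, and the status value `Active`, are assumptions of the example.

```python
"""Validate a J2EE agent configuration body against the inherited/value
property shape of the AM agent schema on this page.

Added example; not code from the page or from AM. SCHEMA_FRAGMENT is a
hand-copied subset of the page's schema, constructed here so the example runs
offline. That an `inherited: true` property resolves to the agent group's
value is an assumption of this example, not something the schema states."""
from typing import Any, Dict, List

# Constructed subset of the page's schema, kept in the page's own shape.
SCHEMA_FRAGMENT: Dict[str, Any] = {
    "customResponseHeaders": {           # map-valued: patternProperties types the entries
        "patternProperties": {".*": {"type": "string"}},
        "type": "object",
        "properties": {"inherited": {"type": "boolean", "required": True},
                       "value": {"type": "object", "required": False}},
    },
    "localAuditLogRotation": {
        "type": "object",
        "properties": {"inherited": {"type": "boolean", "required": True},
                       "value": {"type": "boolean", "required": False}},
    },
    "jwtName": {
        "type": "object",
        "properties": {"inherited": {"type": "boolean", "required": True},
                       "value": {"type": "string", "required": False}},
    },
    "httpSessionBinding": {
        "type": "object",
        "properties": {"inherited": {"type": "boolean", "required": True},
                       "value": {"type": "boolean", "required": False}},
    },
    "status": {                          # the one property whose value is required
        "type": "object",
        "properties": {"inherited": {"type": "boolean", "required": True},
                       "value": {"type": "string", "required": True}},
    },
    "notEnforcedUris": {                 # list-valued: items types the elements
        "items": {"type": "string"},
        "type": "object",
        "properties": {"inherited": {"type": "boolean", "required": True},
                       "value": {"type": "array", "required": False}},
    },
}

_PY_TYPES = {"string": str, "boolean": bool, "integer": int, "object": dict, "array": list}


def _has_type(value: Any, json_type: str) -> bool:
    """JSON-schema style type check: a bool is not an integer."""
    if json_type == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, _PY_TYPES[json_type])


def validate_body(body: Dict[str, Any], schema: Dict[str, Any] = SCHEMA_FRAGMENT) -> List[str]:
    """Return the problems found in body (empty list when it is acceptable)."""
    problems: List[str] = []
    for name, prop in body.items():
        spec = schema.get(name)
        if spec is None:
            problems.append(f"{name}: unknown property")
            continue
        if not isinstance(prop, dict) or not isinstance(prop.get("inherited"), bool):
            problems.append(f"{name}: 'inherited' (boolean) is required")
            continue
        value_spec = spec["properties"]["value"]
        if "value" not in prop:
            if value_spec["required"]:
                problems.append(f"{name}: 'value' is required")
            continue
        value = prop["value"]
        if not _has_type(value, value_spec["type"]):
            problems.append(f"{name}: value must be {value_spec['type']}")
            continue
        if "patternProperties" in spec:  # every map entry must have the declared type
            entry_type = spec["patternProperties"][".*"]["type"]
            bad = [k for k, v in value.items() if not _has_type(v, entry_type)]
            if bad:
                problems.append(f"{name}: map values {bad} must be {entry_type}")
        if "items" in spec:              # every list element must have the declared type
            item_type = spec["items"]["type"]
            if any(not _has_type(v, item_type) for v in value):
                problems.append(f"{name}: list items must be {item_type}")
    return problems


def set_value(body: Dict[str, Any], name: str, value: Any) -> Dict[str, Any]:
    """Give the property an explicit per-agent value."""
    body[name] = {"inherited": False, "value": value}
    return body


def inherit(body: Dict[str, Any], name: str) -> Dict[str, Any]:
    """Drop the per-agent value so the property comes from the agent group."""
    body[name] = {"inherited": True}
    return body


def effective_value(body: Dict[str, Any], group: Dict[str, Any], name: str) -> Any:
    """Assumption of this example: an inherited property resolves to the group's value."""
    prop = body.get(name, {"inherited": True})
    return group.get(name) if prop["inherited"] else prop.get("value")


if __name__ == "__main__":
    body: Dict[str, Any] = {}
    set_value(body, "status", "Active")                  # illustrative status value
    set_value(body, "httpSessionBinding", True)
    set_value(body, "customResponseHeaders", {"Cache-Control": "no-cache"})  # the page's example
    inherit(body, "jwtName")
    print(validate_body(body))
```

Run the checks before sending a PUT, because a body with `inherited` omitted, or a map value that is not a string, is rejected by the schema rather than applied.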
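The schema on this page also defines the agent's bypass rules: `notEnforcedUris` and `notEnforcedIps` list what the agent does not protect, and `invertNotEnforcedUris` / `invertNotEnforcedIps` turn each list into the only things it does protect. The following Python is an added example, not code from this page or from the agent, that evaluates those four properties for a request. It assumes that `*` matches any run of characters (enough for the page's own examples `/BankApp/public/*` and `192.18.145.*`; the agent's full wildcard rules are not on the page) and it normalises dot-segments in the path before matching, which is this example's own choice.

```python
"""Evaluate the J2EE agent's Not Enforced URI / Client IP rules, including the
invert flags, for a request.

Added example; not code from the page or from the agent. Assumptions: `*`
matches any run of characters (including `/`), which covers the page's own
examples; the path is normalised (dot-segments collapsed, query dropped)
before matching. The agent's full wildcard rules are not on the page."""
import posixpath
import re
from typing import Any, Dict, Iterable, List

# Constructed agent settings, keyed by the schema's property names and using
# the page's example values.
AGENT_CONFIG: Dict[str, Any] = {
    "notEnforcedUris": ["/BankApp/public/*", "/BankApp/images/*"],
    "invertNotEnforcedUris": False,
    "notEnforcedIps": ["192.18.145.*", "192.18.146.123"],
    "invertNotEnforcedIps": False,
}


def _glob(pattern: str) -> "re.Pattern[str]":
    """Anchored regex for a pattern in which only `*` is special."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def matches_any(value: str, patterns: Iterable[str]) -> bool:
    return any(_glob(p).match(value) for p in patterns)


def normalize_path(uri: str) -> str:
    """Collapse dot-segments so /BankApp/public/../account is not treated as
    public, drop the query string, and keep a trailing slash normpath would lose."""
    path = uri.split("?", 1)[0]
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def uri_enforced(uri: str, not_enforced: List[str], invert: bool = False) -> bool:
    """True when the agent must protect uri. With invert=True the listed URIs
    are the only ones protected, so an empty inverted list protects nothing."""
    listed = matches_any(normalize_path(uri), not_enforced)
    return listed if invert else not listed


def ip_enforced(client_ip: str, not_enforced: List[str], invert: bool = False) -> bool:
    """Same rule for the client address. Pass the address the agent actually
    trusts (the TCP peer, or a forwarded header it has validated)."""
    listed = matches_any(client_ip, not_enforced)
    return listed if invert else not listed


def request_enforced(uri: str, client_ip: str, cfg: Dict[str, Any] = AGENT_CONFIG) -> bool:
    """A request is protected only when neither the URI nor the client IP exempts it."""
    return (uri_enforced(uri, cfg["notEnforcedUris"], cfg["invertNotEnforcedUris"])
            and ip_enforced(client_ip, cfg["notEnforcedIps"], cfg["invertNotEnforcedIps"]))


if __name__ == "__main__":
    for uri, ip in [("/BankApp/account", "10.0.0.5"),
                    ("/BankApp/public/index.html", "10.0.0.5"),
                    ("/BankApp/public/../account", "10.0.0.5"),
                    ("/BankApp/account", "192.18.145.77")]:
        print(f"{uri} from {ip}: enforced={request_enforced(uri, ip)}")
```

Two things the example makes visible: with an invert flag set and an empty list nothing is enforced, so an inverted list that is later emptied silently opens the whole application; and the IP exemption is only as trustworthy as the address passed in, so it must be the address the agent really trusts, not an unvalidated forwarded header.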
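`continuousSecurityCookies`, `continuousSecurityHeaders` and the `urlPolicyEnv*Parameters` lists on this page control what request data the agent adds to the environment map of a policy evaluation. The following Python is an added example, not code from this page or from the agent, that builds that map by the rules the descriptions give: a name that several cookies or headers are mapped onto becomes an array, a missing cookie or header becomes the empty string. The request object is a constructed stand-in for a servlet request, and skipping a listed GET/POST/session parameter that the request does not carry is the example's assumption, since the page does not say.

```python
"""Build the environment map the agent adds to a policy-evaluation request
from the Continuous Security Cookies/Headers maps and the URL Policy Env
GET/POST/jsession parameter lists of the schema on this page.

Added example; not code from the page or from the agent. The request below is
a constructed stand-in for a servlet request. Skipping a listed parameter that
the request does not carry is this example's assumption; the page does not say."""
from typing import Any, Dict, List, Mapping, Union

# Constructed agent settings, keyed by the schema's property names.
SETTINGS: Dict[str, Any] = {
    # request cookie/header name -> name seen by the policy script's `environment`
    "continuousSecurityCookies": {"device-id": "deviceId", "amlbcookie": "lb"},
    "continuousSecurityHeaders": {"User-Agent": "ua",
                                  "X-Forwarded-For": "clientChain",
                                  "X-Real-IP": "clientChain"},
    "urlPolicyEnvGetParameters": ["name", "phonenumber"],
    "urlPolicyEnvPostParameters": ["name"],
    "urlPolicyEnvJsessionParameters": ["cart"],
}

EnvValue = Union[str, List[str]]


def build_environment(request: Mapping[str, Any],
                      settings: Dict[str, Any] = SETTINGS) -> Dict[str, EnvValue]:
    """Environment map per the page's rules: several cookies/headers mapped to
    one name become an array, a missing cookie/header becomes ''."""
    collected: Dict[str, List[str]] = {}

    def add(env_name: str, value: str) -> None:
        collected.setdefault(env_name, []).append(value)

    cookies = request.get("cookies", {})
    for cookie, env_name in settings["continuousSecurityCookies"].items():
        add(env_name, cookies.get(cookie, ""))

    # Header names are case-insensitive, so compare them lower-cased.
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    for header, env_name in settings["continuousSecurityHeaders"].items():
        add(env_name, headers.get(header.lower(), ""))

    # GET, POST and HTTP-session parameters are copied under their own names.
    for setting, source in (("urlPolicyEnvGetParameters", "query"),
                            ("urlPolicyEnvPostParameters", "form"),
                            ("urlPolicyEnvJsessionParameters", "session")):
        available = request.get(source, {})
        for param in settings[setting]:
            if param in available:
                add(param, str(available[param]))

    # A name fed by a single entry is sent as a string, a shared name as an array.
    return {name: values[0] if len(values) == 1 else values
            for name, values in collected.items()}


# Constructed request: one cookie present, one absent, one of the two headers
# mapped to clientChain present, a GET parameter and a session attribute.
SAMPLE_REQUEST: Dict[str, Any] = {
    "cookies": {"device-id": "abc123"},
    "headers": {"user-agent": "Mozilla/5.0", "X-Forwarded-For": "203.0.113.9"},
    "query": {"name": "alice", "other": "ignored"},
    "form": {},
    "session": {"cart": 3},
}

if __name__ == "__main__":
    print(build_environment(SAMPLE_REQUEST))
```

Everything in the map except the session attributes arrives from the client, so a policy script must treat a mapped `X-Forwarded-For` or a GET parameter as untrusted input rather than as an established fact about the caller.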
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amServicesJ2EEAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"authServiceProtocol" : {
"title" : "AM Authentication Service Protocol",
"description" : "Protocol to be used by the AM authentication service. (property name: com.iplanet.am.server.protocol) <br>Hot-swap: No",
"propertyOrder" : 10900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 5400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"serviceDataCacheTime" : {
"title" : "Service Data Cache Time",
"description" : "Cache update time in minutes for service configuration data. If set to '0' no updates happen. (property name: com.sun.identity.sm.cacheTime) <br>Hot-swap: No",
"propertyOrder" : 10800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"userDataCachePollingTime" : {
"title" : "User Data Cache Polling Time",
"description" : "Cache update time in minutes for user management data. If set to '0' no updates happen. (property name: com.iplanet.am.sdk.remote.pollingTime) <br>Hot-swap: No",
"propertyOrder" : 10600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"probeLoginUrl" : {
"title" : "Login URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.login.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 3900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"conditionalLogoutUrl" : {
"title" : "AM Conditional Logout URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.logout.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1¶m2=value2 <br> match/path|?param1=value1¶m2=value2¶m3=value3",
"propertyOrder" : 12550,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"conditionalLoginUrl" : {
"title" : "AM Conditional Login URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.login.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1¶m2=value2 <br> match/path|?param1=value1¶m2=value2¶m3=value3",
"propertyOrder" : 4010,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"loginProbeTimeout" : {
"title" : "Login URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Login URL Probe is set to true. (property name: com.sun.identity.agents.config.login.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 4000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"clientPollingPeriod" : {
"title" : "Client Polling Period",
"description" : "(Not used in Agent 5 onwards) <br>Time in seconds after which the session client will request update of cached session information from the server. (property name: com.iplanet.am.session.client.polling.period) <br>Hot-swap: No",
"propertyOrder" : 10300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"urlPolicyEnvGetParameters" : {
"title" : "URL Policy Env GET Parameters",
"description" : "List of HTTP GET request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.get.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClientCacheMode" : {
"title" : "Policy Client Cache Mode",
"description" : "Mode of caching to be used by remote policy client. (property name: com.sun.identity.policy.client.cacheMode) <br>Hot-swap: No",
"propertyOrder" : 11400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"loginUrlPrioritized" : {
"title" : "Login URL Prioritized",
"description" : "Specifies if failover sequence for Login URLs or CDSSO URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.login.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 3800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyNotifications" : {
"title" : "Enable Policy Notifications",
"description" : "Enable Notifications for remote policy client. (property name: com.sun.identity.agents.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 11200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logoutProbeTimeout" : {
"title" : "Logout URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Logout URL Probe is set to true. (property name: com.sun.identity.agents.config.logout.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 12700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"policyClientPollingInterval" : {
"title" : "Policy Client Polling Interval",
"description" : "Duration in minutes after which the cached entries are refreshed by remote policy client. (property name: com.sun.identity.agents.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 11300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"urlPolicyEnvJsessionParameters" : {
"title" : "URL Policy Env jsession Parameters",
"description" : "List of HTTP SESSION attributes whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.jsession.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 12000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with. (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 5500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 12400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"useRedirectForCompositeAdvice" : {
"title" : "Use HTTP-Redirect for composite advice",
"description" : "Configure remote policy client to use HTTP-redirect instead of HTTP-POST for composite advices. (property name: com.sun.identity.agents.config.policy.advice.use.redirect) <br>Hot-swap: Yes",
"propertyOrder" : 13000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logoutUrlPrioritized" : {
"title" : "Logout URL Prioritized",
"description" : "Specifies if failover sequence for Logout URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.logout.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 12500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"urlPolicyEnvPostParameters" : {
"title" : "URL Policy Env POST Parameters",
"description" : "List of HTTP POST request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.post.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"enableClientPolling" : {
"title" : "Enable Client Polling",
"description" : "Specifies if the session client must use polling for updating session information and not depend upon server notifications. (property name: com.iplanet.am.session.client.polling.enable) <br>Hot-swap: No",
"propertyOrder" : 10200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyClientResourceComparators" : {
"title" : "Policy Client Resource Comparators",
"description" : "Resource Comparators to be used for different service names. (property name: com.sun.identity.policy.client.resourceComparators) <br>Hot-swap: No",
"propertyOrder" : 11600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"probeLogoutUrl" : {
"title" : "Logout URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.logout.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 12600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"userDataCacheNotifications" : {
"title" : "Enable Notification of User Data Caches",
"description" : "Enable notifications for amsdk and IdRepo Caches. (property name: com.sun.identity.idm.remote.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyActionBooleanValues" : {
"title" : "Policy Client Boolean Action Values",
"description" : "Boolean action values for policy action names. (property name: com.sun.identity.policy.client.booleanActionValues) <br>Hot-swap: No",
"propertyOrder" : 11500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 3700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClientClockSkew" : {
"title" : "Policy Client Clock Skew",
"description" : "Time in seconds which is allowed to accommodate the time difference between the AM server machine and the remote policy client machine. (property name: com.sun.identity.policy.client.clockSkew) <br>Hot-swap: No",
"propertyOrder" : 11700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"serviceDataCacheNotifications" : {
"title" : "Enable Notification of Service Data Caches",
"description" : "Enable the notifications for service management caches. (property name: com.sun.identity.sm.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"authServiceHost" : {
"title" : "AM Authentication Service Host Name",
"description" : "Host name to be used by the AM authentication service. (property name: com.iplanet.am.server.host) <br>Hot-swap: No",
"propertyOrder" : 11000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"authServicePort" : {
"title" : "AM Authentication Service Port",
"description" : "Port to be used by the AM authentication service. (property name: com.iplanet.am.server.port) <br>Hot-swap: No",
"propertyOrder" : 11100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"applicationJ2EEAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"notEnforcedUrisCacheEnabled" : {
"title" : "Not Enforced URIs Cache Enabled",
"description" : "Enables the caching of the Not Enforced URIs list evaluation results. (property name: com.sun.identity.agents.config.notenforced.uri.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"headerAttributeDateFormat" : {
"title" : "Fetch Attribute Date Format",
"description" : "Format of date attribute values to be used when the attribute is being set as HTTP header. Format is based on java.text.SimpleDateFormat. (property name: com.sun.identity.agents.config.attribute.date.format) <br>Hot-swap: Yes",
"propertyOrder" : 8400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedUrisCacheSize" : {
"title" : "Not Enforced URIs Cache Size",
"description" : "Size of the cache to be used if caching of not enforced URI list evaluation results is enabled. (property name: com.sun.identity.agents.config.notenforced.uri.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 7800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"applicationLogoutHandlers" : {
"title" : "Application Logout Handler",
"description" : "An application-specific Map that identifies a handler to be used for logout processing. (property name: com.sun.identity.agents.config.logout.application.handler) <br>Valid key: the web application name. <br>Valid value: the application logout handler class name. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout handler. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout handler: leave Map Key field empty, and enter the global application logout handler class name GlobalApplicationLogoutHandler in Corresponding Map Value field. <br>To set the logout handler for application BankApp: enter BankApp in Map Key field, and enter the application logout handler class name BankAppLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 5900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedIpsCacheSize" : {
"title" : "Not Enforced IP Cache Size",
"description" : "Size of the cache to be used if Not Enforced IP Cache Flag is enabled. (property name: com.sun.identity.agents.config.notenforced.ip.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 8200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"invertNotEnforcedUris" : {
"title" : "Invert Not Enforced URIs",
"description" : "Inverts protection of URIs specified in Not Enforced URIs list. When set to true, it indicates that the URIs specified should be enforced and all other URIs should be not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri.invert) <br>Hot-swap: Yes",
"propertyOrder" : 7600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"applicationLogoutUris" : {
"title" : "Application Logout URI",
"description" : "An application-specific Map that identifies a request URI which indicates a logout event. (property name: com.sun.identity.agents.config.logout.uri) <br>Valid key: the web application name. <br>Valid value: the application logout URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout URI: leave Map Key field empty, and enter the global application logout URI /logout.jsp in Corresponding Map Value field. <br> To set the logout URI for application BankApp: enter BankApp in Map Key field, and enter the application logout URI /BankApp/logout.jsp in Corresponding Map Value field.",
"propertyOrder" : 6000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"profileAttributeMap" : {
"title" : "Profile Attribute Mapping",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 8800,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"responseAttributeMap" : {
"title" : "Response Attribute Mapping",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 9200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"logoutIntrospection" : {
"title" : "Logout Introspect Enabled",
"description" : "Allows the Agent to search HTTP request body to locate logout parameter. (property name: com.sun.identity.agents.config.logout.introspect.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 6200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"resourceAccessDeniedUri" : {
"title" : "Resource Access Denied URI",
"description" : "An application-specific Map that identifies a URI of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.uri) <br>Valid key: the web application name. <br>Valid value: the customized application access denied page URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific access denied page. <br>Hot-swap: Yes <br> Examples: <br>To set a global access denied page: leave Map Key field empty, and enter the global access denied page URI /sample/accessdenied.html in Corresponding Map Value field. <br> To set the access denied page URI for application BankApp: enter BankApp in Map Key field, and enter the application access denied page URI /BankApp/accessdenied.html in Corresponding Map Value field.",
"propertyOrder" : 2700,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedUris" : {
"title" : "Not Enforced URIs",
"description" : "List of URIs for which protection is not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri) <br>Hot-swap: Yes <br> Examples: <br> /BankApp/public/* <br> /BankApp/images/*",
"propertyOrder" : 7500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"privilegedAttributesToLowerCase" : {
"title" : "Privileged Attributes To Lower Case",
"description" : "(Not used in Agent 5 onwards) <br>Maps the privileged attribute types to whether they should be converted to lowercase. (property name: com.sun.identity.agents.config.privileged.attribute.tolowercase) <br> Valid Keys: the privileged attribute types, such as Group, Role. <br>Valid value: true, false. <br>Hot-swap: Yes <br> Example: <br> Enter Group in Map Key field, and enter false in Corresponding Map Value field.",
"propertyOrder" : 9600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedIpsCacheEnabled" : {
"title" : "Not Enforced IP Cache Flag",
"description" : "Enable caching of not-enforced IP list evaluation results. (property name: com.sun.identity.agents.config.notenforced.ip.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 8100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"defaultPrivilegedAttributes" : {
"title" : "Default Privileged Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attributes that will be granted to all users who have a valid AM session. (property name: com.sun.identity.agents.config.default.privileged.attribute) <br>Hot-swap: Yes <br> Example: <br> AUTHENTICATED_USERS",
"propertyOrder" : 9400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3210,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"privilegedAttributeType" : {
"title" : "Privileged Attribute Type",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attribute types that will be fetched for each user. (property name: com.sun.identity.agents.config.privileged.attribute.type) <br>Hot-swap: Yes <br> Example: <br> Group",
"propertyOrder" : 9500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieAttributeMultiValueSeparator" : {
"title" : "Cookie Separator Character",
"description" : "Character that will be used to separate multiple values of the same attribute when it is being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.separator) <br>Hot-swap: Yes",
"propertyOrder" : 8300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cookieAttributeUrlEncoded" : {
"title" : "Attribute Cookie Encode",
"description" : "Indicates if the value of the attribute should be URL encoded before being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.encode) <br>Hot-swap: Yes",
"propertyOrder" : 8500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"privilegedSessionAttribute" : {
"title" : "Privileged Session Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of session property names which hold privileged attributes for the authenticated user. (property name: com.sun.identity.agents.config.privileged.session.attribute) <br>Hot-swap: Yes <br> Example: <br> UserToken",
"propertyOrder" : 9700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"loginContentFile" : {
"title" : "Login Content File Name",
"description" : "Complete path and name of custom login content file. (property name: com.sun.identity.agents.config.login.content.file) <br>Hot-swap: Yes",
"propertyOrder" : 3100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "The mode of fetching profile attributes. (property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization protection from agent are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 7900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"logoutRequestParameters" : {
"title" : "Logout Request Parameter",
"description" : "An application-specific Map that identifies a parameter which when present in the HTTP request indicates a logout event. (property name: com.sun.identity.agents.config.logout.request.param) <br>Valid key: the web application name. <br>Valid value: the logout request parameter. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout request parameter. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout request parameter: leave Map Key field empty, and enter the global application logout request parameter logoutparam in Corresponding Map Value field. <br> To set the logout request parameter for application BankApp: enter BankApp in Map Key field, and enter the logout request parameter logoutparam in Corresponding Map Value field.",
"propertyOrder" : 6100,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request, that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script.It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3211,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"shortenedPrivilegeAttributeValues" : {
"title" : "Shortened privilege attribute values",
"description" : "When using privileged attribute type, this setting will ensure that the membership details will be stored in a shortened format and not in the default universal ID format.<br><br>By default the agent maps identity memberships using their universal IDs (e.g. id=admin,ou=group,dc=openam,dc=forgerock,dc=org), however this may not be always acceptable. Using this setting the identity membership details will be mapped in a shortened format, only including the group's/role's name (e.g. admin). Be aware that in case there are both roles and groups in the data store, this setting will make them indistinguishable from each other, i.e. if there is a group and a role with the same name it will not be possible to differentiate them.",
"propertyOrder" : 13600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "The mode of fetching session attributes. (property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"privilegedAttributeMappingEnabled" : {
"title" : "Enable Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Enable a mapping from the original value of an attribute to another value, to satisfy container-specific restrictions on the character set used in certain configuration files. (property name: com.sun.identity.agents.config.privileged.attribute.mapping.enable) <br>Hot-swap: Yes",
"propertyOrder" : 9800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"loginErrorUri" : {
"title" : "Login Error URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-error-page element. (property name: com.sun.identity.agents.config.login.error.uri) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/error.jsp",
"propertyOrder" : 2900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"invertNotEnforcedIps" : {
"title" : "Not Enforced IP Invert List",
"description" : "Client IP Addresses to invert protection of IP addresses listed in the related Not Enforced Client IP List. (property name: com.sun.identity.agents.config.notenforced.ip.invert) <br>Hot-swap: Yes",
"propertyOrder" : 8000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "The mode of fetching policy response attributes. (property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 9100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"sessionAttributeMap" : {
"title" : "Session Attribute Mapping",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 9000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"customVerificationHandlers" : {
"title" : "Custom Verification Handler",
"description" : "Application specific verification handler to validate the user credentials with the local repository. (property name: com.sun.identity.agents.config.verification.handler) <br>Valid key: the web application name. <br>Valid value: the verification handler class name. <br>Hot-swap: Yes <br> Example: <br> To set verification handler for application BankApp: enter BankApp in Map Key field, and enter verification handler class name BankVerificationHandler in Corresponding Map Value field.",
"propertyOrder" : 3400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"loginFormUri" : {
"title" : "Login Form URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-login-page element. (property name: com.sun.identity.agents.config.login.form) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/login.jsp",
"propertyOrder" : 2800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"customLogoutHandlers" : {
"title" : "Custom Logout Handler",
"description" : "Application specific logout handler to log out a user with the application server. (property name: com.sun.identity.agents.config.logout.handler) <br>Valid key: the web application name. <br>Valid value: the logout handler class name. <br>Hot-swap: Yes <br> Example: <br>To set logout handler for application BankApp: enter BankApp in Map Key field, and enter logout handler class name BankLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 3300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"privilegedAttributeMap" : {
"title" : "Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Map if using Enable Privileged Attribute Mapping. (property name: com.sun.identity.agents.config.privileged.attribute.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map UUID id=manager,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_manager_role specified in webapp's deployment descriptor: enter id=manager,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_manager_role in Corresponding Map Value field. <br> To map UUID id=employee,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_employee_role specified in webapp's deployment descriptor: enter id=employee,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_employee_role in Corresponding Map Value field.",
"propertyOrder" : 9900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"useInternalLogin" : {
"title" : "Use Internal Login",
"description" : "Set to false if you want to customize the Login Content File instead of using the default internal content. (property name: com.sun.identity.agents.config.login.use.internal) <br>Hot-swap: Yes",
"propertyOrder" : 3000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"notEnforcedRuleCompoundSeparator" : {
"title" : "Not Enforced Compound Rule Separator",
"description" : "Specifies a separator for not enforced compound rules (Agent 5 only). The format for compound rules requires a list of IP rules, a separator (by default the | character), and a list of URI rules. <br>Example: <br>GET 192.168.1.1-192.168.4.3 | /images/* <br>Configure a different separator (for example, &&) when working with the REGEX keyword to avoid invalid regular expressions.",
"propertyOrder" : 7450,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"logoutEntryUri" : {
"title" : "Logout Entry URI",
"description" : "An application-specific Map that identifies a URI to be used as an entry point after successful logout and subsequent successful authentication if applicable. (property name: com.sun.identity.agents.config.logout.entry.uri) <br>Valid key: the web application name. <br>Valid value: the logout entry URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout entry URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout entry URI: leave Map Key field empty, and enter the global application logout entry URI /welcome.html in Corresponding Map Value field. <br> To set the logout entry URI for application BankApp: enter BankApp in Map Key field, and enter the logout entry URI /BankApp/welcome.html in Corresponding Map Value field.",
"propertyOrder" : 6300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"customAuthenticationHandlers" : {
"title" : "Custom Authentication Handler",
"description" : "Application specific authentication handler to authenticate the logged on user with the application server. (property name: com.sun.identity.agents.config.auth.handler) <br>Valid key: the web application name. <br>Valid value: the authentication handler class name. <br>Hot-swap: Yes <br>Example: <br>To set authentication handler for application BankApp: enter BankApp in Map Key field, and enter authentication handler class name BankAuthHandler in Corresponding Map Value field.",
"propertyOrder" : 3200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedUrisRefreshSessionIdleTime" : {
"title" : "Refresh Session Idle Time",
"description" : "Indicates if opensso session idle time should be refreshed or reset for not enforced URIs. (property name: com.sun.identity.agents.config.notenforced.refresh.session.idletime) <br>Hot-swap: Yes",
"propertyOrder" : 8600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
}
}
},
"advancedJ2EEAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"webServiceResponseProcessor" : {
"title" : "Web Service Response Processor",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceResponseProcessor that can be used to process the web-service responses. (property name: com.sun.identity.agents.config.webservice.responseprocessor) <br>Hot-swap: Yes",
"propertyOrder" : 2400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreservation" : {
"title" : "Post Data Preservation enabled",
"description" : "Post Data Preservation stores any POST data before redirecting the user to the login screen; after successful login the agent generates a page that auto-submits the same POST to the original URL. (property name: com.sun.identity.agents.config.postdata.preserve.enable)",
"propertyOrder" : 13100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"xssDetectionRedirectUri" : {
"title" : "XSS detection redirect URI",
"description" : "An application-specific Map that identifies the URI of the customized page to redirect to if XSS code has been detected. (property name: com.sun.identity.agents.config.xss.redirect.uri) <br>Hot-swap: Yes <br>Example: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field, and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 12900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"missingPostDataPreservationEntryUri" : {
"title" : "Missing PDP entry URI",
"description" : "An application-specific URI Map that is used in case the referenced PDP entry cannot be found in the local cache (for example because its TTL has expired). In such cases the agent redirects to the specified URI; otherwise it shows an HTTP 403 Forbidden error. (property name: com.sun.identity.agents.config.postdata.preservce.cache.noentry.url)<br>Example: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field, and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 13200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"webServiceEnabled" : {
"title" : "Web Service Enable",
"description" : "Flag specifies if Web Service processing is enabled. (property name: com.sun.identity.agents.config.webservice.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"jbossWebAuthenticationAvailable" : {
"title" : "WebAuthentication Available",
"description" : "(Not used in Agent 5 onwards) <br>Enable agent to make programmatic authentication with the JBoss web container using WebAuthentication feature. (property name: com.sun.identity.agents.config.jboss.webauth.available) <br>Hot-swap: Yes",
"propertyOrder" : 12300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataStickySessionKeyValue" : {
"title" : "PDP Stickysession key-value",
"description" : "The provided key-value pair will be used for adding to the URL or creating the cookie. <br>Example: <br>Set 'lb=server1' to append to the querystring or to have 'lb' cookie with 'server1' value. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.value)",
"propertyOrder" : 13500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreserveCacheEntryMaxEntries" : {
"title" : "PDP Maximum Number of Cache Entries",
"description" : "Maximum number of entries to hold in the PDP cache (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.entries) (Agent 5 only).",
"propertyOrder" : 13550,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"possibleXssCodeElements" : {
"title" : "Possible XSS code elements",
"description" : "If one of these strings occurs in the request, the client is redirected to an error page. (property name: com.sun.identity.agents.config.xss.code.elements) <br>Hot-swap: Yes",
"propertyOrder" : 12800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 1000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"alternativeAgentHostname" : {
"title" : "Alternative Agent Host Name",
"description" : "Host name identifying the Agent protected server to the client browsers if different from the actual host name. (property name: com.sun.identity.agents.config.agent.host) <br>Hot-swap: Yes",
"propertyOrder" : 4100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataStickySessionMode" : {
"title" : "PDP Stickysession mode",
"description" : "The PDP mechanism needs sticky load balancing: URL mode appends a query string, while Cookie mode creates a cookie. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.mode)",
"propertyOrder" : 13400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceProcessGetEnabled" : {
"title" : "Web Service Process GET Enable",
"description" : "Flag indicating whether the processing of HTTP GET requests for Web Service endpoints is enabled. (property name: com.sun.identity.agents.config.webservice.process.get.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"alternativeAgentPort" : {
"title" : "Alternative Agent Port Name",
"description" : "Port number identifying the Agent protected server listening port to the client browsers if different from the actual listening port. (property name: com.sun.identity.agents.config.agent.port) <br>Hot-swap: Yes",
"propertyOrder" : 4200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 1100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"alternativeAgentProtocol" : {
"title" : "Alternative Agent Protocol",
"description" : "Protocol being used (http/https) by the client browsers to communicate with the Agent protected server if different from the actual protocol used by the server. (property name: com.sun.identity.agents.config.agent.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 4300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreserveCacheEntryMaxTotalSizeMb" : {
"title" : "PDP Maximum Cache Size",
"description" : "Maximum size of the PDP cache, in megabytes (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.total.size.mb). (Agent 5 only)",
"propertyOrder" : 13600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"webServiceEndpoints" : {
"title" : "Web Service End Points",
"description" : "A list of Web Application end points that represent Web Services. (property name: com.sun.identity.agents.config.webservice.endpoint) <br>Hot-swap: Yes",
"propertyOrder" : 2100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"webServiceInternalErrorContentFile" : {
"title" : "Web Service Internal Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an internal error fault for clients. (property name: com.sun.identity.agents.config.webservice.internalerror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceAuthorizationErrorContentFile" : {
"title" : "Web Service Authorization Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an authorization error fault for clients. (property name: com.sun.identity.agents.config.webservice.autherror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceAuthenticator" : {
"title" : "Web Service Authenticator",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceAuthenticator that can be used to authenticate web-service requests. (property name: com.sun.identity.agents.config.webservice.authenticator) <br>Hot-swap: Yes",
"propertyOrder" : 2300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataCacheTtl" : {
"title" : "PDP entry TTL",
"description" : "How long a given POST entry is kept in the local cache, in milliseconds; the default value is 300000. (property name: com.sun.identity.agents.config.postdata.preserve.cache.entry.ttl)",
"propertyOrder" : 13300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 12200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"ssoJ2EEAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 5100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross Domain Single SignOn. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ssoCacheEnabled" : {
"title" : "SSO Cache Enable",
"description" : "Specifies if the SSO Cache is active for the agent. Cache is used through public APIs exposed by the agent SDK. (property name: com.sun.identity.agents.config.amsso.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetNames" : {
"title" : "Cookies Reset Name List",
"description" : "Cookie names that will be reset by the Agent if Cookie Reset is enabled. (property name: com.sun.identity.agents.config.cdsso.cookie.reset.name) <br>Hot-swap: Yes",
"propertyOrder" : 4700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdssoSecureCookies" : {
"title" : "CDSSO Secure Enable",
"description" : "The SSO Token cookie set by the agent in the different domains in CDSSO mode will be marked secure, so it is only transmitted if the communications channel with the host is a secure one. (property name: com.sun.identity.agents.config.cdsso.secure.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"amCookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.iplanet.am.cookie.name) <br>Hot-swap: No",
"propertyOrder" : 10100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieResetPaths" : {
"title" : "Cookies Reset Path Map",
"description" : "Maps each cookie name specified in the Cookie Reset Name List to the path of that cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.path) <br>Hot-swap: Yes",
"propertyOrder" : 4900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"cdssoTrustedIdProvider" : {
"title" : "CDSSO Trusted ID Provider",
"description" : "List of AM Server/ID providers that should be trusted by the agent, when evaluating the CDC Liberty Responses. (property name: com.sun.identity.agents.config.cdsso.trusted.id.provider) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdssoClockSkew" : {
"title" : "CDSSO Clock Skew",
"description" : "Time in seconds to be used by the Agent to determine the validity of the CDSSO AuthnResponse assertion. (property name: com.sun.identity.agents.config.cdsso.clock.skew) <br>Hot-swap: Yes",
"propertyOrder" : 5300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetDomains" : {
"title" : "Cookies Reset Domain Map",
"description" : "Maps each cookie name specified in the Cookie Reset Name List to the domain of that cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.domain) <br>Hot-swap: Yes",
"propertyOrder" : 4800,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"cdssoDomainList" : {
"title" : "CDSSO Domain List",
"description" : "Domains for which cookies have to be set in a CDSSO scenario. (property name: com.sun.identity.agents.config.cdsso.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 5800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"miscJ2EEAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"portCheckEnabled" : {
"title" : "Port Check Enable",
"description" : "Indicates if port check functionality is enabled or disabled. (property name: com.sun.identity.agents.config.port.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"localeLanguage" : {
"title" : "Locale Language",
"description" : "(property name: com.sun.identity.agents.config.locale.language) <br>Hot-swap: No",
"propertyOrder" : 1300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "If set to true, the path info is stripped from the request URL when performing the Not Enforced List check and URL policy evaluation. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 18600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"portCheckSetting" : {
"title" : "Port Check Setting",
"description" : "Map of port versus protocol entries with the key being the listening port number and value being the listening protocol to be used by the Agent to identify requests with invalid port numbers. (property name: com.sun.identity.agents.config.port.check.setting) <br>Hot-swap: Yes <br> Example: <br> To map port 80 to protocol http: enter 80 in Map Key field, and enter http in Corresponding Map Value field.",
"propertyOrder" : 7400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. The default value should be changed only when the login URL has a landing page specified. <br> Example: com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcservlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent:port/original.jsp",
"propertyOrder" : 3600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"bypassPrincipalList" : {
"title" : "Bypass Principal List",
"description" : "List of principals that are bypassed by the Agent for authentication and search purposes. (property name: com.sun.identity.agents.config.bypass.principal) <br>Hot-swap: Yes <br> Examples: <br> guest <br> testuser",
"propertyOrder" : 9300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"portCheckFile" : {
"title" : "Port Check File",
"description" : "Name or complete path of a file that has the necessary content needed to handle requests that need port correction. (property name: com.sun.identity.agents.config.port.check.file) <br>Hot-swap: Yes",
"propertyOrder" : 7300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"legacyUserAgentList" : {
"title" : "Legacy User Agent List",
"description" : "List of user agent header values that identify legacy browsers. Entries in this list can have wild card character '*'. (property name: com.sun.identity.agents.config.legacy.user.agent) <br>Hot-swap: Yes",
"propertyOrder" : 6800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"encryptionProvider" : {
"title" : "Encryption Provider",
"description" : "Specifies the encryption provider implementation to be used by the Agent. (property name: com.iplanet.security.encryptor) <br>Hot-swap: No",
"propertyOrder" : 10400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"localeCountry" : {
"title" : "Locale Country",
"description" : "(property name: com.sun.identity.agents.config.locale.country) <br>Hot-swap: No",
"propertyOrder" : 1400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"legacyUserAgentSupport" : {
"title" : "Legacy User Agent Support Enable",
"description" : "Enables support for legacy user agents (browser). (property name: com.sun.identity.agents.config.legacy.support.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"legacyRedirectUri" : {
"title" : "Legacy User Agent Redirect URI",
"description" : "An intermediate URI used by the Agent to redirect legacy user agent requests. (property name: com.sun.identity.agents.config.legacy.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 6900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
},
"globalJ2EEAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 6600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"filterMode" : {
"title" : "Agent Filter Mode",
"description" : "Specifies the mode of operation of the Filter. (property name: com.sun.identity.agents.config.filter.mode) <br>Valid key: the web application name. <br>Valid values: ALL, J2EE_POLICY (Not used in Agent 5 onwards), URL_POLICY, SSO_ONLY, NONE <br>For this property, a global value can be set to apply to all the applications that don't have their own specific filter mode. <br>Hot-swap: No <br>Examples: <br>To set ALL as the global filter mode: leave Map Key field empty, and enter ALL in Corresponding Map Value field. <br>To set URL_POLICY as the filter mode for application BankApp: enter BankApp in Map Key field, and enter URL_POLICY in Corresponding Map Value field.",
"propertyOrder" : 500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"debugLevel" : {
"title" : "Agent Debug Level",
"description" : "Specifies type of agent debug messages to log. (property name: com.iplanet.services.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 10000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userTokenName" : {
"title" : "User Token Name",
"description" : "Session property name for user-ID of the authenticated user in session. (property name: com.sun.identity.agents.config.user.token) <br>Hot-swap: Yes",
"propertyOrder" : 900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"remoteLogFilename" : {
"title" : "Remote Log File Name",
"description" : "Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: Yes",
"propertyOrder" : 1700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userMappingMode" : {
"title" : "User Mapping Mode",
"description" : "Specifies mechanism agent uses to determine user-ID. (property name: com.sun.identity.agents.config.user.mapping.mode) <br>Hot-swap: Yes",
"propertyOrder" : 600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 1600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 1900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 1500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"configurationReloadInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in seconds between configuration reloads. (property name: com.sun.identity.agents.config.load.interval) <br>Hot-swap: Yes",
"propertyOrder" : 1200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 12105,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 12100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
},
"loginAttemptLimit" : {
"title" : "Login Attempt Limit",
"description" : "Limit of failed login attempts for a user's single browser session until triggering the blocking of the user request. Value of 0 disables this feature. (property name: com.sun.identity.agents.config.login.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 4400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 6500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"repositoryLocation" : {
"title" : "Location of Agent Configuration Repository",
"description" : "Indicates agent's configuration located either on agent's host or centrally on AM server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"redirectAttemptLimit" : {
"title" : "Redirect Attempt Limit",
"description" : "Number of successive single point redirects that a user can make using a single browser session which will trigger the blocking of the user request. Set to 0 to disable this feature. (property name: com.sun.identity.agents.config.redirect.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 7100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"customResponseHeader" : {
"title" : "Custom Response Header",
"description" : "Map specifies the custom headers that are set by the Agent on the client browser. The key is the header name and the value represents the header value. (property name: com.sun.identity.agents.config.response.header) <br>Hot-swap: Yes <br> Example: <br> To set the custom header Cache-Control to value no-cache: enter Cache-Control in Map Key field, and enter no-cache in Corresponding Map Value field.",
"propertyOrder" : 7000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 1800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 11201,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"httpSessionBinding" : {
"title" : "HTTP Session Binding",
"description" : "If true will invalidate the http session when login has failed, user has no SSO session, or principal user name does not match SSO user name. (property name: com.sun.identity.agents.config.httpsession.binding) <br>Hot-swap: Yes",
"propertyOrder" : 3500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"userAttributeName" : {
"title" : "User Attribute Name",
"description" : "Name of the attribute which contains the user-ID. (property name: com.sun.identity.agents.config.user.attribute.name) <br>Hot-swap: Yes",
"propertyOrder" : 700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userPrincipalFlag" : {
"title" : "User Principal Flag",
"description" : "Use principal instead of just the user-ID for authenticating the user. (property name: com.sun.identity.agents.config.user.principal) <br>Hot-swap: Yes",
"propertyOrder" : 800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amServicesJ2EEAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"authServiceProtocol" : {
"title" : "AM Authentication Service Protocol",
"description" : "Protocol to be used by the AM authentication service. (property name: com.iplanet.am.server.protocol) <br>Hot-swap: No",
"propertyOrder" : 10900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 5400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"serviceDataCacheTime" : {
"title" : "Service Data Cache Time",
"description" : "Cache update time in minutes for service configuration data. If set to '0' no updates happen. (property name: com.sun.identity.sm.cacheTime) <br>Hot-swap: No",
"propertyOrder" : 10800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"userDataCachePollingTime" : {
"title" : "User Data Cache Polling Time",
"description" : "Cache update time in minutes for user management data. If set to '0' no updates happen. (property name: com.iplanet.am.sdk.remote.pollingTime) <br>Hot-swap: No",
"propertyOrder" : 10600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"probeLoginUrl" : {
"title" : "Login URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.login.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 3900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"conditionalLogoutUrl" : {
"title" : "AM Conditional Logout URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.logout.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1¶m2=value2 <br> match/path|?param1=value1¶m2=value2¶m3=value3",
"propertyOrder" : 12550,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"conditionalLoginUrl" : {
"title" : "AM Conditional Login URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.login.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1¶m2=value2 <br> match/path|?param1=value1¶m2=value2¶m3=value3",
"propertyOrder" : 4010,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"loginProbeTimeout" : {
"title" : "Login URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Login URL Probe is set to true. (property name: com.sun.identity.agents.config.login.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 4000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"clientPollingPeriod" : {
"title" : "Client Polling Period",
"description" : "(Not used in Agent 5 onwards) <br>Time in seconds after which the session client will request update of cached session information from the server. (property name: com.iplanet.am.session.client.polling.period) <br>Hot-swap: No",
"propertyOrder" : 10300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"urlPolicyEnvGetParameters" : {
"title" : "URL Policy Env GET Parameters",
"description" : "List of HTTP GET request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.get.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClientCacheMode" : {
"title" : "Policy Client Cache Mode",
"description" : "Mode of caching to be used by remote policy client. (property name: com.sun.identity.policy.client.cacheMode) <br>Hot-swap: No",
"propertyOrder" : 11400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"loginUrlPrioritized" : {
"title" : "Login URL Prioritized",
"description" : "Specifies if failover sequence for Login URLs or CDSSO URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.login.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 3800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyNotifications" : {
"title" : "Enable Policy Notifications",
"description" : "Enable Notifications for remote policy client. (property name: com.sun.identity.agents.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 11200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logoutProbeTimeout" : {
"title" : "Logout URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Logout URL Probe is set to true. (property name: com.sun.identity.agents.config.logout.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 12700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"policyClientPollingInterval" : {
"title" : "Policy Client Polling Interval",
"description" : "Duration in minutes after which the cached entries are refreshed by remote policy client. (property name: com.sun.identity.agents.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 11300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"urlPolicyEnvJsessionParameters" : {
"title" : "URL Policy Env jsession Parameters",
"description" : "List of HTTP SESSION attributes whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.jsession.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 12000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with. (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 5500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 12400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"useRedirectForCompositeAdvice" : {
"title" : "Use HTTP-Redirect for composite advice",
"description" : "Configure remote policy client to use HTTP-redirect instead of HTTP-POST for composite advices. (property name: com.sun.identity.agents.config.policy.advice.use.redirect) <br>Hot-swap: Yes",
"propertyOrder" : 13000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logoutUrlPrioritized" : {
"title" : "Logout URL Prioritized",
"description" : "Specifies if failover sequence for Logout URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.logout.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 12500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"urlPolicyEnvPostParameters" : {
"title" : "URL Policy Env POST Parameters",
"description" : "List of HTTP POST request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.post.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"enableClientPolling" : {
"title" : "Enable Client Polling",
"description" : "Specifies if the session client must use polling for updating session information and not depend upon server notifications. (property name: com.iplanet.am.session.client.polling.enable) <br>Hot-swap: No",
"propertyOrder" : 10200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyClientResourceComparators" : {
"title" : "Policy Client Resource Comparators",
"description" : "Resource Comparators to be used for different service names. (property name: com.sun.identity.policy.client.resourceComparators) <br>Hot-swap: No",
"propertyOrder" : 11600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"probeLogoutUrl" : {
"title" : "Logout URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.logout.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 12600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"userDataCacheNotifications" : {
"title" : "Enable Notification of User Data Caches",
"description" : "Enable notifications for amsdk and IdRepo Caches. (property name: com.sun.identity.idm.remote.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyActionBooleanValues" : {
"title" : "Policy Client Boolean Action Values",
"description" : "Boolean action values for policy action names. (property name: com.sun.identity.policy.client.booleanActionValues) <br>Hot-swap: No",
"propertyOrder" : 11500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 3700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClientClockSkew" : {
"title" : "Policy Client Clock Skew",
"description" : "Time in seconds which is allowed to accommodate the time difference between the AM server machine and the remote policy client machine. (property name: com.sun.identity.policy.client.clockSkew) <br>Hot-swap: No",
"propertyOrder" : 11700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"serviceDataCacheNotifications" : {
"title" : "Enable Notification of Service Data Caches",
"description" : "Enable the notifications for service management caches. (property name: com.sun.identity.sm.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"authServiceHost" : {
"title" : "AM Authentication Service Host Name",
"description" : "Host name to be used by the AM authentication service. (property name: com.iplanet.am.server.host) <br>Hot-swap: No",
"propertyOrder" : 11000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"authServicePort" : {
"title" : "AM Authentication Service Port",
"description" : "Port to be used by the AM authentication service. (property name: com.iplanet.am.server.port) <br>Hot-swap: No",
"propertyOrder" : 11100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"applicationJ2EEAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"notEnforcedUrisCacheEnabled" : {
"title" : "Not Enforced URIs Cache Enabled",
"description" : "Enables the caching of the Not Enforced URIs list evaluation results. (property name: com.sun.identity.agents.config.notenforced.uri.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"headerAttributeDateFormat" : {
"title" : "Fetch Attribute Date Format",
"description" : "Format of date attribute values to be used when the attribute is being set as HTTP header. Format is based on java.text.SimpleDateFormat. (property name: com.sun.identity.agents.config.attribute.date.format) <br>Hot-swap: Yes",
"propertyOrder" : 8400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedUrisCacheSize" : {
"title" : "Not Enforced URIs Cache Size",
"description" : "Size of the cache to be used if caching of not enforced URI list evaluation results is enabled. (property name: com.sun.identity.agents.config.notenforced.uri.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 7800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"applicationLogoutHandlers" : {
"title" : "Application Logout Handler",
"description" : "An application-specific Map that identifies a handler to be used for logout processing. (property name: com.sun.identity.agents.config.logout.application.handler) <br>Valid key: the web application name. <br>Valid value: the application logout handler class name. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout handler. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout handler: leave Map Key field empty, and enter the global application logout handler class name GlobalApplicationLogoutHandler in Corresponding Map Value field. <br>To set the logout handler for application BankApp: enter BankApp in Map Key field, and enter the application logout handler class name BankAppLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 5900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedIpsCacheSize" : {
"title" : "Not Enforced IP Cache Size",
"description" : "Size of the cache to be used if Not Enforced IP Cache Flag is enabled. (property name: com.sun.identity.agents.config.notenforced.ip.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 8200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"invertNotEnforcedUris" : {
"title" : "Invert Not Enforced URIs",
"description" : "Inverts protection of URIs specified in Not Enforced URIs list. When set to true, it indicates that the URIs specified should be enforced and all other URIs should be not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri.invert) <br>Hot-swap: Yes",
"propertyOrder" : 7600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"applicationLogoutUris" : {
"title" : "Application Logout URI",
"description" : "An application-specific Map that identifies a request URI which indicates a logout event. (property name: com.sun.identity.agents.config.logout.uri) <br>Valid key: the web application name. <br>Valid value: the application logout URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout URI: leave Map Key field empty, and enter the global application logout URI /logout.jsp in Corresponding Map Value field. <br> To set the logout URI for application BankApp: enter BankApp in Map Key field, and enter the application logout URI /BankApp/logout.jsp in Corresponding Map Value field.",
"propertyOrder" : 6000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"profileAttributeMap" : {
"title" : "Profile Attribute Mapping",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 8800,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"responseAttributeMap" : {
"title" : "Response Attribute Mapping",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 9200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"logoutIntrospection" : {
"title" : "Logout Introspect Enabled",
"description" : "Allows the Agent to search HTTP request body to locate logout parameter. (property name: com.sun.identity.agents.config.logout.introspect.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 6200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"resourceAccessDeniedUri" : {
"title" : "Resource Access Denied URI",
"description" : "An application-specific Map that identifies a URI of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.uri) <br>Valid key: the web application name. <br>Valid value: the customized application access denied page URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific access denied page. <br>Hot-swap: Yes <br> Examples: <br>To set a global access denied page: leave Map Key field empty, and enter the global access denied page URI /sample/accessdenied.html in Corresponding Map Value field. <br> To set the access denied page URI for application BankApp: enter BankApp in Map Key field, and enter the application access denied page URI /BankApp/accessdenied.html in Corresponding Map Value field.",
"propertyOrder" : 2700,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedUris" : {
"title" : "Not Enforced URIs",
"description" : "List of URIs for which protection is not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri) <br>Hot-swap: Yes <br> Examples: <br> /BankApp/public/* <br> /BankApp/images/*",
"propertyOrder" : 7500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"privilegedAttributesToLowerCase" : {
"title" : "Privileged Attributes To Lower Case",
"description" : "(Not used in Agent 5 onwards) <br>Maps the privileged attribute types to whether they should be converted to lowercase. (property name: com.sun.identity.agents.config.privileged.attribute.tolowercase) <br> Valid Keys: the privileged attribute types, such as Group, Role. <br>Valid value: true, false. <br>Hot-swap: Yes <br> Example: <br> Enter Group in Map Key field, and enter false in Corresponding Map Value field.",
"propertyOrder" : 9600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedIpsCacheEnabled" : {
"title" : "Not Enforced IP Cache Flag",
"description" : "Enable caching of not-enforced IP list evaluation results. (property name: com.sun.identity.agents.config.notenforced.ip.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 8100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"defaultPrivilegedAttributes" : {
"title" : "Default Privileged Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attributes that will be granted to all users who have a valid AM session. (property name: com.sun.identity.agents.config.default.privileged.attribute) <br>Hot-swap: Yes <br> Example: <br> AUTHENTICATED_USERS",
"propertyOrder" : 9400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3210,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"privilegedAttributeType" : {
"title" : "Privileged Attribute Type",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attribute types that will be fetched for each user. (property name: com.sun.identity.agents.config.privileged.attribute.type) <br>Hot-swap: Yes <br> Example: <br> Group",
"propertyOrder" : 9500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieAttributeMultiValueSeparator" : {
"title" : "Cookie Separator Character",
"description" : "Character that will be used to separate multiple values of the same attribute when it is being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.separator) <br>Hot-swap: Yes",
"propertyOrder" : 8300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cookieAttributeUrlEncoded" : {
"title" : "Attribute Cookie Encode",
"description" : "Indicates if the value of the attribute should be URL encoded before being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.encode) <br>Hot-swap: Yes",
"propertyOrder" : 8500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"privilegedSessionAttribute" : {
"title" : "Privileged Session Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of session property names which hold privileged attributes for the authenticated user. (property name: com.sun.identity.agents.config.privileged.session.attribute) <br>Hot-swap: Yes <br> Example: <br> UserToken",
"propertyOrder" : 9700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"loginContentFile" : {
"title" : "Login Content File Name",
"description" : "Complete path and name of custom login content file. (property name: com.sun.identity.agents.config.login.content.file) <br>Hot-swap: Yes",
"propertyOrder" : 3100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "The mode of fetching profile attributes. (property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization protection from agent are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 7900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"logoutRequestParameters" : {
"title" : "Logout Request Parameter",
"description" : "An application-specific Map that identifies a parameter which when present in the HTTP request indicates a logout event. (property name: com.sun.identity.agents.config.logout.request.param) <br>Valid key: the web application name. <br>Valid value: the logout request parameter. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout request parameter. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout request parameter: leave Map Key field empty, and enter the global application logout request parameter logoutparam in Corresponding Map Value field. <br> To set the logout request parameter for application BankApp: enter BankApp in Map Key field, and enter the logout request parameter logoutparam in Corresponding Map Value field.",
"propertyOrder" : 6100,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request, that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3211,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"shortenedPrivilegeAttributeValues" : {
"title" : "Shortened privilege attribute values",
"description" : "When using privileged attribute type, this setting will ensure that the membership details will be stored in a shortened format and not in the default universal ID format.<br><br>By default the agent maps identity memberships using their universal IDs (e.g. id=admin,ou=group,dc=openam,dc=forgerock,dc=org), however this may not be always acceptable. Using this setting the identity membership details will be mapped in a shortened format, only including the group's/role's name (e.g. admin). Be aware that in case there are both roles and groups in the data store, this setting will make them indistinguishable from each other, i.e. if there is a group and a role with the same name it will not be possible to differentiate them.",
"propertyOrder" : 13600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "The mode of fetching session attributes. (property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"privilegedAttributeMappingEnabled" : {
"title" : "Enable Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Enable a mapping from the original value of an attribute to another value. To satisfy container-specific restrictions on character set being used in certain configuration files. (property name: com.sun.identity.agents.config.privileged.attribute.mapping.enable) <br>Hot-swap: Yes",
"propertyOrder" : 9800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"loginErrorUri" : {
"title" : "Login Error URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-error-page element. (property name: com.sun.identity.agents.config.login.error.uri) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/error.jsp",
"propertyOrder" : 2900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"invertNotEnforcedIps" : {
"title" : "Not Enforced IP Invert List",
"description" : "Client IP Addresses to invert protection of IP addresses listed in the related Not Enforced Client IP List. (property name: com.sun.identity.agents.config.notenforced.ip.invert) <br>Hot-swap: Yes",
"propertyOrder" : 8000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "The mode of fetching policy response attributes. (property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 9100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"sessionAttributeMap" : {
"title" : "Session Attribute Mapping",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 9000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"customVerificationHandlers" : {
"title" : "Custom Verification Handler",
"description" : "Application specific verification handler to validate the user credentials with the local repository. (property name: com.sun.identity.agents.config.verification.handler) <br>Valid key: the web application name. <br>Valid value: the verification handler class name. <br>Hot-swap: Yes <br> Example: <br> To set verification handler for application BankApp: enter BankApp in Map Key field, and enter verification handler class name BankVerificationHandler in Corresponding Map Value field.",
"propertyOrder" : 3400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"loginFormUri" : {
"title" : "Login Form URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-login-page element. (property name: com.sun.identity.agents.config.login.form) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/login.jsp",
"propertyOrder" : 2800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"customLogoutHandlers" : {
"title" : "Custom Logout Handler",
"description" : "Application specific logout handler to log out a user with the application server. (property name: com.sun.identity.agents.config.logout.handler) <br>Valid key: the web application name. <br>Valid value: the logout handler class name. <br>Hot-swap: Yes <br> Example: <br>To set logout handler for application BankApp: enter BankApp in Map Key field, and enter logout handler class name BankLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 3300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"privilegedAttributeMap" : {
"title" : "Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Map if using Enable Privileged Attribute Mapping. (property name: com.sun.identity.agents.config.privileged.attribute.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map UUID id=manager,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_manager_role specified in webapp's deployment descriptor: enter id=manager,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_manager_role in Corresponding Map Value field. <br> To map UUID id=employee,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_employee_role specified in webapp's deployment descriptor: enter id=employee,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_employee_role in Corresponding Map Value field.",
"propertyOrder" : 9900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"useInternalLogin" : {
"title" : "Use Internal Login",
"description" : "Set to false if want to customize Login Content File instead of default internal content provided. (property name: com.sun.identity.agents.config.login.use.internal) <br>Hot-swap: Yes",
"propertyOrder" : 3000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"notEnforcedRuleCompoundSeparator" : {
"title" : "Not Enforced Compound Rule Separator",
"description" : "Specifies a separator for not enforced compound rules (Agent 5 only). The format for compound rules requires a list of IP rules, a separator (by default the | character), and a list of URI rules. For example, GET 192.168.1.1-192.168.4.3 | /images/* Configure a different separator (for example, &&) when working with the REGEX keyword to avoid invalid regular expressions.",
"propertyOrder" : 7450,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"logoutEntryUri" : {
"title" : "Logout Entry URI",
"description" : "An application-specific Map that identifies a URI to be used as an entry point after successful logout and subsequent successful authentication if applicable. (property name: com.sun.identity.agents.config.logout.entry.uri) <br>Valid key: the web application name. <br>Valid value: the logout entry URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout entry URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout entry URI: leave Map Key field empty, and enter the global application logout entry URI /welcome.html in Corresponding Map Value field. <br> To set the logout entry URI for application BankApp: enter BankApp in Map Key field, and enter the logout entry URI /BankApp/welcome.html in Corresponding Map Value field.",
"propertyOrder" : 6300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"customAuthenticationHandlers" : {
"title" : "Custom Authentication Handler",
"description" : "Application specific authentication handler to authenticate the logged on user with the application server. (property name: com.sun.identity.agents.config.auth.handler) <br>Valid key: the web application name. <br>Valid value: the authentication handler class name. <br>Hot-swap: Yes <br>Example: <br>To set authentication handler for application BankApp: enter BankApp in Map Key field, and enter authentication handler class name BankAuthHandler in Corresponding Map Value field.",
"propertyOrder" : 3200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedUrisRefreshSessionIdleTime" : {
"title" : "Refresh Session Idle Time",
"description" : "Indicates if opensso session idle time should be refreshed or reset for not enforced URIs. (property name: com.sun.identity.agents.config.notenforced.refresh.session.idletime) <br>Hot-swap: Yes",
"propertyOrder" : 8600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
}
}
},
"advancedJ2EEAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"webServiceResponseProcessor" : {
"title" : "Web Service Response Processor",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceResponseProcessor that can be used to process the web-service responses. (property name: com.sun.identity.agents.config.webservice.responseprocessor) <br>Hot-swap: Yes",
"propertyOrder" : 2400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreservation" : {
"title" : "Post Data Preservation enabled",
"description" : "Post Data Preservation functionality basically stores any POST data before redirecting the user to the login screen and after successful login the agent will generate a page that autosubmits the same POST to the original URL. (property name: com.sun.identity.agents.config.postdata.preserve.enable)",
"propertyOrder" : 13100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"xssDetectionRedirectUri" : {
"title" : "XSS detection redirect URI",
"description" : "An application-specific Map that identifies a URI of the customized page if XSS code has been detected. (property name: com.sun.identity.agents.config.xss.redirect.uri) <br>Hot-swap: Yes <br>Examples: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field, and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 12900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"missingPostDataPreservationEntryUri" : {
"title" : "Missing PDP entry URI",
"description" : "An application-specific URI Map that is used in case the referenced PDP entry cannot be found in the local cache (due to ttl). In such cases it will redirect to the specified URI, otherwise it will show a HTTP 403 Forbidden error. (property name: com.sun.identity.agents.config.postdata.preservce.cache.noentry.url)<br>Examples: <br>To set a redirect target for application BankApp: enter Bankapp in Map Key field and enter a redirect URI in corresponding Map Value field.",
"propertyOrder" : 13200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"webServiceEnabled" : {
"title" : "Web Service Enable",
"description" : "Flag specifies if Web Service processing is enabled. (property name: com.sun.identity.agents.config.webservice.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"jbossWebAuthenticationAvailable" : {
"title" : "WebAuthentication Available",
"description" : "(Not used in Agent 5 onwards) <br>Enable agent to make programmatic authentication with the JBoss web container using WebAuthentication feature. (property name: com.sun.identity.agents.config.jboss.webauth.available) <br>Hot-swap: Yes",
"propertyOrder" : 12300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataStickySessionKeyValue" : {
"title" : "PDP Stickysession key-value",
"description" : "The provided key-value pair will be used for adding to the URL or creating the cookie. <br>Example: <br>Set 'lb=server1' to append to the querystring or to have 'lb' cookie with 'server1' value. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.value)",
"propertyOrder" : 13500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreserveCacheEntryMaxEntries" : {
"title" : "PDP Maximum Number of Cache Entries",
"description" : "Maximum number of entries to hold in the PDP cache (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.entries) (Agent 5 only).",
"propertyOrder" : 13550,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"possibleXssCodeElements" : {
"title" : "Possible XSS code elements",
"description" : "If one of these strings occurs in the request, the client is redirected to an error page. (property name: com.sun.identity.agents.config.xss.code.elements) <br>Hot-swap: Yes",
"propertyOrder" : 12800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 1000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"alternativeAgentHostname" : {
"title" : "Alternative Agent Host Name",
"description" : "Host name identifying the Agent protected server to the client browsers if different from the actual host name. (property name: com.sun.identity.agents.config.agent.host) <br>Hot-swap: Yes",
"propertyOrder" : 4100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataStickySessionMode" : {
"title" : "PDP Stickysession mode",
"description" : "The PDP mechanism needs sticky loadbalancing, the URL mode will append a querystring, while the Cookie mode will create a cookie. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.mode)",
"propertyOrder" : 13400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceProcessGetEnabled" : {
"title" : "Web Service Process GET Enable",
"description" : "Flag that indicates if the processing of HTTP GET requests for Web Service endpoints is enabled. (property name: com.sun.identity.agents.config.webservice.process.get.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"alternativeAgentPort" : {
"title" : "Alternative Agent Port Name",
"description" : "Port number identifying the Agent protected server listening port to the client browsers if different from the actual listening port. (property name: com.sun.identity.agents.config.agent.port) <br>Hot-swap: Yes",
"propertyOrder" : 4200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 1100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"alternativeAgentProtocol" : {
"title" : "Alternative Agent Protocol",
"description" : "Protocol being used (http/https) by the client browsers to communicate with the Agent protected server if different from the actual protocol used by the server. (property name: com.sun.identity.agents.config.agent.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 4300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreserveCacheEntryMaxTotalSizeMb" : {
"title" : "PDP Maximum Cache Size",
"description" : "Maximum size of the PDP cache, in megabytes (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.total.size.mb). (Agent 5 only)",
"propertyOrder" : 13600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"webServiceEndpoints" : {
"title" : "Web Service End Points",
"description" : "A list of Web Application end points that represent Web Services. (property name: com.sun.identity.agents.config.webservice.endpoint) <br>Hot-swap: Yes",
"propertyOrder" : 2100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"webServiceInternalErrorContentFile" : {
"title" : "Web Service Internal Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an internal error fault for clients. (property name: com.sun.identity.agents.config.webservice.internalerror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceAuthorizationErrorContentFile" : {
"title" : "Web Service Authorization Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an authorization error fault for clients. (property name: com.sun.identity.agents.config.webservice.autherror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceAuthenticator" : {
"title" : "Web Service Authenticator",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceAuthenticator that can be used to authenticate web-service requests. (property name: com.sun.identity.agents.config.webservice.authenticator) <br>Hot-swap: Yes",
"propertyOrder" : 2300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataCacheTtl" : {
"title" : "PDP entry TTL",
"description" : "This value tells how long a given POST entry should be stored in the local cache (in milliseconds), default value is 300000. (property name: com.sun.identity.agents.config.postdata.preserve.cache.entry.ttl)",
"propertyOrder" : 13300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 12200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"ssoJ2EEAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 5100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross Domain Single SignOn. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ssoCacheEnabled" : {
"title" : "SSO Cache Enable",
"description" : "Specifies if the SSO Cache is active for the agent. Cache is used through public APIs exposed by the agent SDK. (property name: com.sun.identity.agents.config.amsso.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetNames" : {
"title" : "Cookies Reset Name List",
"description" : "Cookie names that will be reset by the Agent if Cookie Reset is enabled. (property name: com.sun.identity.agents.config.cdsso.cookie.reset.name) <br>Hot-swap: Yes",
"propertyOrder" : 4700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdssoSecureCookies" : {
"title" : "CDSSO Secure Enable",
"description" : "The SSO Token cookie set by the agent in the different domains in CDSSO mode will be marked Secure, so browsers only transmit it when the communications channel with the host is a secure one. (property name: com.sun.identity.agents.config.cdsso.secure.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"amCookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.iplanet.am.cookie.name) <br>Hot-swap: No",
"propertyOrder" : 10100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieResetPaths" : {
"title" : "Cookies Reset Path Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the path of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.path) <br>Hot-swap: Yes",
"propertyOrder" : 4900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"cdssoTrustedIdProvider" : {
"title" : "CDSSO Trusted ID Provider",
"description" : "List of AM Server/ID providers that should be trusted by the agent, when evaluating the CDC Liberty Responses. (property name: com.sun.identity.agents.config.cdsso.trusted.id.provider) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdssoClockSkew" : {
"title" : "CDSSO Clock Skew",
"description" : "Time in seconds to be used by the Agent to determine the validity of the CDSSO AuthnResponse assertion. (property name: com.sun.identity.agents.config.cdsso.clock.skew) <br>Hot-swap: Yes",
"propertyOrder" : 5300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetDomains" : {
"title" : "Cookies Reset Domain Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the domain of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.domain) <br>Hot-swap: Yes",
"propertyOrder" : 4800,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"cdssoDomainList" : {
"title" : "CDSSO Domain List",
"description" : "Domains for which cookies have to be set in a CDSSO scenario. (property name: com.sun.identity.agents.config.cdsso.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 5800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"miscJ2EEAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"portCheckEnabled" : {
"title" : "Port Check Enable",
"description" : "Indicates if port check functionality is enabled or disabled. (property name: com.sun.identity.agents.config.port.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"localeLanguage" : {
"title" : "Locale Language",
"description" : "(property name: com.sun.identity.agents.config.locale.language) <br>Hot-swap: No",
"propertyOrder" : 1300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 18600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"portCheckSetting" : {
"title" : "Port Check Setting",
"description" : "Map of port versus protocol entries with the key being the listening port number and value being the listening protocol to be used by the Agent to identify requests with invalid port numbers. (property name: com.sun.identity.agents.config.port.check.setting) <br>Hot-swap: Yes <br> Example: <br> To map port 80 to protocol http: enter 80 in Map Key field, and enter http in Corresponding Map Value field.",
"propertyOrder" : 7400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. The default value should be changed only when the login URL has a landing page specified. <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcservlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent:port/original.jsp",
"propertyOrder" : 3600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"bypassPrincipalList" : {
"title" : "Bypass Principal List",
"description" : "List of principals that are bypassed by the Agent for authentication and search purposes. (property name: com.sun.identity.agents.config.bypass.principal) <br>Hot-swap: Yes <br> Examples: <br> guest <br> testuser",
"propertyOrder" : 9300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"portCheckFile" : {
"title" : "Port Check File",
"description" : "Name or complete path of a file that has the necessary content needed to handle requests that need port correction. (property name: com.sun.identity.agents.config.port.check.file) <br>Hot-swap: Yes",
"propertyOrder" : 7300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"legacyUserAgentList" : {
"title" : "Legacy User Agent List",
"description" : "List of user agent header values that identify legacy browsers. Entries in this list can have wild card character '*'. (property name: com.sun.identity.agents.config.legacy.user.agent) <br>Hot-swap: Yes",
"propertyOrder" : 6800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"encryptionProvider" : {
"title" : "Encryption Provider",
"description" : "Specifies the encryption provider implementation to be used by the Agent. (property name: com.iplanet.security.encryptor) <br>Hot-swap: No",
"propertyOrder" : 10400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"localeCountry" : {
"title" : "Locale Country",
"description" : "(property name: com.sun.identity.agents.config.locale.country) <br>Hot-swap: No",
"propertyOrder" : 1400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"legacyUserAgentSupport" : {
"title" : "Legacy User Agent Support Enable",
"description" : "Enables support for legacy user agents (browser). (property name: com.sun.identity.agents.config.legacy.support.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"legacyRedirectUri" : {
"title" : "Legacy User Agent Redirect URI",
"description" : "An intermediate URI used by the Agent to redirect legacy user agent requests. (property name: com.sun.identity.agents.config.legacy.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 6900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
},
"globalJ2EEAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 6600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"filterMode" : {
"title" : "Agent Filter Mode",
"description" : "Specifies the mode of operation of the Filter. (property name: com.sun.identity.agents.config.filter.mode) <br>Valid key: the web application name. <br>Valid values: ALL, J2EE_POLICY (Not used in Agent 5 onwards), URL_POLICY, SSO_ONLY, NONE <br>For this property, a global value can be set to apply to all the applications that don't have their own specific filter mode. <br>Hot-swap: No <br>Examples: <br>To set ALL as the global filter mode: leave Map Key field empty, and enter ALL in Corresponding Map Value field. <br>To set URL_POLICY as the filter mode for application BankApp: enter BankApp in Map Key field, and enter URL_POLICY in Corresponding Map Value field.",
"propertyOrder" : 500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"debugLevel" : {
"title" : "Agent Debug Level",
"description" : "Specifies type of agent debug messages to log. (property name: com.iplanet.services.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 10000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userTokenName" : {
"title" : "User Token Name",
"description" : "Session property name for user-ID of the authenticated user in session. (property name: com.sun.identity.agents.config.user.token) <br>Hot-swap: Yes",
"propertyOrder" : 900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"remoteLogFilename" : {
"title" : "Remote Log File Name",
"description" : "Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: Yes",
"propertyOrder" : 1700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userMappingMode" : {
"title" : "User Mapping Mode",
"description" : "Specifies mechanism agent uses to determine user-ID. (property name: com.sun.identity.agents.config.user.mapping.mode) <br>Hot-swap: Yes",
"propertyOrder" : 600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 1600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 1900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 1500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"configurationReloadInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in seconds between configuration reloads. (property name: com.sun.identity.agents.config.load.interval) <br>Hot-swap: Yes",
"propertyOrder" : 1200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 12105,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 12100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
},
"loginAttemptLimit" : {
"title" : "Login Attempt Limit",
"description" : "Limit of failed login attempts for a user's single browser session until triggering the blocking of the user request. Value of 0 disables this feature. (property name: com.sun.identity.agents.config.login.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 4400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 6500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"repositoryLocation" : {
"title" : "Location of Agent Configuration Repository",
"description" : "Indicates agent's configuration located either on agent's host or centrally on AM server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"redirectAttemptLimit" : {
"title" : "Redirect Attempt Limit",
"description" : "Number of successive single point redirects that a user can make using a single browser session which will trigger the blocking of the user request. Set to 0 to disable this feature. (property name: com.sun.identity.agents.config.redirect.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 7100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"customResponseHeader" : {
"title" : "Custom Response Header",
"description" : "Map specifies the custom headers that are set by the Agent on the client browser. The key is the header name and the value represents the header value. (property name: com.sun.identity.agents.config.response.header) <br>Hot-swap: Yes <br> Example: <br> To set the custom header Cache-Control to value no-cache: enter Cache-Control in Map Key field, and enter no-cache in Corresponding Map Value field.",
"propertyOrder" : 7000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 1800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 11201,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"httpSessionBinding" : {
"title" : "HTTP Session Binding",
"description" : "If true will invalidate the http session when login has failed, user has no SSO session, or principal user name does not match SSO user name. (property name: com.sun.identity.agents.config.httpsession.binding) <br>Hot-swap: Yes",
"propertyOrder" : 3500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"userAttributeName" : {
"title" : "User Attribute Name",
"description" : "Name of the attribute which contains the user-ID. (property name: com.sun.identity.agents.config.user.attribute.name) <br>Hot-swap: Yes",
"propertyOrder" : 700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userPrincipalFlag" : {
"title" : "User Principal Flag",
"description" : "Use principal instead of just the user-ID for authenticating the user. (property name: com.sun.identity.agents.config.user.principal) <br>Hot-swap: Yes",
"propertyOrder" : 800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
}
}
}
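The schema above documents three things a client of this endpoint has to get right by hand: every agent property is an object of the form `{"inherited": bool, "value": ...}`, the `customProperties` entries use a free-form `key=value` / `key[0]=value` / `key[name]=value` syntax, and `cdssoRootUrl` must be `protocol://hostname:port/` with the trailing slash. The following Python is an added example for this page, not ForgeRock code: it builds values in the inherited/value shape, parses the free-form and conditional-URL formats the descriptions give, and runs a few hardening checks over a constructed CDSSO configuration. The regular expression for the root URL is this example's reading of the `protocol://hostname:port/` description, and the rule that an enabled CDSSO agent should also set `cdssoSecureCookies` is the example's own hardening check, derived from the property descriptions rather than stated by the page.

```python
"""Helpers for the J2EE agent configuration shape documented above.

Added example for this page, not ForgeRock code. It builds property values
in the {"inherited": bool, "value": ...} shape the schema uses, parses the
two free-text formats the schema documents (customProperties and the
conditional login/logout URL entries), and runs a few hardening checks over
a CDSSO configuration. The sample configuration at the bottom is constructed.
"""
import re
from typing import Any

# Valid filter modes per the filterMode description (J2EE_POLICY is legacy).
FILTER_MODES = {"ALL", "J2EE_POLICY", "URL_POLICY", "SSO_ONLY", "NONE"}

# cdssoRootUrl: "protocol://hostname:port/" with the trailing slash required.
# This regex is the example's reading of that description.
ROOT_URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/:\s]+:\d{1,5}/$")

# Free-form property lines: key=value, key[0]=value (list), key[name]=value (map).
FREEFORM_RE = re.compile(r"^([^\[=\s]+)(?:\[([^\]]*)\])?=(.*)$")


def prop(value: Any, inherited: bool = False) -> dict:
    """Wrap a value in the inherited/value object used by every agent property."""
    return {"inherited": inherited, "value": value}


def parse_freeform(lines: list[str]) -> dict[str, Any]:
    """Parse customProperties entries into scalars, lists and maps.

    customlist[0]=a / customlist[1]=b  -> {"customlist": ["a", "b"]}
    custommap[k]=v                      -> {"custommap": {"k": "v"}}
    """
    out: dict[str, Any] = {}
    lists: dict[str, dict[int, str]] = {}
    for line in lines:
        m = FREEFORM_RE.match(line.strip())
        if not m:
            raise ValueError(f"malformed free-form property: {line!r}")
        key, idx, val = m.groups()
        if idx is None:
            out[key] = val
        elif idx.isdigit():
            lists.setdefault(key, {})[int(idx)] = val
        else:
            out.setdefault(key, {})[idx] = val
    for key, by_index in lists.items():
        # Order by the numeric index, not by the order the lines appeared in.
        out[key] = [by_index[i] for i in sorted(by_index)]
    return out


def parse_conditional_url(entry: str) -> tuple[str, str]:
    """Split a conditional login/logout URL entry 'match|url' at the first '|'."""
    match, sep, url = entry.partition("|")
    if not sep:
        raise ValueError(f"conditional URL entry lacks '|': {entry!r}")
    return match, url


def check_cdsso(cfg: dict) -> list[str]:
    """Return hardening findings for the CDSSO-related properties.

    The checks are this example's own, derived from the property descriptions:
    the root-URL format, the filterMode value set, and that a cookie the agent
    sets across domains in CDSSO mode is marked Secure.
    """
    findings = []
    sso, glob = cfg["ssoJ2EEAgentConfig"], cfg["globalJ2EEAgentConfig"]
    for url in glob["cdssoRootUrl"]["value"]:
        if not ROOT_URL_RE.match(url):
            findings.append(f"cdssoRootUrl {url!r} is not protocol://hostname:port/")
    for app, mode in glob["filterMode"]["value"].items():
        if mode not in FILTER_MODES:
            findings.append(f"filterMode {mode!r} for {app or '<global>'} is invalid")
    if sso["cdsso"]["value"] and not sso["cdssoSecureCookies"]["value"]:
        findings.append("cdsso enabled but cdssoSecureCookies is false")
    return findings


# Constructed sample: a CDSSO agent with one deliberate weakness. Only the
# properties the checks read are included; a real payload carries many more.
SAMPLE_CONFIG = {
    "globalJ2EEAgentConfig": {
        "cdssoRootUrl": prop(["https://agent.example.com:8443/"]),
        "filterMode": prop({"": "ALL", "BankApp": "URL_POLICY"}),
    },
    "ssoJ2EEAgentConfig": {
        "cdsso": prop(True),
        "cdssoSecureCookies": prop(False),
    },
}
```

Run `check_cdsso(SAMPLE_CONFIG)` before sending a payload to the agents endpoint: the sample produces a single finding for the unset Secure flag, and a root URL without the trailing slash or a filterMode outside the documented set is reported the same way. The empty map key for `filterMode` is the global default the description describes, which is why the finding text substitutes `<global>` for it.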
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amServicesJ2EEAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"authServiceProtocol" : {
"title" : "AM Authentication Service Protocol",
"description" : "Protocol to be used by the AM authentication service. (property name: com.iplanet.am.server.protocol) <br>Hot-swap: No",
"propertyOrder" : 10900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 5400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"serviceDataCacheTime" : {
"title" : "Service Data Cache Time",
"description" : "Cache update time in minutes for service configuration data. If set to '0' no updates happen. (property name: com.sun.identity.sm.cacheTime) <br>Hot-swap: No",
"propertyOrder" : 10800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"userDataCachePollingTime" : {
"title" : "User Data Cache Polling Time",
"description" : "Cache update time in minutes for user management data. If set to '0' no updates happen. (property name: com.iplanet.am.sdk.remote.pollingTime) <br>Hot-swap: No",
"propertyOrder" : 10600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"probeLoginUrl" : {
"title" : "Login URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.login.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 3900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"conditionalLogoutUrl" : {
"title" : "AM Conditional Logout URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.logout.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1&param2=value2 <br> match/path|?param1=value1&param2=value2&param3=value3",
"propertyOrder" : 12550,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"conditionalLoginUrl" : {
"title" : "AM Conditional Login URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.login.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1&param2=value2 <br> match/path|?param1=value1&param2=value2&param3=value3",
"propertyOrder" : 4010,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"loginProbeTimeout" : {
"title" : "Login URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Login URL Probe is set to true. (property name: com.sun.identity.agents.config.login.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 4000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"clientPollingPeriod" : {
"title" : "Client Polling Period",
"description" : "(Not used in Agent 5 onwards) <br>Time in seconds after which the session client will request update of cached session information from the server. (property name: com.iplanet.am.session.client.polling.period) <br>Hot-swap: No",
"propertyOrder" : 10300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"urlPolicyEnvGetParameters" : {
"title" : "URL Policy Env GET Parameters",
"description" : "List of HTTP GET request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.get.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClientCacheMode" : {
"title" : "Policy Client Cache Mode",
"description" : "Mode of caching to be used by remote policy client. (property name: com.sun.identity.policy.client.cacheMode) <br>Hot-swap: No",
"propertyOrder" : 11400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"loginUrlPrioritized" : {
"title" : "Login URL Prioritized",
"description" : "Specifies if failover sequence for Login URLs or CDSSO URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.login.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 3800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyNotifications" : {
"title" : "Enable Policy Notifications",
"description" : "Enable Notifications for remote policy client. (property name: com.sun.identity.agents.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 11200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logoutProbeTimeout" : {
"title" : "Logout URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Logout URL Probe is set to true. (property name: com.sun.identity.agents.config.logout.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 12700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"policyClientPollingInterval" : {
"title" : "Policy Client Polling Interval",
"description" : "Duration in minutes after which the cached entries are refreshed by remote policy client. (property name: com.sun.identity.agents.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 11300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"urlPolicyEnvJsessionParameters" : {
"title" : "URL Policy Env jsession Parameters",
"description" : "List of HTTP SESSION attributes whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.jsession.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 12000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with. (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 5500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 12400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"useRedirectForCompositeAdvice" : {
"title" : "Use HTTP-Redirect for composite advice",
"description" : "Configure remote policy client to use HTTP-redirect instead of HTTP-POST for composite advices. (property name: com.sun.identity.agents.config.policy.advice.use.redirect) <br>Hot-swap: Yes",
"propertyOrder" : 13000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logoutUrlPrioritized" : {
"title" : "Logout URL Prioritized",
"description" : "Specifies if failover sequence for Logout URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.logout.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 12500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"urlPolicyEnvPostParameters" : {
"title" : "URL Policy Env POST Parameters",
"description" : "List of HTTP POST request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.post.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"enableClientPolling" : {
"title" : "Enable Client Polling",
"description" : "Specifies if the session client must use polling for updating session information and not depend upon server notifications. (property name: com.iplanet.am.session.client.polling.enable) <br>Hot-swap: No",
"propertyOrder" : 10200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyClientResourceComparators" : {
"title" : "Policy Client Resource Comparators",
"description" : "Resource Comparators to be used for different service names. (property name: com.sun.identity.policy.client.resourceComparators) <br>Hot-swap: No",
"propertyOrder" : 11600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"probeLogoutUrl" : {
"title" : "Logout URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.logout.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 12600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"userDataCacheNotifications" : {
"title" : "Enable Notification of User Data Caches",
"description" : "Enable notifications for amsdk and IdRepo Caches. (property name: com.sun.identity.idm.remote.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"policyActionBooleanValues" : {
"title" : "Policy Client Boolean Action Values",
"description" : "Boolean action values for policy action names. (property name: com.sun.identity.policy.client.booleanActionValues) <br>Hot-swap: No",
"propertyOrder" : 11500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 3700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClientClockSkew" : {
"title" : "Policy Client Clock Skew",
"description" : "Time in seconds which is allowed to accommodate the time difference between the AM server machine and the remote policy client machine. (property name: com.sun.identity.policy.client.clockSkew) <br>Hot-swap: No",
"propertyOrder" : 11700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"serviceDataCacheNotifications" : {
"title" : "Enable Notification of Service Data Caches",
"description" : "Enable the notifications for service management caches. (property name: com.sun.identity.sm.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"authServiceHost" : {
"title" : "AM Authentication Service Host Name",
"description" : "Host name to be used by the AM authentication service. (property name: com.iplanet.am.server.host) <br>Hot-swap: No",
"propertyOrder" : 11000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"authServicePort" : {
"title" : "AM Authentication Service Port",
"description" : "Port to be used by the AM authentication service. (property name: com.iplanet.am.server.port) <br>Hot-swap: No",
"propertyOrder" : 11100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"applicationJ2EEAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"notEnforcedUrisCacheEnabled" : {
"title" : "Not Enforced URIs Cache Enabled",
"description" : "Enables the caching of the Not Enforced URIs list evaluation results. (property name: com.sun.identity.agents.config.notenforced.uri.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"headerAttributeDateFormat" : {
"title" : "Fetch Attribute Date Format",
"description" : "Format of date attribute values to be used when the attribute is being set as HTTP header. Format is based on java.text.SimpleDateFormat. (property name: com.sun.identity.agents.config.attribute.date.format) <br>Hot-swap: Yes",
"propertyOrder" : 8400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedUrisCacheSize" : {
"title" : "Not Enforced URIs Cache Size",
"description" : "Size of the cache to be used if caching of not enforced URI list evaluation results is enabled. (property name: com.sun.identity.agents.config.notenforced.uri.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 7800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"applicationLogoutHandlers" : {
"title" : "Application Logout Handler",
"description" : "An application-specific Map that identifies a handler to be used for logout processing. (property name: com.sun.identity.agents.config.logout.application.handler) <br>Valid key: the web application name. <br>Valid value: the application logout handler class name. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout handler. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout handler: leave Map Key field empty, and enter the global application logout handler class name GlobalApplicationLogoutHandler in Corresponding Map Value field. <br>To set the logout handler for application BankApp: enter BankApp in Map Key field, and enter the application logout handler class name BankAppLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 5900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedIpsCacheSize" : {
"title" : "Not Enforced IP Cache Size",
"description" : "Size of the cache to be used if Not Enforced IP Cache Flag is enabled. (property name: com.sun.identity.agents.config.notenforced.ip.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 8200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"invertNotEnforcedUris" : {
"title" : "Invert Not Enforced URIs",
"description" : "Inverts protection of URIs specified in Not Enforced URIs list. When set to true, it indicates that the URIs specified should be enforced and all other URIs should be not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri.invert) <br>Hot-swap: Yes",
"propertyOrder" : 7600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"applicationLogoutUris" : {
"title" : "Application Logout URI",
"description" : "An application-specific Map that identifies a request URI which indicates a logout event. (property name: com.sun.identity.agents.config.logout.uri) <br>Valid key: the web application name. <br>Valid value: the application logout URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout URI: leave Map Key field empty, and enter the global application logout URI /logout.jsp in Corresponding Map Value field. <br> To set the logout URI for application BankApp: enter BankApp in Map Key field, and enter the application logout URI /BankApp/logout.jsp in Corresponding Map Value field.",
"propertyOrder" : 6000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"profileAttributeMap" : {
"title" : "Profile Attribute Mapping",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 8800,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"responseAttributeMap" : {
"title" : "Response Attribute Mapping",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 9200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"logoutIntrospection" : {
"title" : "Logout Introspect Enabled",
"description" : "Allows the Agent to search HTTP request body to locate logout parameter. (property name: com.sun.identity.agents.config.logout.introspect.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 6200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"resourceAccessDeniedUri" : {
"title" : "Resource Access Denied URI",
"description" : "An application-specific Map that identifies a URI of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.uri) <br>Valid key: the web application name. <br>Valid value: the customized application access denied page URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific access denied page. <br>Hot-swap: Yes <br> Examples: <br>To set a global access denied page: leave Map Key field empty, and enter the global access denied page URI /sample/accessdenied.html in Corresponding Map Value field. <br> To set the access denied page URI for application BankApp: enter BankApp in Map Key field, and enter the application access denied page URI /BankApp/accessdenied.html in Corresponding Map Value field.",
"propertyOrder" : 2700,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedUris" : {
"title" : "Not Enforced URIs",
"description" : "List of URIs for which protection is not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri) <br>Hot-swap: Yes <br> Examples: <br> /BankApp/public/* <br> /BankApp/images/*",
"propertyOrder" : 7500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"privilegedAttributesToLowerCase" : {
"title" : "Privileged Attributes To Lower Case",
"description" : "(Not used in Agent 5 onwards) <br>Maps the privileged attribute types to whether they should be converted to lowercase. (property name: com.sun.identity.agents.config.privileged.attribute.tolowercase) <br> Valid Keys: the privileged attribute types, such as Group, Role. <br>Valid value: true, false. <br>Hot-swap: Yes <br> Example: <br> Enter Group in Map Key field, and enter false in Corresponding Map Value field.",
"propertyOrder" : 9600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedIpsCacheEnabled" : {
"title" : "Not Enforced IP Cache Flag",
"description" : "Enable caching of not-enforced IP list evaluation results. (property name: com.sun.identity.agents.config.notenforced.ip.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 8100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"defaultPrivilegedAttributes" : {
"title" : "Default Privileged Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attributes that will be granted to all users who have a valid AM session. (property name: com.sun.identity.agents.config.default.privileged.attribute) <br>Hot-swap: Yes <br> Example: <br> AUTHENTICATED_USERS",
"propertyOrder" : 9400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3210,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"privilegedAttributeType" : {
"title" : "Privileged Attribute Type",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attribute types that will be fetched for each user. (property name: com.sun.identity.agents.config.privileged.attribute.type) <br>Hot-swap: Yes <br> Example: <br> Group",
"propertyOrder" : 9500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieAttributeMultiValueSeparator" : {
"title" : "Cookie Separator Character",
"description" : "Character that will be used to separate multiple values of the same attribute when it is being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.separator) <br>Hot-swap: Yes",
"propertyOrder" : 8300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cookieAttributeUrlEncoded" : {
"title" : "Attribute Cookie Encode",
"description" : "Indicates if the value of the attribute should be URL encoded before being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.encode) <br>Hot-swap: Yes",
"propertyOrder" : 8500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"privilegedSessionAttribute" : {
"title" : "Privileged Session Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of session property names which hold privileged attributes for the authenticated user. (property name: com.sun.identity.agents.config.privileged.session.attribute) <br>Hot-swap: Yes <br> Example: <br> UserToken",
"propertyOrder" : 9700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"loginContentFile" : {
"title" : "Login Content File Name",
"description" : "Complete path and name of custom login content file. (property name: com.sun.identity.agents.config.login.content.file) <br>Hot-swap: Yes",
"propertyOrder" : 3100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "The mode of fetching profile attributes. (property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization protection from agent are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 7900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"logoutRequestParameters" : {
"title" : "Logout Request Parameter",
"description" : "An application-specific Map that identifies a parameter which when present in the HTTP request indicates a logout event. (property name: com.sun.identity.agents.config.logout.request.param) <br>Valid key: the web application name. <br>Valid value: the logout request parameter. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout request parameter. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout request parameter: leave Map Key field empty, and enter the global application logout request parameter logoutparam in Corresponding Map Value field. <br> To set the logout request parameter for application BankApp: enter BankApp in Map Key field, and enter the logout request parameter logoutparam in Corresponding Map Value field.",
"propertyOrder" : 6100,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request, that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3211,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"shortenedPrivilegeAttributeValues" : {
"title" : "Shortened privilege attribute values",
"description" : "When using privileged attribute type, this setting will ensure that the membership details will be stored in a shortened format and not in the default universal ID format.<br><br>By default the agent maps identity memberships using their universal IDs (e.g. id=admin,ou=group,dc=openam,dc=forgerock,dc=org), however this may not be always acceptable. Using this setting the identity membership details will be mapped in a shortened format, only including the group's/role's name (e.g. admin). Be aware that in case there are both roles and groups in the data store, this setting will make them indistinguishable from each other, i.e. if there is a group and a role with the same name it will not be possible to differentiate them.",
"propertyOrder" : 13600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "The mode of fetching session attributes. (property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"privilegedAttributeMappingEnabled" : {
"title" : "Enable Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Enable a mapping from the original value of an attribute to another value. To satisfy container-specific restrictions on character set being used in certain configuration files. (property name: com.sun.identity.agents.config.privileged.attribute.mapping.enable) <br>Hot-swap: Yes",
"propertyOrder" : 9800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"loginErrorUri" : {
"title" : "Login Error URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-error-page element. (property name: com.sun.identity.agents.config.login.error.uri) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/error.jsp",
"propertyOrder" : 2900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"invertNotEnforcedIps" : {
"title" : "Not Enforced IP Invert List",
"description" : "Client IP Addresses to invert protection of IP addresses listed in the related Not Enforced Client IP List. (property name: com.sun.identity.agents.config.notenforced.ip.invert) <br>Hot-swap: Yes",
"propertyOrder" : 8000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "The mode of fetching policy response attributes. (property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 9100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"sessionAttributeMap" : {
"title" : "Session Attribute Mapping",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 9000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"customVerificationHandlers" : {
"title" : "Custom Verification Handler",
"description" : "Application specific verification handler to validate the user credentials with the local repository. (property name: com.sun.identity.agents.config.verification.handler) <br>Valid key: the web application name. <br>Valid value: the verification handler class name. <br>Hot-swap: Yes <br> Example: <br> To set verification handler for application BankApp: enter BankApp in Map Key field, and enter verification handler class name BankVerificationHandler in Corresponding Map Value field.",
"propertyOrder" : 3400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"loginFormUri" : {
"title" : "Login Form URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-login-page element. (property name: com.sun.identity.agents.config.login.form) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/login.jsp",
"propertyOrder" : 2800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"customLogoutHandlers" : {
"title" : "Custom Logout Handler",
"description" : "Application specific logout handler to log out a user with the application server. (property name: com.sun.identity.agents.config.logout.handler) <br>Valid key: the web application name. <br>Valid value: the logout handler class name. <br>Hot-swap: Yes <br> Example: <br>To set logout handler for application BankApp: enter BankApp in Map Key field, and enter logout handler class name BankLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 3300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"privilegedAttributeMap" : {
"title" : "Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Map if using Enable Privileged Attribute Mapping. (property name: com.sun.identity.agents.config.privileged.attribute.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map UUID id=manager,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_manager_role specified in webapp's deployment descriptor: enter id=manager,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_manager_role in Corresponding Map Value field. <br> To map UUID id=employee,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_employee_role specified in webapp's deployment descriptor: enter id=employee,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_employee_role in Corresponding Map Value field.",
"propertyOrder" : 9900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"useInternalLogin" : {
"title" : "Use Internal Login",
"description" : "Set to false if you want to customize the Login Content File instead of using the default internal content provided. (property name: com.sun.identity.agents.config.login.use.internal) <br>Hot-swap: Yes",
"propertyOrder" : 3000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"notEnforcedRuleCompoundSeparator" : {
"title" : "Not Enforced Compound Rule Separator",
"description" : "Specifies a separator for not enforced compound rules (Agent 5 only). The format for compound rules requires a list of IP rules, a separator (by default the | character), and a list of URI rules. For example, GET 192.168.1.1-192.168.4.3 | /images/*. Configure a different separator (for example, &&) when working with the REGEX keyword to avoid invalid regular expressions.",
"propertyOrder" : 7450,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"logoutEntryUri" : {
"title" : "Logout Entry URI",
"description" : "An application-specific Map that identifies a URI to be used as an entry point after successful logout and subsequent successful authentication if applicable. (property name: com.sun.identity.agents.config.logout.entry.uri) <br>Valid key: the web application name. <br>Valid value: the logout entry URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout entry URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout entry URI: leave Map Key field empty, and enter the global application logout entry URI /welcome.html in Corresponding Map Value field. <br> To set the logout entry URI for application BankApp: enter BankApp in Map Key field, and enter the logout entry URI /BankApp/welcome.html in Corresponding Map Value field.",
"propertyOrder" : 6300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"customAuthenticationHandlers" : {
"title" : "Custom Authentication Handler",
"description" : "Application specific authentication handler to authenticate the logged on user with the application server. (property name: com.sun.identity.agents.config.auth.handler) <br>Valid key: the web application name. <br>Valid value: the authentication handler class name. <br>Hot-swap: Yes <br>Example: <br>To set authentication handler for application BankApp: enter BankApp in Map Key field, and enter authentication handler class name BankAuthHandler in Corresponding Map Value field.",
"propertyOrder" : 3200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"notEnforcedUrisRefreshSessionIdleTime" : {
"title" : "Refresh Session Idle Time",
"description" : "Indicates whether the OpenSSO session idle time should be refreshed or reset for not enforced URIs. (property name: com.sun.identity.agents.config.notenforced.refresh.session.idletime) <br>Hot-swap: Yes",
"propertyOrder" : 8600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
}
}
},
"advancedJ2EEAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"webServiceResponseProcessor" : {
"title" : "Web Service Response Processor",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceResponseProcessor that can be used to process the web-service responses. (property name: com.sun.identity.agents.config.webservice.responseprocessor) <br>Hot-swap: Yes",
"propertyOrder" : 2400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreservation" : {
"title" : "Post Data Preservation enabled",
"description" : "Post Data Preservation stores any POST data before redirecting the user to the login screen; after successful login, the agent generates a page that automatically resubmits the same POST to the original URL. (property name: com.sun.identity.agents.config.postdata.preserve.enable)",
"propertyOrder" : 13100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"xssDetectionRedirectUri" : {
"title" : "XSS detection redirect URI",
"description" : "An application-specific Map that identifies the URI of the customized page shown if XSS code has been detected. (property name: com.sun.identity.agents.config.xss.redirect.uri) <br>Hot-swap: Yes <br>Example: <br>To set a redirect target for application BankApp: enter BankApp in the Map Key field, and enter a redirect URI in the Corresponding Map Value field.",
"propertyOrder" : 12900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"missingPostDataPreservationEntryUri" : {
"title" : "Missing PDP entry URI",
"description" : "An application-specific URI Map that is used in case the referenced PDP entry cannot be found in the local cache (for example, because its TTL expired). In such cases the agent redirects to the specified URI; otherwise it shows an HTTP 403 Forbidden error. (property name: com.sun.identity.agents.config.postdata.preservce.cache.noentry.url)<br>Example: <br>To set a redirect target for application BankApp: enter BankApp in the Map Key field and enter a redirect URI in the Corresponding Map Value field.",
"propertyOrder" : 13200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"webServiceEnabled" : {
"title" : "Web Service Enable",
"description" : "Flag specifies if Web Service processing is enabled. (property name: com.sun.identity.agents.config.webservice.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"jbossWebAuthenticationAvailable" : {
"title" : "WebAuthentication Available",
"description" : "(Not used in Agent 5 onwards) <br>Enable agent to make programmatic authentication with the JBoss web container using WebAuthentication feature. (property name: com.sun.identity.agents.config.jboss.webauth.available) <br>Hot-swap: Yes",
"propertyOrder" : 12300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataStickySessionKeyValue" : {
"title" : "PDP Stickysession key-value",
"description" : "The provided key-value pair is used when appending to the URL or creating the cookie. <br>Example: <br>Set 'lb=server1' to append lb=server1 to the query string, or to create an 'lb' cookie with the value 'server1'. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.value)",
"propertyOrder" : 13500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreserveCacheEntryMaxEntries" : {
"title" : "PDP Maximum Number of Cache Entries",
"description" : "Maximum number of entries to hold in the PDP cache (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.entries) (Agent 5 only).",
"propertyOrder" : 13550,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"possibleXssCodeElements" : {
"title" : "Possible XSS code elements",
"description" : "If one of these strings occurs in the request, the client is redirected to an error page. (property name: com.sun.identity.agents.config.xss.code.elements) <br>Hot-swap: Yes",
"propertyOrder" : 12800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 1000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"alternativeAgentHostname" : {
"title" : "Alternative Agent Host Name",
"description" : "Host name identifying the Agent protected server to the client browsers if different from the actual host name. (property name: com.sun.identity.agents.config.agent.host) <br>Hot-swap: Yes",
"propertyOrder" : 4100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataStickySessionMode" : {
"title" : "PDP Stickysession mode",
"description" : "The PDP mechanism needs sticky load balancing: URL mode appends a query string, while Cookie mode creates a cookie. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.mode)",
"propertyOrder" : 13400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceProcessGetEnabled" : {
"title" : "Web Service Process GET Enable",
"description" : "Flag that indicates whether the processing of HTTP GET requests for Web Service endpoints is enabled. (property name: com.sun.identity.agents.config.webservice.process.get.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"alternativeAgentPort" : {
"title" : "Alternative Agent Port Name",
"description" : "Port number identifying the Agent protected server listening port to the client browsers if different from the actual listening port. (property name: com.sun.identity.agents.config.agent.port) <br>Hot-swap: Yes",
"propertyOrder" : 4200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 1100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"alternativeAgentProtocol" : {
"title" : "Alternative Agent Protocol",
"description" : "Protocol being used (http/https) by the client browsers to communicate with the Agent protected server if different from the actual protocol used by the server. (property name: com.sun.identity.agents.config.agent.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 4300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataPreserveCacheEntryMaxTotalSizeMb" : {
"title" : "PDP Maximum Cache Size",
"description" : "Maximum size of the PDP cache, in megabytes (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.total.size.mb). (Agent 5 only)",
"propertyOrder" : 13600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"webServiceEndpoints" : {
"title" : "Web Service End Points",
"description" : "A list of Web Application end points that represent Web Services. (property name: com.sun.identity.agents.config.webservice.endpoint) <br>Hot-swap: Yes",
"propertyOrder" : 2100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"webServiceInternalErrorContentFile" : {
"title" : "Web Service Internal Error Content File",
"description" : "The name of the file that contains the content used by the Agent to generate an internal error fault for clients. (property name: com.sun.identity.agents.config.webservice.internalerror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceAuthorizationErrorContentFile" : {
"title" : "Web Service Authorization Error Content File",
"description" : "The name of the file that contains the content used by the Agent to generate an authorization error fault for clients. (property name: com.sun.identity.agents.config.webservice.autherror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"webServiceAuthenticator" : {
"title" : "Web Service Authenticator",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceAuthenticator that can be used to authenticate web-service requests. (property name: com.sun.identity.agents.config.webservice.authenticator) <br>Hot-swap: Yes",
"propertyOrder" : 2300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postDataCacheTtl" : {
"title" : "PDP entry TTL",
"description" : "This value tells how long a given POST entry should be stored in the local cache (in milliseconds), default value is 300000. (property name: com.sun.identity.agents.config.postdata.preserve.cache.entry.ttl)",
"propertyOrder" : 13300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 12200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"ssoJ2EEAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 5100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross Domain Single SignOn. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ssoCacheEnabled" : {
"title" : "SSO Cache Enable",
"description" : "Specifies if the SSO Cache is active for the agent. Cache is used through public APIs exposed by the agent SDK. (property name: com.sun.identity.agents.config.amsso.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetNames" : {
"title" : "Cookies Reset Name List",
"description" : "Cookie names that will be reset by the Agent if Cookie Reset is enabled. (property name: com.sun.identity.agents.config.cdsso.cookie.reset.name) <br>Hot-swap: Yes",
"propertyOrder" : 4700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdssoSecureCookies" : {
"title" : "CDSSO Secure Enable",
"description" : "The SSO Token cookie set by the agent in the different domains in CDSSO mode will be marked secure, so it is only transmitted when the communications channel with the host is a secure one. (property name: com.sun.identity.agents.config.cdsso.secure.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"amCookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.iplanet.am.cookie.name) <br>Hot-swap: No",
"propertyOrder" : 10100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieResetPaths" : {
"title" : "Cookies Reset Path Map",
"description" : "Maps each cookie name specified in the Cookie Reset Name List to the path of that cookie, used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.path) <br>Hot-swap: Yes",
"propertyOrder" : 4900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"cdssoTrustedIdProvider" : {
"title" : "CDSSO Trusted ID Provider",
"description" : "List of AM Server/ID providers that should be trusted by the agent when evaluating the CDC Liberty Responses. (property name: com.sun.identity.agents.config.cdsso.trusted.id.provider) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdssoClockSkew" : {
"title" : "CDSSO Clock Skew",
"description" : "Time in seconds to be used by the Agent to determine the validity of the CDSSO AuthnResponse assertion. (property name: com.sun.identity.agents.config.cdsso.clock.skew) <br>Hot-swap: Yes",
"propertyOrder" : 5300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetDomains" : {
"title" : "Cookies Reset Domain Map",
"description" : "Maps each cookie name specified in the Cookie Reset Name List to the domain of that cookie, used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.domain) <br>Hot-swap: Yes",
"propertyOrder" : 4800,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"cdssoDomainList" : {
"title" : "CDSSO Domain List",
"description" : "Domains for which cookies have to be set in a CDSSO scenario. (property name: com.sun.identity.agents.config.cdsso.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 5800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"miscJ2EEAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"portCheckEnabled" : {
"title" : "Port Check Enable",
"description" : "Indicates if port check functionality is enabled or disabled. (property name: com.sun.identity.agents.config.port.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"localeLanguage" : {
"title" : "Locale Language",
"description" : "(property name: com.sun.identity.agents.config.locale.language) <br>Hot-swap: No",
"propertyOrder" : 1300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "If set to true, the path info is stripped from the request URL when performing the Not Enforced List check and URL policy evaluation. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 18600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"portCheckSetting" : {
"title" : "Port Check Setting",
"description" : "Map of port versus protocol entries with the key being the listening port number and value being the listening protocol to be used by the Agent to identify requests with invalid port numbers. (property name: com.sun.identity.agents.config.port.check.setting) <br>Hot-swap: Yes <br> Example: <br> To map port 80 to protocol http: enter 80 in Map Key field, and enter http in Corresponding Map Value field.",
"propertyOrder" : 7400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. The default value should be changed only when the login URL has a landing page specified. <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcservlet URL. The landing page consumes this parameter to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent:port/original.jsp",
"propertyOrder" : 3600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"bypassPrincipalList" : {
"title" : "Bypass Principal List",
"description" : "List of principals that are bypassed by the Agent for authentication and search purposes. (property name: com.sun.identity.agents.config.bypass.principal) <br>Hot-swap: Yes <br> Examples: <br> guest <br> testuser",
"propertyOrder" : 9300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"portCheckFile" : {
"title" : "Port Check File",
"description" : "Name or complete path of a file that has the necessary content needed to handle requests that need port correction. (property name: com.sun.identity.agents.config.port.check.file) <br>Hot-swap: Yes",
"propertyOrder" : 7300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"legacyUserAgentList" : {
"title" : "Legacy User Agent List",
"description" : "List of user agent header values that identify legacy browsers. Entries in this list can have wild card character '*'. (property name: com.sun.identity.agents.config.legacy.user.agent) <br>Hot-swap: Yes",
"propertyOrder" : 6800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"encryptionProvider" : {
"title" : "Encryption Provider",
"description" : "Specifies the encryption provider implementation to be used by the Agent. (property name: com.iplanet.security.encryptor) <br>Hot-swap: No",
"propertyOrder" : 10400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"localeCountry" : {
"title" : "Locale Country",
"description" : "(property name: com.sun.identity.agents.config.locale.country) <br>Hot-swap: No",
"propertyOrder" : 1400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"legacyUserAgentSupport" : {
"title" : "Legacy User Agent Support Enable",
"description" : "Enables support for legacy user agents (browsers). (property name: com.sun.identity.agents.config.legacy.support.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"legacyRedirectUri" : {
"title" : "Legacy User Agent Redirect URI",
"description" : "An intermediate URI used by the Agent to redirect legacy user agent requests. (property name: com.sun.identity.agents.config.legacy.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 6900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
},
"globalJ2EEAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 6600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"filterMode" : {
"title" : "Agent Filter Mode",
"description" : "Specifies the mode of operation of the Filter. (property name: com.sun.identity.agents.config.filter.mode) <br>Valid key: the web application name. <br>Valid values: ALL, J2EE_POLICY (Not used in Agent 5 onwards), URL_POLICY, SSO_ONLY, NONE <br>For this property, a global value can be set to apply to all the applications that don't have their own specific filter mode. <br>Hot-swap: No <br>Examples: <br>To set ALL as the global filter mode: leave Map Key field empty, and enter ALL in Corresponding Map Value field. <br>To set URL_POLICY as the filter mode for application BankApp: enter BankApp in Map Key field, and enter URL_POLICY in Corresponding Map Value field.",
"propertyOrder" : 500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"debugLevel" : {
"title" : "Agent Debug Level",
"description" : "Specifies type of agent debug messages to log. (property name: com.iplanet.services.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 10000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userTokenName" : {
"title" : "User Token Name",
"description" : "Session property name for user-ID of the authenticated user in session. (property name: com.sun.identity.agents.config.user.token) <br>Hot-swap: Yes",
"propertyOrder" : 900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"remoteLogFilename" : {
"title" : "Remote Log File Name",
"description" : "Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: Yes",
"propertyOrder" : 1700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userMappingMode" : {
"title" : "User Mapping Mode",
"description" : "Specifies mechanism agent uses to determine user-ID. (property name: com.sun.identity.agents.config.user.mapping.mode) <br>Hot-swap: Yes",
"propertyOrder" : 600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 1600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 1900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 1500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"configurationReloadInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in seconds between configuration reloads. (property name: com.sun.identity.agents.config.load.interval) <br>Hot-swap: Yes",
"propertyOrder" : 1200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 12105,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 12100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
},
"loginAttemptLimit" : {
"title" : "Login Attempt Limit",
"description" : "Limit of failed login attempts for a user's single browser session until triggering the blocking of the user request. Value of 0 disables this feature. (property name: com.sun.identity.agents.config.login.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 4400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 6500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"repositoryLocation" : {
"title" : "Location of Agent Configuration Repository",
"description" : "Indicates agent's configuration located either on agent's host or centrally on AM server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"redirectAttemptLimit" : {
"title" : "Redirect Attempt Limit",
"description" : "Number of successive single point redirects that a user can make using a single browser session which will trigger the blocking of the user request. Set to 0 to disable this feature. (property name: com.sun.identity.agents.config.redirect.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 7100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"customResponseHeader" : {
"title" : "Custom Response Header",
"description" : "Map specifies the custom headers that are set by the Agent on the client browser. The key is the header name and the value represents the header value. (property name: com.sun.identity.agents.config.response.header) <br>Hot-swap: Yes <br> Example: <br> To set the custom header Cache-Control to value no-cache: enter Cache-Control in Map Key field, and enter no-cache in Corresponding Map Value field.",
"propertyOrder" : 7000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 1800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 11201,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"httpSessionBinding" : {
"title" : "HTTP Session Binding",
"description" : "If true will invalidate the http session when login has failed, user has no SSO session, or principal user name does not match SSO user name. (property name: com.sun.identity.agents.config.httpsession.binding) <br>Hot-swap: Yes",
"propertyOrder" : 3500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"userAttributeName" : {
"title" : "User Attribute Name",
"description" : "Name of the attribute which contains the user-ID. (property name: com.sun.identity.agents.config.user.attribute.name) <br>Hot-swap: Yes",
"propertyOrder" : 700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userPrincipalFlag" : {
"title" : "User Principal Flag",
"description" : "Use principal instead of just the user-ID for authenticating the user. (property name: com.sun.identity.agents.config.user.principal) <br>Hot-swap: Yes",
"propertyOrder" : 800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
}
}
}
/realm-config/agents/OAuth2Client
1.0
Agents handler that is responsible for managing agents
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agents of a specific type
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"signEncOAuth2ClientConfig" : {
"type" : "object",
"title" : "Signing and Encryption",
"propertyOrder" : 3,
"properties" : {
"userinfoSignedResponseAlg" : {
"title" : "User info signed response algorithm",
"description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be JWT <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
"propertyOrder" : 27200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"requestParameterSignedAlg" : {
"title" : "Request parameter signing algorithm",
"description" : "JWS algorithm for signing the request parameter.",
"propertyOrder" : 27500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userinfoEncryptedResponseEncryptionAlgorithm" : {
"title" : "User info encrypted response encryption algorithm",
"description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the jwks content already cached, the JWKS content will be cache for a minimum period of time. This cache miss cache time defines the minimum of time the JWKS URI content is cache.",
"propertyOrder" : 24120,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientJwtPublicKey" : {
"title" : "Client JWT Bearer Public Key",
"description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
"propertyOrder" : 25400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idTokenEncryptionAlgorithm" : {
"title" : "ID Token Encryption Algorithm",
"description" : "Algorithm the ID Token for this client must be encrypted with.",
"propertyOrder" : 24700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userinfoEncryptedResponseAlg" : {
"title" : "User info encrypted response algorithm",
"description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
"propertyOrder" : 27300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the client's public keys.",
"propertyOrder" : 24200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
"propertyOrder" : 25700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestParameterEncryptedEncryptionAlgorithm" : {
"title" : "Request parameter encryption method",
"description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userinfoResponseFormat" : {
"title" : "User info response format.",
"description" : "The user info endpoint offers different output format. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
"propertyOrder" : 27100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 24110,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"idTokenSignedResponseAlg" : {
"title" : "ID Token Signing Algorithm",
"description" : "Algorithm the ID Token for this client must be signed with.",
"propertyOrder" : 24500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"idTokenEncryptionMethod" : {
"title" : "ID Token Encryption Method",
"description" : "Encryption method the ID Token for this client must be encrypted with.",
"propertyOrder" : 24800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The uri that contains the client's public keys in Json Web Key format.",
"propertyOrder" : 24100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestParameterEncryptedAlg" : {
"title" : "Request parameter encryption algorithm",
"description" : "JWE algorithm for encrypting the request parameter.",
"propertyOrder" : 27600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idTokenEncryptionEnabled" : {
"title" : "Enable ID Token Encryption",
"description" : "Select to enable ID token encryption.",
"propertyOrder" : 24600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"idTokenPublicEncryptionKey" : {
"title" : "Client ID Token Public Encryption Key",
"description" : "A Base64 encoded public key for encrypting ID Tokens.",
"propertyOrder" : 24900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"tokenEndpointAuthSigningAlgorithm" : {
"title" : "Token Endpoint Authentication Signing Algorithm",
"description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpointfor the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm.",
"propertyOrder" : 24130,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
},
"advancedOAuth2ClientConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"requestUris" : {
"title" : "Request uris",
"description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters. Otherwise the value will be ignored.",
"propertyOrder" : 23700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"tokenEndpointAuthMethod" : {
"title" : "Token Endpoint Authentication Method",
"description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
"propertyOrder" : 24000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"descriptions" : {
"title" : "Display description",
"description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
"propertyOrder" : 23600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"contacts" : {
"title" : "Contacts",
"description" : "Email addresses of users who can administrate this client.",
"propertyOrder" : 23900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"name" : {
"title" : "Display name",
"description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
"propertyOrder" : 23500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"subjectType" : {
"title" : "Subject Type",
"description" : "The subject type added to responses for this client.",
"propertyOrder" : 24400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"isConsentImplied" : {
"title" : "Implied consent",
"description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
"propertyOrder" : 26200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"sectorIdentifierUri" : {
"title" : "Sector Identifier URI",
"description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
"propertyOrder" : 24300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"updateAccessToken" : {
"title" : "Access Token",
"description" : "The access token used to update the client.",
"propertyOrder" : 25100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"responseTypes" : {
"title" : "Response Types",
"description" : "Response types this client will support and use.",
"propertyOrder" : 23800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
}
}
},
"coreOAuth2ClientConfig" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"authorizationCodeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, Authorization Code Lifetime of the OAuth2 Provider is used instead of.",
"propertyOrder" : 25800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the client to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the client.",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"redirectionUris" : {
"title" : "Redirection URIs",
"description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URI's are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"clientName" : {
"title" : "Client Name",
"description" : "This value is a readable name for this client.",
"propertyOrder" : 25300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
"propertyOrder" : 25900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientType" : {
"title" : "Client type",
"description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
"propertyOrder" : 23100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userpassword" : {
"title" : "Client secret",
"description" : "Client secret. Used when the client authenticates to AM.",
"propertyOrder" : 23000,
"required" : true,
"type" : "string",
"format" : "password"
},
"scopes" : {
"title" : "Scope(s)",
"description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, Access Token Lifetime of the OAuth2 Provider is used instead of.",
"propertyOrder" : 26000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"defaultScopes" : {
"title" : "Default Scope(s)",
"description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"coreOpenIDClientConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 2,
"properties" : {
"defaultAcrValues" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 25650,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, JWT Token Lifetime of the OAuth2 Provider is used instead of.",
"propertyOrder" : 26100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"defaultMaxAge" : {
"title" : "Default Max Age",
"description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
"propertyOrder" : 25500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientSessionUri" : {
"title" : "Client Session URI",
"description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message",
"propertyOrder" : 25200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postLogoutRedirectUri" : {
"title" : "Post Logout Redirect URIs",
"description" : "URIs that can be redirected to after the client logout process.",
"propertyOrder" : 25000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"defaultMaxAgeEnabled" : {
"title" : "Default Max Age Enabled",
"description" : "Whether or not the default max age is enforced.",
"propertyOrder" : 25600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"claims" : {
"title" : "Claim(s)",
"description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
"propertyOrder" : 23400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"coreUmaClientConfig" : {
"type" : "object",
"title" : "UMA",
"propertyOrder" : 4,
"properties" : {
"claimsRedirectionUris" : {
"title" : "Claims Redirection URIs",
"description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
}
}
}
/realm-config/agents/OAuth2Client/{id}
1.0
Agents handler that is responsible for managing agents
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"signEncOAuth2ClientConfig" : {
"type" : "object",
"title" : "Signing and Encryption",
"propertyOrder" : 3,
"properties" : {
"userinfoSignedResponseAlg" : {
"title" : "User info signed response algorithm",
"description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be JWT <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
"propertyOrder" : 27200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"requestParameterSignedAlg" : {
"title" : "Request parameter signing algorithm",
"description" : "JWS algorithm for signing the request parameter.",
"propertyOrder" : 27500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userinfoEncryptedResponseEncryptionAlgorithm" : {
"title" : "User info encrypted response encryption algorithm",
"description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the jwks content already cached, the JWKS content will be cache for a minimum period of time. This cache miss cache time defines the minimum of time the JWKS URI content is cache.",
"propertyOrder" : 24120,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientJwtPublicKey" : {
"title" : "Client JWT Bearer Public Key",
"description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
"propertyOrder" : 25400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idTokenEncryptionAlgorithm" : {
"title" : "ID Token Encryption Algorithm",
"description" : "Algorithm the ID Token for this client must be encrypted with.",
"propertyOrder" : 24700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userinfoEncryptedResponseAlg" : {
"title" : "User info encrypted response algorithm",
"description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
"propertyOrder" : 27300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the client's public keys.",
"propertyOrder" : 24200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
"propertyOrder" : 25700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestParameterEncryptedEncryptionAlgorithm" : {
"title" : "Request parameter encryption method",
"description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userinfoResponseFormat" : {
"title" : "User info response format.",
"description" : "The user info endpoint offers different output format. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
"propertyOrder" : 27100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 24110,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"idTokenSignedResponseAlg" : {
"title" : "ID Token Signing Algorithm",
"description" : "Algorithm the ID Token for this client must be signed with.",
"propertyOrder" : 24500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"idTokenEncryptionMethod" : {
"title" : "ID Token Encryption Method",
"description" : "Encryption method the ID Token for this client must be encrypted with.",
"propertyOrder" : 24800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The uri that contains the client's public keys in Json Web Key format.",
"propertyOrder" : 24100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestParameterEncryptedAlg" : {
"title" : "Request parameter encryption algorithm",
"description" : "JWE algorithm for encrypting the request parameter.",
"propertyOrder" : 27600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idTokenEncryptionEnabled" : {
"title" : "Enable ID Token Encryption",
"description" : "Select to enable ID token encryption.",
"propertyOrder" : 24600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"idTokenPublicEncryptionKey" : {
"title" : "Client ID Token Public Encryption Key",
"description" : "A Base64 encoded public key for encrypting ID Tokens.",
"propertyOrder" : 24900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"tokenEndpointAuthSigningAlgorithm" : {
"title" : "Token Endpoint Authentication Signing Algorithm",
"description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpointfor the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm.",
"propertyOrder" : 24130,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
},
"advancedOAuth2ClientConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"requestUris" : {
"title" : "Request uris",
"description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters. Otherwise the value will be ignored.",
"propertyOrder" : 23700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"tokenEndpointAuthMethod" : {
"title" : "Token Endpoint Authentication Method",
"description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
"propertyOrder" : 24000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"descriptions" : {
"title" : "Display description",
"description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
"propertyOrder" : 23600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"contacts" : {
"title" : "Contacts",
"description" : "Email addresses of users who can administrate this client.",
"propertyOrder" : 23900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"name" : {
"title" : "Display name",
"description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
"propertyOrder" : 23500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"subjectType" : {
"title" : "Subject Type",
"description" : "The subject type added to responses for this client.",
"propertyOrder" : 24400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"isConsentImplied" : {
"title" : "Implied consent",
"description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
"propertyOrder" : 26200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"sectorIdentifierUri" : {
"title" : "Sector Identifier URI",
"description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
"propertyOrder" : 24300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"updateAccessToken" : {
"title" : "Access Token",
"description" : "The access token used to update the client.",
"propertyOrder" : 25100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"responseTypes" : {
"title" : "Response Types",
"description" : "Response types this client will support and use.",
"propertyOrder" : 23800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
}
}
},
"coreOAuth2ClientConfig" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"authorizationCodeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, Authorization Code Lifetime of the OAuth2 Provider is used instead of.",
"propertyOrder" : 25800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the client to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the client.",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"redirectionUris" : {
"title" : "Redirection URIs",
"description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URI's are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"clientName" : {
"title" : "Client Name",
"description" : "This value is a readable name for this client.",
"propertyOrder" : 25300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
"propertyOrder" : 25900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientType" : {
"title" : "Client type",
"description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
"propertyOrder" : 23100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userpassword" : {
"title" : "Client secret",
"description" : "Client secret. Used when the client authenticates to AM.",
"propertyOrder" : 23000,
"required" : true,
"type" : "string",
"format" : "password"
},
"scopes" : {
"title" : "Scope(s)",
"description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, Access Token Lifetime of the OAuth2 Provider is used instead of.",
"propertyOrder" : 26000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"defaultScopes" : {
"title" : "Default Scope(s)",
"description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"coreOpenIDClientConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 2,
"properties" : {
"defaultAcrValues" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 25650,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, JWT Token Lifetime of the OAuth2 Provider is used instead of.",
"propertyOrder" : 26100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"defaultMaxAge" : {
"title" : "Default Max Age",
"description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
"propertyOrder" : 25500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientSessionUri" : {
"title" : "Client Session URI",
"description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message",
"propertyOrder" : 25200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postLogoutRedirectUri" : {
"title" : "Post Logout Redirect URIs",
"description" : "URIs that can be redirected to after the client logout process.",
"propertyOrder" : 25000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"defaultMaxAgeEnabled" : {
"title" : "Default Max Age Enabled",
"description" : "Whether or not the default max age is enforced.",
"propertyOrder" : 25600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"claims" : {
"title" : "Claim(s)",
"description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
"propertyOrder" : 23400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"coreUmaClientConfig" : {
"type" : "object",
"title" : "UMA",
"propertyOrder" : 4,
"properties" : {
"claimsRedirectionUris" : {
"title" : "Claims Redirection URIs",
"description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"signEncOAuth2ClientConfig" : {
"type" : "object",
"title" : "Signing and Encryption",
"propertyOrder" : 3,
"properties" : {
"userinfoSignedResponseAlg" : {
"title" : "User info signed response algorithm",
"description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be JWT <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
"propertyOrder" : 27200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"requestParameterSignedAlg" : {
"title" : "Request parameter signing algorithm",
"description" : "JWS algorithm for signing the request parameter.",
"propertyOrder" : 27500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userinfoEncryptedResponseEncryptionAlgorithm" : {
"title" : "User info encrypted response encryption algorithm",
"description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the jwks content already cached, the JWKS content will be cache for a minimum period of time. This cache miss cache time defines the minimum of time the JWKS URI content is cache.",
"propertyOrder" : 24120,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientJwtPublicKey" : {
"title" : "Client JWT Bearer Public Key",
"description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
"propertyOrder" : 25400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idTokenEncryptionAlgorithm" : {
"title" : "ID Token Encryption Algorithm",
"description" : "Algorithm the ID Token for this client must be encrypted with.",
"propertyOrder" : 24700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userinfoEncryptedResponseAlg" : {
"title" : "User info encrypted response algorithm",
"description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
"propertyOrder" : 27300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the client's public keys.",
"propertyOrder" : 24200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
"propertyOrder" : 25700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestParameterEncryptedEncryptionAlgorithm" : {
"title" : "Request parameter encryption method",
"description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userinfoResponseFormat" : {
"title" : "User info response format.",
"description" : "The user info endpoint offers different output format. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
"propertyOrder" : 27100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 24110,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"idTokenSignedResponseAlg" : {
"title" : "ID Token Signing Algorithm",
"description" : "Algorithm the ID Token for this client must be signed with.",
"propertyOrder" : 24500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"idTokenEncryptionMethod" : {
"title" : "ID Token Encryption Method",
"description" : "Encryption method the ID Token for this client must be encrypted with.",
"propertyOrder" : 24800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The uri that contains the client's public keys in Json Web Key format.",
"propertyOrder" : 24100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestParameterEncryptedAlg" : {
"title" : "Request parameter encryption algorithm",
"description" : "JWE algorithm for encrypting the request parameter.",
"propertyOrder" : 27600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idTokenEncryptionEnabled" : {
"title" : "Enable ID Token Encryption",
"description" : "Select to enable ID token encryption.",
"propertyOrder" : 24600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"idTokenPublicEncryptionKey" : {
"title" : "Client ID Token Public Encryption Key",
"description" : "A Base64 encoded public key for encrypting ID Tokens.",
"propertyOrder" : 24900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"tokenEndpointAuthSigningAlgorithm" : {
"title" : "Token Endpoint Authentication Signing Algorithm",
"description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpointfor the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm.",
"propertyOrder" : 24130,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
},
"advancedOAuth2ClientConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"requestUris" : {
"title" : "Request uris",
"description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters. Otherwise the value will be ignored.",
"propertyOrder" : 23700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"tokenEndpointAuthMethod" : {
"title" : "Token Endpoint Authentication Method",
"description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
"propertyOrder" : 24000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"descriptions" : {
"title" : "Display description",
"description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
"propertyOrder" : 23600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"contacts" : {
"title" : "Contacts",
"description" : "Email addresses of users who can administrate this client.",
"propertyOrder" : 23900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"name" : {
"title" : "Display name",
"description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
"propertyOrder" : 23500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"subjectType" : {
"title" : "Subject Type",
"description" : "The subject type added to responses for this client.",
"propertyOrder" : 24400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"isConsentImplied" : {
"title" : "Implied consent",
"description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
"propertyOrder" : 26200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"sectorIdentifierUri" : {
"title" : "Sector Identifier URI",
"description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
"propertyOrder" : 24300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"updateAccessToken" : {
"title" : "Access Token",
"description" : "The access token used to update the client.",
"propertyOrder" : 25100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"responseTypes" : {
"title" : "Response Types",
"description" : "Response types this client will support and use.",
"propertyOrder" : 23800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
}
}
},
"coreOAuth2ClientConfig" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"authorizationCodeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, Authorization Code Lifetime of the OAuth2 Provider is used instead of.",
"propertyOrder" : 25800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the client to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the client.",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"redirectionUris" : {
"title" : "Redirection URIs",
"description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URI's are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"clientName" : {
"title" : "Client Name",
"description" : "This value is a readable name for this client.",
"propertyOrder" : 25300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
"propertyOrder" : 25900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientType" : {
"title" : "Client type",
"description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
"propertyOrder" : 23100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userpassword" : {
"title" : "Client secret",
"description" : "Client secret. Used when the client authenticates to AM.",
"propertyOrder" : 23000,
"required" : true,
"type" : "string",
"format" : "password"
},
"scopes" : {
"title" : "Scope(s)",
"description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, Access Token Lifetime of the OAuth2 Provider is used instead of.",
"propertyOrder" : 26000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"defaultScopes" : {
"title" : "Default Scope(s)",
"description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"coreOpenIDClientConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 2,
"properties" : {
"defaultAcrValues" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 25650,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, JWT Token Lifetime of the OAuth2 Provider is used instead of.",
"propertyOrder" : 26100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"defaultMaxAge" : {
"title" : "Default Max Age",
"description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
"propertyOrder" : 25500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientSessionUri" : {
"title" : "Client Session URI",
"description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message",
"propertyOrder" : 25200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postLogoutRedirectUri" : {
"title" : "Post Logout Redirect URIs",
"description" : "URIs that can be redirected to after the client logout process.",
"propertyOrder" : 25000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"defaultMaxAgeEnabled" : {
"title" : "Default Max Age Enabled",
"description" : "Whether or not the default max age is enforced.",
"propertyOrder" : 25600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"claims" : {
"title" : "Claim(s)",
"description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
"propertyOrder" : 23400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"coreUmaClientConfig" : {
"type" : "object",
"title" : "UMA",
"propertyOrder" : 4,
"properties" : {
"claimsRedirectionUris" : {
"title" : "Claims Redirection URIs",
"description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"signEncOAuth2ClientConfig" : {
"type" : "object",
"title" : "Signing and Encryption",
"propertyOrder" : 3,
"properties" : {
"userinfoSignedResponseAlg" : {
"title" : "User info signed response algorithm",
"description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be JWT <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
"propertyOrder" : 27200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"requestParameterSignedAlg" : {
"title" : "Request parameter signing algorithm",
"description" : "JWS algorithm for signing the request parameter.",
"propertyOrder" : 27500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userinfoEncryptedResponseEncryptionAlgorithm" : {
"title" : "User info encrypted response encryption algorithm",
"description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the jwks content already cached, the JWKS content will be cache for a minimum period of time. This cache miss cache time defines the minimum of time the JWKS URI content is cache.",
"propertyOrder" : 24120,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientJwtPublicKey" : {
"title" : "Client JWT Bearer Public Key",
"description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
"propertyOrder" : 25400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idTokenEncryptionAlgorithm" : {
"title" : "ID Token Encryption Algorithm",
"description" : "Algorithm the ID Token for this client must be encrypted with.",
"propertyOrder" : 24700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userinfoEncryptedResponseAlg" : {
"title" : "User info encrypted response algorithm",
"description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
"propertyOrder" : 27300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the client's public keys.",
"propertyOrder" : 24200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
"propertyOrder" : 25700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestParameterEncryptedEncryptionAlgorithm" : {
"title" : "Request parameter encryption method",
"description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userinfoResponseFormat" : {
"title" : "User info response format.",
"description" : "The user info endpoint offers different output format. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
"propertyOrder" : 27100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 24110,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"idTokenSignedResponseAlg" : {
"title" : "ID Token Signing Algorithm",
"description" : "Algorithm the ID Token for this client must be signed with.",
"propertyOrder" : 24500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"idTokenEncryptionMethod" : {
"title" : "ID Token Encryption Method",
"description" : "Encryption method the ID Token for this client must be encrypted with.",
"propertyOrder" : 24800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The uri that contains the client's public keys in Json Web Key format.",
"propertyOrder" : 24100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestParameterEncryptedAlg" : {
"title" : "Request parameter encryption algorithm",
"description" : "JWE algorithm for encrypting the request parameter.",
"propertyOrder" : 27600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idTokenEncryptionEnabled" : {
"title" : "Enable ID Token Encryption",
"description" : "Select to enable ID token encryption.",
"propertyOrder" : 24600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"idTokenPublicEncryptionKey" : {
"title" : "Client ID Token Public Encryption Key",
"description" : "A Base64 encoded public key for encrypting ID Tokens.",
"propertyOrder" : 24900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"tokenEndpointAuthSigningAlgorithm" : {
"title" : "Token Endpoint Authentication Signing Algorithm",
"description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpointfor the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm.",
"propertyOrder" : 24130,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
},
"advancedOAuth2ClientConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"requestUris" : {
"title" : "Request uris",
"description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters. Otherwise the value will be ignored.",
"propertyOrder" : 23700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"tokenEndpointAuthMethod" : {
"title" : "Token Endpoint Authentication Method",
"description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
"propertyOrder" : 24000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"descriptions" : {
"title" : "Display description",
"description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
"propertyOrder" : 23600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"contacts" : {
"title" : "Contacts",
"description" : "Email addresses of users who can administrate this client.",
"propertyOrder" : 23900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"name" : {
"title" : "Display name",
"description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
"propertyOrder" : 23500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"subjectType" : {
"title" : "Subject Type",
"description" : "The subject type added to responses for this client.",
"propertyOrder" : 24400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"isConsentImplied" : {
"title" : "Implied consent",
"description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
"propertyOrder" : 26200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"sectorIdentifierUri" : {
"title" : "Sector Identifier URI",
"description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
"propertyOrder" : 24300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"updateAccessToken" : {
"title" : "Access Token",
"description" : "The access token used to update the client.",
"propertyOrder" : 25100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"responseTypes" : {
"title" : "Response Types",
"description" : "Response types this client will support and use.",
"propertyOrder" : 23800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
}
}
},
"coreOAuth2ClientConfig" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"authorizationCodeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, the Authorization Code Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 25800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the client to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the client.",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"redirectionUris" : {
"title" : "Redirection URIs",
"description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"clientName" : {
"title" : "Client Name",
"description" : "This value is a readable name for this client.",
"propertyOrder" : 25300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
"propertyOrder" : 25900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientType" : {
"title" : "Client type",
"description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
"propertyOrder" : 23100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userpassword" : {
"title" : "Client secret",
"description" : "Client secret. Used when the client authenticates to AM.",
"propertyOrder" : 23000,
"required" : true,
"type" : "string",
"format" : "password"
},
"scopes" : {
"title" : "Scope(s)",
"description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users having undefined locales, e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to any user, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, the Access Token Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 26000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"defaultScopes" : {
"title" : "Default Scope(s)",
"description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users having undefined locales, e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to any user, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"coreOpenIDClientConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 2,
"properties" : {
"defaultAcrValues" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 25650,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, the JWT Token Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 26100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"defaultMaxAge" : {
"title" : "Default Max Age",
"description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
"propertyOrder" : 25500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientSessionUri" : {
"title" : "Client Session URI",
"description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message.",
"propertyOrder" : 25200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postLogoutRedirectUri" : {
"title" : "Post Logout Redirect URIs",
"description" : "URIs that can be redirected to after the client logout process.",
"propertyOrder" : 25000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"defaultMaxAgeEnabled" : {
"title" : "Default Max Age Enabled",
"description" : "Whether or not the default max age is enforced.",
"propertyOrder" : 25600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"claims" : {
"title" : "Claim(s)",
"description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users having undefined locales, e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to any user, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
"propertyOrder" : 23400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"coreUmaClientConfig" : {
"type" : "object",
"title" : "UMA",
"propertyOrder" : 4,
"properties" : {
"claimsRedirectionUris" : {
"title" : "Claims Redirection URIs",
"description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"signEncOAuth2ClientConfig" : {
"type" : "object",
"title" : "Signing and Encryption",
"propertyOrder" : 3,
"properties" : {
"userinfoSignedResponseAlg" : {
"title" : "User info signed response algorithm",
"description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
"propertyOrder" : 27200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"requestParameterSignedAlg" : {
"title" : "Request parameter signing algorithm",
"description" : "JWS algorithm for signing the request parameter.",
"propertyOrder" : 27500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userinfoEncryptedResponseEncryptionAlgorithm" : {
"title" : "User info encrypted response encryption algorithm",
"description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the JWKS content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum time the JWKS URI content is cached.",
"propertyOrder" : 24120,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientJwtPublicKey" : {
"title" : "Client JWT Bearer Public Key",
"description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
"propertyOrder" : 25400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idTokenEncryptionAlgorithm" : {
"title" : "ID Token Encryption Algorithm",
"description" : "Algorithm the ID Token for this client must be encrypted with.",
"propertyOrder" : 24700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userinfoEncryptedResponseAlg" : {
"title" : "User info encrypted response algorithm",
"description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
"propertyOrder" : 27300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the client's public keys.",
"propertyOrder" : 24200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
"propertyOrder" : 25700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestParameterEncryptedEncryptionAlgorithm" : {
"title" : "Request parameter encryption method",
"description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userinfoResponseFormat" : {
"title" : "User info response format.",
"description" : "The user info endpoint offers different output formats. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
"propertyOrder" : 27100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 24110,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"idTokenSignedResponseAlg" : {
"title" : "ID Token Signing Algorithm",
"description" : "Algorithm the ID Token for this client must be signed with.",
"propertyOrder" : 24500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"idTokenEncryptionMethod" : {
"title" : "ID Token Encryption Method",
"description" : "Encryption method the ID Token for this client must be encrypted with.",
"propertyOrder" : 24800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The uri that contains the client's public keys in Json Web Key format.",
"propertyOrder" : 24100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestParameterEncryptedAlg" : {
"title" : "Request parameter encryption algorithm",
"description" : "JWE algorithm for encrypting the request parameter.",
"propertyOrder" : 27600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idTokenEncryptionEnabled" : {
"title" : "Enable ID Token Encryption",
"description" : "Select to enable ID token encryption.",
"propertyOrder" : 24600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"idTokenPublicEncryptionKey" : {
"title" : "Client ID Token Public Encryption Key",
"description" : "A Base64 encoded public key for encrypting ID Tokens.",
"propertyOrder" : 24900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"tokenEndpointAuthSigningAlgorithm" : {
"title" : "Token Endpoint Authentication Signing Algorithm",
"description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected if the JWT is not signed with this algorithm.",
"propertyOrder" : 24130,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
},
"advancedOAuth2ClientConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"requestUris" : {
"title" : "Request uris",
"description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters. Otherwise the value will be ignored.",
"propertyOrder" : 23700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"tokenEndpointAuthMethod" : {
"title" : "Token Endpoint Authentication Method",
"description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
"propertyOrder" : 24000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"descriptions" : {
"title" : "Display description",
"description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
"propertyOrder" : 23600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"contacts" : {
"title" : "Contacts",
"description" : "Email addresses of users who can administrate this client.",
"propertyOrder" : 23900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"name" : {
"title" : "Display name",
"description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
"propertyOrder" : 23500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"subjectType" : {
"title" : "Subject Type",
"description" : "The subject type added to responses for this client.",
"propertyOrder" : 24400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"isConsentImplied" : {
"title" : "Implied consent",
"description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
"propertyOrder" : 26200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"sectorIdentifierUri" : {
"title" : "Sector Identifier URI",
"description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
"propertyOrder" : 24300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"updateAccessToken" : {
"title" : "Access Token",
"description" : "The access token used to update the client.",
"propertyOrder" : 25100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"responseTypes" : {
"title" : "Response Types",
"description" : "Response types this client will support and use.",
"propertyOrder" : 23800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
}
}
},
"coreOAuth2ClientConfig" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"authorizationCodeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, the Authorization Code Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 25800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the client to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the client.",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"redirectionUris" : {
"title" : "Redirection URIs",
"description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"clientName" : {
"title" : "Client Name",
"description" : "This value is a readable name for this client.",
"propertyOrder" : 25300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
"propertyOrder" : 25900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientType" : {
"title" : "Client type",
"description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
"propertyOrder" : 23100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"userpassword" : {
"title" : "Client secret",
"description" : "Client secret. Used when the client authenticates to AM.",
"propertyOrder" : 23000,
"required" : true,
"type" : "string",
"format" : "password"
},
"scopes" : {
"title" : "Scope(s)",
"description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users having undefined locales, e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to any user, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, the Access Token Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 26000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"defaultScopes" : {
"title" : "Default Scope(s)",
"description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"coreOpenIDClientConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 2,
"properties" : {
"defaultAcrValues" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 25650,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, JWT Token Lifetime of the OAuth2 Provider is used instead of.",
"propertyOrder" : 26100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"defaultMaxAge" : {
"title" : "Default Max Age",
"description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
"propertyOrder" : 25500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"clientSessionUri" : {
"title" : "Client Session URI",
"description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message",
"propertyOrder" : 25200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"postLogoutRedirectUri" : {
"title" : "Post Logout Redirect URIs",
"description" : "URIs that can be redirected to after the client logout process.",
"propertyOrder" : 25000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"defaultMaxAgeEnabled" : {
"title" : "Default Max Age Enabled",
"description" : "Whether or not the default max age is enforced.",
"propertyOrder" : 25600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"claims" : {
"title" : "Claim(s)",
"description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
"propertyOrder" : 23400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"coreUmaClientConfig" : {
"type" : "object",
"title" : "UMA",
"propertyOrder" : 4,
"properties" : {
"claimsRedirectionUris" : {
"title" : "Claims Redirection URIs",
"description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
}
}
}
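Worked example (added here; not code from the page or from AM) of parsing the pipe-separated scope and claim descriptors documented for `scopes`, `defaultScopes` and `claims` above. The page specifies the three pipe forms and the locale syntax; the locale regular expression, and treating a plain `read` entry as having no description, are assumptions, since the page does not say how AM displays a bare scope name. The `silently_granted` check lists scopes a client may request but for which a user of a given locale would see no description, which is the configuration a consent-screen review should catch.

```python
"""Parser for AM's pipe-separated scope/claim descriptors (added example).

Forms the page describes:
    name|locale|description   e.g. "read|en|Permission to view email messages in your account"
    name|description          shown to users whose locale is undefined
    name|                     usable by the client, but nothing is displayed to the user
    name                      plain scope string (treated here as having no description)
Locale strings are language + "_" + country + "_" + variant, e.g. en, en_GB, en_US_WIN.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed locale syntax, derived from the page's examples (en, en_GB, en_US_WIN)
_LOCALE_RE = re.compile(r"^[a-z]{2,3}(_[A-Z]{2}(_[A-Za-z0-9]+)?)?$")


@dataclass(frozen=True)
class ScopeEntry:
    name: str
    locale: Optional[str]        # None: applies to users with an undefined locale
    description: Optional[str]   # None: nothing is displayed for this scope


def parse_entry(raw: str) -> ScopeEntry:
    """Parse one descriptor string; raises ValueError on malformed input."""
    parts = raw.split("|")
    name = parts[0].strip()
    if not name:
        raise ValueError(f"descriptor has no scope/claim name: {raw!r}")
    if len(parts) == 1:                                  # "read"
        return ScopeEntry(name, None, None)
    if len(parts) == 2:                                  # "read|desc" or "read|"
        return ScopeEntry(name, None, parts[1].strip() or None)
    if len(parts) == 3:                                  # "read|en|desc" or "read|en|"
        locale = parts[1].strip()
        if not _LOCALE_RE.match(locale):
            raise ValueError(f"bad locale {locale!r} in {raw!r}")
        return ScopeEntry(name, locale, parts[2].strip() or None)
    raise ValueError(f"too many '|' separators in {raw!r}")


def parse_entries(raw_entries: List[str]) -> List[ScopeEntry]:
    return [parse_entry(r) for r in raw_entries]


def allowed_names(entries: List[ScopeEntry]) -> Set[str]:
    """Scope/claim names the client may request, regardless of how they display."""
    return {e.name for e in entries}


def descriptions_for(entries: List[ScopeEntry], user_locale: Optional[str]) -> Dict[str, str]:
    """Map name -> description for one user locale (None = undefined locale).
    Only exact locale matches are used: a fallback from en_GB to en is not
    described on the page, so none is implemented here."""
    return {e.name: e.description
            for e in entries if e.locale == user_locale and e.description}


def silently_granted(entries: List[ScopeEntry], user_locale: Optional[str]) -> List[str]:
    """Names the client may request that show no description to a user with this
    locale (the "read|" case): the user consents to something the page never explains."""
    shown = descriptions_for(entries, user_locale)
    return sorted(allowed_names(entries) - set(shown))
```

Run `silently_granted` over each locale your users actually have; an entry such as `write|` is valid configuration but will pass the consent screen without any visible explanation of what is being granted.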
/realm-config/agents/RemoteConsentAgent
1.0
Agents handler that is responsible for managing agents
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agents of a specific type
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"remoteConsentResponseEncryptionMethod" : {
"title" : "Consent response encryption method",
"description" : "The encryption method to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.<br><br>AM supports the following token encryption algorithms: <ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 34600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentRequestSigningAlgorithm" : {
"title" : "Consent request Signing Algorithm",
"description" : "Signing algorithm to be used when signing the consent request JWT.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestTimeLimit" : {
"title" : "Consent Request Time Limit",
"description" : "The amount of seconds for which the consent request JWT sent to the Remote Consent Service should be considered valid.",
"propertyOrder" : 35200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"remoteConsentRedirectUrl" : {
"title" : "Redirect URL",
"description" : "The Remote Consent Service's URL to which the authorization server should redirect the user in order to obtain their consent.",
"propertyOrder" : 34000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
},
"remoteConsentResponseEncryptionAlgorithm" : {
"title" : "Consent response encryption algorithm",
"description" : "The encryption algorithm to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI containing the public keys of the Remote Consent Service secret. The public keys are in the Json Web Key (jwk) format.",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentRequestEncryptionMethod" : {
"title" : "Consent request Encryption Method",
"description" : "Encryption method to be used when encrypting the consent request JWT.",
"propertyOrder" : 34300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentResponseSigningAlg" : {
"title" : "Consent response signing algorithm",
"description" : "The signing algorithm to be used by the provider when verifying the signature of the consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"remoteConsentRequestEncryptionEnabled" : {
"title" : "Enable consent request Encryption",
"description" : "Enables encryption of the consent request JWT.",
"propertyOrder" : 34100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Remote Consent Service's public keys.",
"propertyOrder" : 35100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Remote Consent Service secret",
"description" : "Used when the Remote Consent Service authenticates to AM.",
"propertyOrder" : 33000,
"required" : true,
"type" : "string",
"format" : "password"
},
"remoteConsentRequestEncryptionAlgorithm" : {
"title" : "Consent request Encryption Algorithm",
"description" : "Encryption algorithm to be used when encrypting the consent request JWT.",
"propertyOrder" : 34200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
}
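The `jwksCacheTimeout` and `jwkStoreCacheMissCacheTime` descriptions above define two different clocks: a maximum age after which cached JWKS content is refreshed, and a minimum age below which an unknown `kid` will not trigger a refetch. The following is an added example, not AM's own implementation, that models both timers so their combined effect is visible; the fetcher, the clock and the key IDs `k1`/`k2` are constructed inputs.

```python
"""JWKS cache reproducing the two RemoteConsentAgent timers (added example, not AM code):
  jwksCacheTimeout            max age (ms) of cached JWKS content before a refresh
  jwkStoreCacheMissCacheTime  min age (ms) before an unknown kid may trigger a refetch
"""
from typing import Any, Callable, Dict, Optional

Jwks = Dict[str, Any]


class JwksCache:
    def __init__(self, fetch: Callable[[], Jwks], now_ms: Callable[[], int],
                 cache_timeout_ms: int, miss_cache_time_ms: int) -> None:
        self._fetch = fetch              # loads the JWKS document from jwksUri
        self._now = now_ms               # injected clock so the behaviour is testable
        self._timeout = cache_timeout_ms
        self._miss_window = miss_cache_time_ms
        self._keys: Dict[str, Dict[str, Any]] = {}
        self._fetched_at: Optional[int] = None
        self.fetch_count = 0             # how many times jwksUri was actually hit

    def _refresh(self) -> None:
        doc = self._fetch()
        self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}
        self._fetched_at = self._now()
        self.fetch_count += 1

    def _age_ms(self) -> int:
        return 0 if self._fetched_at is None else self._now() - self._fetched_at

    def get_key(self, kid: str) -> Optional[Dict[str, Any]]:
        """Return the JWK for kid, or None if it is unknown and a refetch is not yet allowed."""
        if self._fetched_at is None or self._age_ms() >= self._timeout:
            self._refresh()                      # cold start or stale cache: always refresh
        key = self._keys.get(kid)
        if key is None and self._age_ms() >= self._miss_window:
            # An unknown kid may mean the RCS rotated its key, so refetch, but only
            # once the cache is older than the miss window. A forged consent response
            # carrying a random kid therefore cannot force a JWKS fetch per request.
            self._refresh()
            key = self._keys.get(kid)
        return key


def rotation_scenario() -> Dict[str, Any]:
    """Constructed walk-through: the RCS publishes k2 after AM's first fetch."""
    state: Dict[str, Any] = {"now": 0, "jwks": {"keys": [{"kid": "k1", "kty": "RSA"}]}}
    cache = JwksCache(lambda: state["jwks"], lambda: state["now"],
                      cache_timeout_ms=60_000, miss_cache_time_ms=5_000)
    cache.get_key("k1")                          # cold start: fetch 1
    state["jwks"] = {"keys": [{"kid": "k1", "kty": "RSA"}, {"kid": "k2", "kty": "RSA"}]}
    state["now"] = 1_000
    early = cache.get_key("k2")                  # unknown kid inside miss window: no fetch
    state["now"] = 6_000
    late = cache.get_key("k2")                   # miss window elapsed: fetch 2, key found
    state["now"] = 66_500
    cache.get_key("k1")                          # past jwksCacheTimeout: fetch 3
    return {"early_found": early is not None, "late_found": late is not None,
            "fetches": cache.fetch_count}
```

Two consequences worth keeping in mind when choosing the values: a key rotated at the RCS is not usable until the miss window has elapsed, so set `jwkStoreCacheMissCacheTime` no larger than the rotation overlap the RCS guarantees; and setting it to zero removes the throttle, so every consent response with an unrecognised `kid` costs a fetch of the JWKS URI.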
/realm-config/agents/RemoteConsentAgent/{id}
1.0
Agents handler that is responsible for managing agents
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"remoteConsentResponseEncryptionMethod" : {
"title" : "Consent response encryption method",
"description" : "The encryption method to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.<br><br>AM supports the following token encryption algorithms: <ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 34600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentRequestSigningAlgorithm" : {
"title" : "Consent request Signing Algorithm",
"description" : "Signing algorithm to be used when signing the consent request JWT.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestTimeLimit" : {
"title" : "Consent Request Time Limit",
"description" : "The amount of seconds for which the consent request JWT sent to the Remote Consent Service should be considered valid.",
"propertyOrder" : 35200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"remoteConsentRedirectUrl" : {
"title" : "Redirect URL",
"description" : "The Remote Consent Service's URL to which the authorization server should redirect the user in order to obtain their consent.",
"propertyOrder" : 34000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
},
"remoteConsentResponseEncryptionAlgorithm" : {
"title" : "Consent response encryption algorithm",
"description" : "The encryption algorithm to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI containing the public keys of the Remote Consent Service secret. The public keys are in the Json Web Key (jwk) format.",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentRequestEncryptionMethod" : {
"title" : "Consent request Encryption Method",
"description" : "Encryption method to be used when encrypting the consent request JWT.",
"propertyOrder" : 34300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentResponseSigningAlg" : {
"title" : "Consent response signing algorithm",
"description" : "The signing algorithm to be used by the provider when verifying the signature of the consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"remoteConsentRequestEncryptionEnabled" : {
"title" : "Enable consent request Encryption",
"description" : "Enables encryption of the consent request JWT.",
"propertyOrder" : 34100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Remote Consent Service's public keys.",
"propertyOrder" : 35100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Remote Consent Service secret",
"description" : "Used when the Remote Consent Service authenticates to AM.",
"propertyOrder" : 33000,
"required" : true,
"type" : "string",
"format" : "password"
},
"remoteConsentRequestEncryptionAlgorithm" : {
"title" : "Consent request Encryption Algorithm",
"description" : "Encryption algorithm to be used when encrypting the consent request JWT.",
"propertyOrder" : 34200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
}
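Added example, not part of this page or of AM, that assembles a Create body in the `inherited`/`value` shape the schema above uses and pre-flights it before it is sent. The schema excerpt is copied from the Create schema; everything else is an assumption to confirm against the target AM version: the JWA algorithm identifiers `RS256` and `RSA-OAEP-256`, the `publicKeyLocation` selector value `jwks_uri`, the https requirement, the 600-second ceiling on `requestTimeLimit` and the 16-character minimum for the secret.

```python
"""Build and pre-flight a RemoteConsentAgent create body (added example, not AM code)."""
from typing import Any, Dict, List


def _wrapped(value_type: str, required: bool) -> Dict[str, Any]:
    """Shape of the page's inheritable properties: {inherited: bool, value: <type>}."""
    return {"type": "object", "properties": {
        "inherited": {"type": "boolean", "required": True},
        "value": {"type": value_type, "required": required}}}


# Property names, value types and required flags copied from the Create schema above
RCS_SCHEMA: Dict[str, Any] = {"type": "object", "properties": {
    "remoteConsentRedirectUrl": _wrapped("string", False),
    "remoteConsentRequestEncryptionEnabled": _wrapped("boolean", True),
    "remoteConsentRequestEncryptionAlgorithm": _wrapped("string", True),
    "remoteConsentRequestEncryptionMethod": _wrapped("string", True),
    "remoteConsentRequestSigningAlgorithm": _wrapped("string", True),
    "remoteConsentResponseSigningAlg": _wrapped("string", False),
    "remoteConsentResponseEncryptionAlgorithm": _wrapped("string", False),
    "remoteConsentResponseEncryptionMethod": _wrapped("string", True),
    "publicKeyLocation": _wrapped("string", True),
    "jwksUri": _wrapped("string", True),
    "jwkSet": _wrapped("string", False),
    "jwksCacheTimeout": _wrapped("integer", True),
    "jwkStoreCacheMissCacheTime": _wrapped("integer", True),
    "requestTimeLimit": _wrapped("integer", False),
    "userpassword": {"type": "string", "required": True},
    "agentgroup": {"type": "string", "required": False},
}}

# Content encryption methods the page lists for the consent response JWT
SUPPORTED_ENC_METHODS = {"A128GCM", "A192GCM", "A256GCM",
                         "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"}
_PY_TYPES = {"string": str, "integer": int, "boolean": bool, "array": list}


def _type_ok(value: Any, json_type: str) -> bool:
    if json_type == "integer" and isinstance(value, bool):   # bool is an int subclass
        return False
    return isinstance(value, _PY_TYPES[json_type])


def validate(body: Dict[str, Any], schema: Dict[str, Any] = RCS_SCHEMA) -> List[str]:
    """Structural check of a body against the page's schema; returns the problems found."""
    errors: List[str] = []
    props = schema["properties"]
    for name, spec in props.items():
        wrapped = "value" in spec.get("properties", {})
        vspec = spec["properties"]["value"] if wrapped else spec
        if name not in body:
            if vspec.get("required"):
                errors.append(f"{name}: missing required property")
            continue
        field = body[name]
        if wrapped:
            if not isinstance(field, dict) or not isinstance(field.get("inherited"), bool):
                errors.append(f"{name}: expected {{'inherited': bool, 'value': ...}}")
            elif "value" not in field:
                errors.append(f"{name}: missing value")
            elif not _type_ok(field["value"], vspec["type"]):
                errors.append(f"{name}.value: expected {vspec['type']}")
        elif not _type_ok(field, vspec["type"]):
            errors.append(f"{name}: expected {vspec['type']}")
    errors += [f"{n}: not in schema" for n in body if n not in props and not n.startswith("_")]
    return errors


def security_checks(body: Dict[str, Any]) -> List[str]:
    """Review checks before creating the agent. The encryption-method checks follow the
    page; the remaining thresholds are assumed good practice, not AM requirements."""
    def v(name: str) -> Any:
        f = body.get(name)
        return f.get("value") if isinstance(f, dict) else f
    findings: List[str] = []
    if v("remoteConsentResponseEncryptionMethod") not in SUPPORTED_ENC_METHODS:
        findings.append("remoteConsentResponseEncryptionMethod: not a method the page lists")
    if v("remoteConsentRequestEncryptionEnabled") and \
            v("remoteConsentRequestEncryptionMethod") not in SUPPORTED_ENC_METHODS:
        findings.append("remoteConsentRequestEncryptionMethod: not a method the page lists")
    for alg_name in ("remoteConsentRequestSigningAlgorithm", "remoteConsentResponseSigningAlg"):
        alg = v(alg_name)
        if alg is None or str(alg).lower() == "none":            # assumption: never unsigned
            findings.append(f"{alg_name}: not set or 'none'; consent JWTs must be signed")
    for url_name in ("remoteConsentRedirectUrl", "jwksUri"):      # assumption: https only
        if v(url_name) and not str(v(url_name)).startswith("https://"):
            findings.append(f"{url_name}: must be https")
    if not v("jwksUri") and not v("jwkSet"):
        findings.append("no public key source: set jwksUri or jwkSet")
    limit = v("requestTimeLimit")
    if limit is not None and not 0 < limit <= 600:               # assumed ceiling
        findings.append("requestTimeLimit: expected 1..600 seconds")
    if (v("jwkStoreCacheMissCacheTime") or 0) > (v("jwksCacheTimeout") or 0):
        findings.append("jwkStoreCacheMissCacheTime exceeds jwksCacheTimeout")
    if len(body.get("userpassword") or "") < 16:                 # assumed minimum
        findings.append("userpassword: shorter than 16 characters")
    return findings


def wrap(value: Any, inherited: bool = False) -> Dict[str, Any]:
    return {"inherited": inherited, "value": value}


def build_rcs_agent(redirect_url: str, jwks_uri: str, secret: str,
                    request_time_limit_s: int = 180) -> Dict[str, Any]:
    """Create body; algorithm names are standard JWA identifiers chosen as an assumption."""
    return {
        "remoteConsentRedirectUrl": wrap(redirect_url),
        "remoteConsentRequestSigningAlgorithm": wrap("RS256"),
        "remoteConsentRequestEncryptionEnabled": wrap(True),
        "remoteConsentRequestEncryptionAlgorithm": wrap("RSA-OAEP-256"),
        "remoteConsentRequestEncryptionMethod": wrap("A256GCM"),
        "remoteConsentResponseSigningAlg": wrap("RS256"),
        "remoteConsentResponseEncryptionAlgorithm": wrap("RSA-OAEP-256"),
        "remoteConsentResponseEncryptionMethod": wrap("A256GCM"),
        "publicKeyLocation": wrap("jwks_uri"),        # assumed selector value meaning "use jwksUri"
        "jwksUri": wrap(jwks_uri),
        "jwksCacheTimeout": wrap(3_600_000),           # 1 h, in ms as the page states
        "jwkStoreCacheMissCacheTime": wrap(60_000),    # 1 min
        "requestTimeLimit": wrap(request_time_limit_s),
        "userpassword": secret,
    }
```

The resulting body is what is sent to `/realm-config/agents/RemoteConsentAgent/{id}` with the ID chosen by the client; under AM's general REST conventions (not stated on this page) that is a PUT with `If-None-Match: *` and `Accept-API-Version: resource=1.0`. Run `validate` and `security_checks` first and refuse to send if either returns anything.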
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"remoteConsentResponseEncryptionMethod" : {
"title" : "Consent response encryption method",
"description" : "The encryption method to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.<br><br>AM supports the following token encryption algorithms: <ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 34600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentRequestSigningAlgorithm" : {
"title" : "Consent request Signing Algorithm",
"description" : "Signing algorithm to be used when signing the consent request JWT.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestTimeLimit" : {
"title" : "Consent Request Time Limit",
"description" : "The amount of seconds for which the consent request JWT sent to the Remote Consent Service should be considered valid.",
"propertyOrder" : 35200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"remoteConsentRedirectUrl" : {
"title" : "Redirect URL",
"description" : "The Remote Consent Service's URL to which the authorization server should redirect the user in order to obtain their consent.",
"propertyOrder" : 34000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
},
"remoteConsentResponseEncryptionAlgorithm" : {
"title" : "Consent response encryption algorithm",
"description" : "The encryption algorithm to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI containing the public keys of the Remote Consent Service secret. The public keys are in the Json Web Key (jwk) format.",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentRequestEncryptionMethod" : {
"title" : "Consent request Encryption Method",
"description" : "Encryption method to be used when encrypting the consent request JWT.",
"propertyOrder" : 34300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentResponseSigningAlg" : {
"title" : "Consent response signing algorithm",
"description" : "The signing algorithm to be used by the provider when verifying the signature of the consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"remoteConsentRequestEncryptionEnabled" : {
"title" : "Enable consent request Encryption",
"description" : "Enables encryption of the consent request JWT.",
"propertyOrder" : 34100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Remote Consent Service's public keys.",
"propertyOrder" : 35100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Remote Consent Service secret",
"description" : "Used when the Remote Consent Service authenticates to AM.",
"propertyOrder" : 33000,
"required" : true,
"type" : "string",
"format" : "password"
},
"remoteConsentRequestEncryptionAlgorithm" : {
"title" : "Consent request Encryption Algorithm",
"description" : "Encryption algorithm to be used when encrypting the consent request JWT.",
"propertyOrder" : 34200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"remoteConsentResponseEncryptionMethod" : {
"title" : "Consent response encryption method",
"description" : "The encryption method to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.<br><br>AM supports the following token encryption algorithms: <ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 34600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentRequestSigningAlgorithm" : {
"title" : "Consent request Signing Algorithm",
"description" : "Signing algorithm to be used when signing the consent request JWT.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestTimeLimit" : {
"title" : "Consent Request Time Limit",
"description" : "The amount of seconds for which the consent request JWT sent to the Remote Consent Service should be considered valid.",
"propertyOrder" : 35200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"remoteConsentRedirectUrl" : {
"title" : "Redirect URL",
"description" : "The Remote Consent Service's URL to which the authorization server should redirect the user in order to obtain their consent.",
"propertyOrder" : 34000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
},
"remoteConsentResponseEncryptionAlgorithm" : {
"title" : "Consent response encryption algorithm",
"description" : "The encryption algorithm to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI containing the public keys of the Remote Consent Service secret. The public keys are in the Json Web Key (jwk) format.",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentRequestEncryptionMethod" : {
"title" : "Consent request Encryption Method",
"description" : "Encryption method to be used when encrypting the consent request JWT.",
"propertyOrder" : 34300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentResponseSigningAlg" : {
"title" : "Consent response signing algorithm",
"description" : "The signing algorithm to be used by the provider when verifying the signature of the consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"remoteConsentRequestEncryptionEnabled" : {
"title" : "Enable consent request Encryption",
"description" : "Enables encryption of the consent request JWT.",
"propertyOrder" : 34100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Remote Consent Service's public keys.",
"propertyOrder" : 35100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Remote Consent Service secret",
"description" : "Used when the Remote Consent Service authenticates to AM.",
"propertyOrder" : 33000,
"required" : true,
"type" : "string",
"format" : "password"
},
"remoteConsentRequestEncryptionAlgorithm" : {
"title" : "Consent request Encryption Algorithm",
"description" : "Encryption algorithm to be used when encrypting the consent request JWT.",
"propertyOrder" : 34200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"remoteConsentResponseEncryptionMethod" : {
"title" : "Consent response encryption method",
"description" : "The encryption method to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.<br><br>AM supports the following token encryption algorithms: <ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 34600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentRequestSigningAlgorithm" : {
"title" : "Consent request Signing Algorithm",
"description" : "Signing algorithm to be used when signing the consent request JWT.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"requestTimeLimit" : {
"title" : "Consent Request Time Limit",
"description" : "The amount of seconds for which the consent request JWT sent to the Remote Consent Service should be considered valid.",
"propertyOrder" : 35200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"remoteConsentRedirectUrl" : {
"title" : "Redirect URL",
"description" : "The Remote Consent Service's URL to which the authorization server should redirect the user in order to obtain their consent.",
"propertyOrder" : 34000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
},
"remoteConsentResponseEncryptionAlgorithm" : {
"title" : "Consent response encryption algorithm",
"description" : "The encryption algorithm to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI containing the public keys of the Remote Consent Service secret. The public keys are in the Json Web Key (jwk) format.",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentRequestEncryptionMethod" : {
"title" : "Consent request Encryption Method",
"description" : "Encryption method to be used when encrypting the consent request JWT.",
"propertyOrder" : 34300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"remoteConsentResponseSigningAlg" : {
"title" : "Consent response signing algorithm",
"description" : "The signing algorithm to be used by the provider when verifying the signature of the consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"remoteConsentRequestEncryptionEnabled" : {
"title" : "Enable consent request Encryption",
"description" : "Enables encryption of the consent request JWT.",
"propertyOrder" : 34100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : true
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Remote Consent Service's public keys.",
"propertyOrder" : 35100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Remote Consent Service secret",
"description" : "Used when the Remote Consent Service authenticates to AM.",
"propertyOrder" : 33000,
"required" : true,
"type" : "string",
"format" : "password"
},
"remoteConsentRequestEncryptionAlgorithm" : {
"title" : "Consent request Encryption Algorithm",
"description" : "Encryption algorithm to be used when encrypting the consent request JWT.",
"propertyOrder" : 34200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
}
}
}
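The two cache properties above, jwksCacheTimeout and jwkStoreCacheMissCacheTime, are easiest to understand as a pair of rules on one cache: a hard expiry after which any lookup refetches, and a throttle on how often a lookup for an unknown kid may refetch. The Software Publisher agent further down this page carries the same two properties. The model below is an added example, not AM's code; it assumes the cache is keyed by kid, that a refresh is simply a re-fetch of the JWKS URI, and it injects a fake clock and fetcher so that the constructed key-rotation scenario runs offline.

```python
"""Model of jwksCacheTimeout and jwkStoreCacheMissCacheTime (added example, not AM code).

Assumptions: keys are indexed by kid, a refresh re-fetches the whole JWKS document,
and both knobs are in milliseconds like jwksCacheTimeout. The clock and the fetcher
are injected so the scenario in simulate() is deterministic and offline.
"""
import json
import time
from typing import Callable, Dict, Optional


class JwksCache:
    """Caches a JWK set fetched from a JWKS URI.

    cache_timeout_ms:   maximum age of the cached set; past it the next lookup refetches.
    cache_miss_time_ms: minimum age before a lookup for an unknown kid may refetch.
                        Without it, an attacker who controls the kid header of a token
                        turns every signature check into an outbound fetch of the JWKS URI.
    """

    def __init__(self, fetch: Callable[[], str], cache_timeout_ms: int,
                 cache_miss_time_ms: int, now_ms: Optional[Callable[[], int]] = None):
        self._fetch = fetch
        self._timeout_ms = cache_timeout_ms
        self._miss_time_ms = cache_miss_time_ms
        self._now_ms = now_ms or (lambda: int(time.time() * 1000))
        self._keys: Dict[str, dict] = {}
        self._fetched_at: Optional[int] = None
        self.fetch_count = 0  # exposed so callers (and the test) can see refetches

    def _refresh(self) -> None:
        # A failing fetch raises; the caller decides whether stale keys are acceptable.
        jwks = json.loads(self._fetch())
        self._keys = {jwk["kid"]: jwk for jwk in jwks.get("keys", []) if jwk.get("kid")}
        self._fetched_at = self._now_ms()
        self.fetch_count += 1

    def _age_ms(self) -> Optional[int]:
        return None if self._fetched_at is None else self._now_ms() - self._fetched_at

    def get_key(self, kid: str) -> Optional[dict]:
        age = self._age_ms()
        if age is None or age >= self._timeout_ms:
            self._refresh()                      # hard expiry (jwksCacheTimeout)
        key = self._keys.get(kid)
        if key is None and self._age_ms() >= self._miss_time_ms:
            self._refresh()                      # miss, and the throttle has elapsed
            key = self._keys.get(kid)            # (jwkStoreCacheMissCacheTime)
        return key


def simulate() -> dict:
    """Constructed scenario: the remote service rotates key k2 in after the first fetch."""
    clock = {"t": 0}
    published = {"keys": [{"kid": "k1", "kty": "oct"}]}        # what the JWKS URI serves
    cache = JwksCache(lambda: json.dumps(published), cache_timeout_ms=60_000,
                      cache_miss_time_ms=5_000, now_ms=lambda: clock["t"])
    out = {}
    out["k1_first"] = cache.get_key("k1") is not None           # fetch #1
    published["keys"].append({"kid": "k2", "kty": "oct"})        # rotation upstream
    clock["t"] = 1_000
    out["k2_within_miss_window"] = cache.get_key("k2") is not None   # throttled: no refetch
    out["fetches_after_throttled_miss"] = cache.fetch_count     # 1
    clock["t"] = 6_000
    out["k2_after_miss_window"] = cache.get_key("k2") is not None    # refetch, now found
    out["fetches_after_miss_refresh"] = cache.fetch_count       # 2
    clock["t"] = 70_000
    cache.get_key("k1")                                         # past timeout: refresh
    out["fetches_after_timeout"] = cache.fetch_count            # 3
    for i in range(100):                                        # bogus kid hammered for 100 ms
        clock["t"] = 70_000 + i
        cache.get_key("bogus")
    out["fetches_after_bogus_burst"] = cache.fetch_count        # still 3
    return out
```

The burst at the end is the case the cache-miss time exists for: a hundred lookups for a kid that was never published cost no additional fetch, because the set is younger than jwkStoreCacheMissCacheTime. Setting that value to 0 would let any caller force a fetch per request; setting jwksCacheTimeout very high would delay picking up a legitimate key rotation.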
/realm-config/agents/SharedAgent
1.0
Agents handler that is responsible for managing agents
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agents of a specific type
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"agentProfilesAllowedToRead" : {
"title" : "Agent Profiles allowed to Read.",
"propertyOrder" : 22600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
}
}
}
/realm-config/agents/SharedAgent/{id}
1.0
Agents handler that is responsible for managing agents
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"agentProfilesAllowedToRead" : {
"title" : "Agent Profiles allowed to Read.",
"propertyOrder" : 22600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
}
}
}
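The schema above mixes two property shapes: userpassword is a bare string, while status, agentProfilesAllowedToRead and cdssoRootUrl are wrapped as an object with inherited and value. The page also states the exact form a CDSSO root URL must take, trailing slash included. The helper below is an added example, not AM's client code: it builds a create body in that shape, rejects unknown or mistyped properties, checks each cdssoRootUrl entry against the stated format, and prepares the PUT. Its assumptions, not on this page, are the status values "Active"/"Inactive", the /json/realms/... URL prefix, the iPlanetDirectoryPro session header name, and If-None-Match: * as the create-only convention; a deployment may have changed any of them. Insisting on https is this example's hardening choice, not a page requirement.

```python
"""Build and validate a SharedAgent create body (added example, not AM code).

Property shapes are transcribed from the schema on this page. Assumed (not on the
page): status values "Active"/"Inactive", the /json/realms/... URL prefix, the
iPlanetDirectoryPro header name and If-None-Match: * for create-only PUT.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Any, Dict, List, Optional

# property -> (wrapped in {"inherited", "value"}?, expected Python type of the value)
SHARED_AGENT_PROPERTIES = {
    "userpassword": (False, str),
    "status": (True, str),
    "agentProfilesAllowedToRead": (True, list),
    "cdssoRootUrl": (True, list),
}

# protocol://hostname:port/  (the page says the trailing slash is required)
CDSSO_ROOT_URL = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})/$")


def validate_cdsso_root_urls(urls: List[str], require_https: bool = True) -> None:
    """Reject roots that do not match the documented form; optionally insist on https."""
    for url in urls:
        match = CDSSO_ROOT_URL.match(url)
        if not match:
            raise ValueError(f"cdssoRootUrl {url!r} is not of the form protocol://hostname:port/")
        if not 1 <= int(match.group("port")) <= 65535:
            raise ValueError(f"cdssoRootUrl {url!r} has an invalid port")
        if require_https and match.group("scheme") != "https":
            raise ValueError(f"cdssoRootUrl {url!r} must use https")


def build_shared_agent_body(settings: Dict[str, Any],
                            inherited: Optional[Dict[str, bool]] = None) -> Dict[str, Any]:
    """Wrap flat settings into the schema shape; every listed property is required."""
    inherited = inherited or {}
    unknown = set(settings) - set(SHARED_AGENT_PROPERTIES)
    if unknown:
        raise ValueError(f"unknown properties: {sorted(unknown)}")
    missing = set(SHARED_AGENT_PROPERTIES) - set(settings)
    if missing:
        raise ValueError(f"missing required properties: {sorted(missing)}")
    body: Dict[str, Any] = {}
    for name, (wrapped, expected_type) in SHARED_AGENT_PROPERTIES.items():
        value = settings[name]
        if not isinstance(value, expected_type):
            raise TypeError(f"{name} must be {expected_type.__name__}, got {type(value).__name__}")
        if name == "cdssoRootUrl":
            validate_cdsso_root_urls(value)
        if name == "status" and value not in ("Active", "Inactive"):   # assumed AM values
            raise ValueError(f"status must be Active or Inactive, got {value!r}")
        body[name] = {"inherited": inherited.get(name, False), "value": value} if wrapped else value
    return body


def shared_agent_put_request(base_url: str, realm_path: str, agent_id: str,
                             body: Dict[str, Any], sso_token: str) -> urllib.request.Request:
    """Prepare the create PUT; send it with urllib.request.urlopen(request)."""
    url = (base_url.rstrip("/") + "/json" + realm_path.rstrip("/")
           + "/realm-config/agents/SharedAgent/" + urllib.parse.quote(agent_id, safe=""))
    headers = {
        "Content-Type": "application/json",
        "Accept-API-Version": "resource=1.0",   # the version this page documents
        "If-None-Match": "*",                   # assumed create-only convention
        "iPlanetDirectoryPro": sso_token,       # assumed default session header name
    }
    return urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="PUT")
```

A realm_path of "/realms/root" targets the top-level realm; a sub-realm would be "/realms/root/realms/<name>". The same body builder serves the Update operation below, where If-None-Match would be dropped in favour of the usual revision handling.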
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"agentProfilesAllowedToRead" : {
"title" : "Agent Profiles allowed to Read.",
"propertyOrder" : 22600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"agentProfilesAllowedToRead" : {
"title" : "Agent Profiles allowed to Read.",
"propertyOrder" : 22600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"agentProfilesAllowedToRead" : {
"title" : "Agent Profiles allowed to Read.",
"propertyOrder" : 22600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : true
}
}
}
}
}
/realm-config/agents/SoapSTSAgent
1.0
Agents handler that is responsible for managing agents
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agents of a specific type
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"publishServicePollInterval" : {
"title" : "Poll Interval",
"description" : "Interval, in seconds, to poll the sts publish service for newly-published SOAP STS instances.",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
}
}
}
/realm-config/agents/SoapSTSAgent/{id}
1.0
Agents handler that is responsible for managing agents
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"publishServicePollInterval" : {
"title" : "Poll Interval",
"description" : "Interval, in seconds, to poll the sts publish service for newly-published SOAP STS instances.",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"publishServicePollInterval" : {
"title" : "Poll Interval",
"description" : "Interval, in seconds, to poll the sts publish service for newly-published SOAP STS instances.",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"publishServicePollInterval" : {
"title" : "Poll Interval",
"description" : "Interval, in seconds, to poll the sts publish service for newly-published SOAP STS instances.",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userpassword" : {
"title" : "Password",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"format" : "password"
},
"publishServicePollInterval" : {
"title" : "Poll Interval",
"description" : "Interval, in seconds, to poll the sts publish service for newly-published SOAP STS instances.",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : true
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
}
}
}
/realm-config/agents/SoftwarePublisher
1.0
Agents handler that is responsible for managing agents
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agents of a specific type
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI that contains the Software Publisher's public keys in Json Web Key format.",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"softwareStatementSigningAlgorithm" : {
"title" : "Software statement signing Algorithm",
"description" : "Signing algorithm to be used when verifying software statement signatures.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select how the Software Publisher's public keys should be retrieved by the provider when validating software statement signatures.",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Software Publisher's public keys.",
"propertyOrder" : 35100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Software publisher secret",
"description" : "Software publisher secret. Used when software statement signatures are HMAC based.",
"propertyOrder" : 33000,
"required" : true,
"type" : "string",
"format" : "password"
},
"issuer" : {
"title" : "Software publisher issuer",
"description" : "Identifier for the software publisher, generally represented as a URL.",
"propertyOrder" : 33001,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
}
}
}
/realm-config/agents/SoftwarePublisher/{id}
1.0
Agents handler that is responsible for managing agents
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI that contains the Software Publisher's public keys in Json Web Key format.",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"softwareStatementSigningAlgorithm" : {
"title" : "Software statement signing Algorithm",
"description" : "Signing algorithm to be used when verifying software statement signatures.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select how the Software Publisher's public keys should be retrieved by the provider when validating software statement signatures.",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Software Publisher's public keys.",
"propertyOrder" : 35100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Software publisher secret",
"description" : "Software publisher secret. Used when software statement signatures are HMAC based.",
"propertyOrder" : 33000,
"required" : true,
"type" : "string",
"format" : "password"
},
"issuer" : {
"title" : "Software publisher issuer",
"description" : "Identifier for the software publisher, generally represented as a URL.",
"propertyOrder" : 33001,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI that contains the Software Publisher's public keys in Json Web Key format.",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"softwareStatementSigningAlgorithm" : {
"title" : "Software statement signing Algorithm",
"description" : "Signing algorithm to be used when verifying software statement signatures.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select how the Software Publisher's public keys should be retrieved by the provider when validating software statement signatures.",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Software Publisher's public keys.",
"propertyOrder" : 35100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Software publisher secret",
"description" : "Software publisher secret. Used when software statement signatures are HMAC based.",
"propertyOrder" : 33000,
"required" : true,
"type" : "string",
"format" : "password"
},
"issuer" : {
"title" : "Software publisher issuer",
"description" : "Identifier for the software publisher, generally represented as a URL.",
"propertyOrder" : 33001,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI that contains the Software Publisher's public keys in Json Web Key format.",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"softwareStatementSigningAlgorithm" : {
"title" : "Software statement signing Algorithm",
"description" : "Signing algorithm to be used when verifying software statement signatures.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select how the Software Publisher's public keys should be retrieved by the provider when validating software statement signatures.",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Software Publisher's public keys.",
"propertyOrder" : 35100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Software publisher secret",
"description" : "Software publisher secret. Used when software statement signatures are HMAC based.",
"propertyOrder" : 33000,
"required" : true,
"type" : "string",
"format" : "password"
},
"issuer" : {
"title" : "Software publisher issuer",
"description" : "Identifier for the software publisher, generally represented as a URL.",
"propertyOrder" : 33001,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI that contains the Software Publisher's public keys in Json Web Key format.",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"softwareStatementSigningAlgorithm" : {
"title" : "Software statement signing Algorithm",
"description" : "Signing algorithm to be used when verifying software statement signatures.",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select how the Software Publisher's public keys should be retrieved by the provider when validating software statement signatures.",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Software Publisher's public keys.",
"propertyOrder" : 35100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Software publisher secret",
"description" : "Software publisher secret. Used when software statement signatures are HMAC based.",
"propertyOrder" : 33000,
"required" : true,
"type" : "string",
"format" : "password"
},
"issuer" : {
"title" : "Software publisher issuer",
"description" : "Identifier for the software publisher, generally represented as a URL.",
"propertyOrder" : 33001,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 50,
"required" : false,
"type" : "string"
}
}
}
/realm-config/agents/WebAgent
1.0
Agents handler that is responsible for managing agents
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agents of a specific type
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedWebAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"loadBalanced" : {
"title" : "Load Balancer Setup",
"description" : "Set to true if a load balancer is used for AM services. (property name: com.sun.identity.agents.config.load.balancer.enable) <br>Hot-swap: No",
"propertyOrder" : 33000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 35100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"overrideRequestProtocol" : {
"title" : "Override Request URL Protocol",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the protocol with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 33100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"changeProtocolToHttps" : {
"title" : "Change URL Protocol to https",
"description" : "If true, avoids IE6 security pop-ups. (property name: com.sun.identity.agents.config.iis.owa.enable.change.protocol)",
"propertyOrder" : 34200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"useLtpaToken" : {
"title" : "Use LTPA token",
"description" : "Set to true if agent needs to use LTPA Token. (property name: com.sun.identity.agents.config.domino.ltpa.enable)",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 32800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenOrganizationName" : {
"title" : "LTPA Token Organization Name",
"description" : "The organization name to which the LTPA token belongs. (property name: com.sun.identity.agents.config.domino.ltpa.org.name)",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 32900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenConfigurationname" : {
"title" : "LTPA Token Configuration Name",
"description" : "The configuration name that the agent uses in order to employ the LTPA token mechanism. (property name: com.sun.identity.agents.config.domino.ltpa.config.name)",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idleSessionTimeoutUrl" : {
"title" : "Idle Session Timeout Page URL",
"description" : "URL of the local idle session timeout page. (property name: com.sun.identity.agents.config.iis.owa.enable.session.timeout.url)",
"propertyOrder" : 34300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"replayPasswordKey" : {
"title" : "Replay Password Key",
"description" : "DES key for decrypting the basic authentication password in the session. (property name: com.sun.identity.agents.config.replaypasswd.key)",
"propertyOrder" : 33900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"overrideRequestHost" : {
"title" : "Override Request URL Host",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the host with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.host) <br>Hot-swap: Yes",
"propertyOrder" : 33200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataPreservation" : {
"title" : "POST Data Preservation",
"description" : "Enables POST data preservation. (property name: com.sun.identity.agents.config.postdata.preserve.enable) <br> Note that this feature is not supported in all the web agents. Please refer individual agents documentation for more details. <br>Hot-swap: Yes",
"propertyOrder" : 33500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataCachePeriod" : {
"title" : "POST Data Entries Cache Period",
"description" : "POST cache entry lifetime in minutes. (property name: com.sun.identity.agents.config.postcache.entry.lifetime) <br>Hot-swap: Yes",
"propertyOrder" : 33600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"overrideNotificationUrl" : {
"title" : "Override Notification URL",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the URL with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.notification.url) <br>Hot-swap: Yes",
"propertyOrder" : 33400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"filterPriority" : {
"title" : "Filter Priority",
"description" : "The loading priority of filter. (property name: com.sun.identity.agents.config.iis.filter.priority)",
"propertyOrder" : 34000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenCookieName" : {
"title" : "LTPA Token Cookie Name",
"description" : "The name of the cookie that contains the LTPA token. (property name: com.sun.identity.agents.config.domino.ltpa.cookie.name)",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"checkUserInDomino" : {
"title" : "Check User in Domino Database",
"description" : "If true, agent checks user existence in Domino name database. (property name: com.sun.identity.agents.config.domino.check.name.database)",
"propertyOrder" : 34600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"filterConfiguredWithOwa" : {
"title" : "Filter configured with OWA",
"description" : "Set to true if the IIS agent filter is configured for OWA. (property name: com.sun.identity.agents.config.iis.owa.enable)",
"propertyOrder" : 34100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"overrideProxyHostAndPort" : {
"title" : "Override Proxy Server's Host and Port",
"description" : "(property name: com.sun.identity.agents.config.proxy.override.host.port) <br>Hot-swap: No",
"propertyOrder" : 33700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"showPasswordInHeader" : {
"title" : "Show Password in HTTP Header",
"description" : "Set to true if encrypted password should be set in HTTP header AUTH_PASSWORD. (property name: com.sun.identity.agents.config.iis.password.header)",
"propertyOrder" : 34400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logonAndImpersonation" : {
"title" : "Logon and Impersonation",
"description" : "Set to true if agent should do Windows Logon and User Impersonation. (property name: com.sun.identity.agents.config.iis.logonuser)",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"overrideRequestPort" : {
"title" : "Override Request URL Port",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the port with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.port) <br>Hot-swap: Yes",
"propertyOrder" : 33300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"authenticationType" : {
"title" : "Authentication Type",
"description" : "(property name: com.sun.identity.agents.config.iis.auth.type)",
"propertyOrder" : 33800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
},
"ssoWebAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 29300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.sun.identity.agents.config.cookie.name)<br>Hot-swap: No",
"propertyOrder" : 29100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"secureCookies" : {
"title" : "Cookie Security",
"description" : "Agent sends secure cookies if communication is secure. (property name: com.sun.identity.agents.config.cookie.secure) <br>Hot-swap: No",
"propertyOrder" : 29200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoCookieDomain" : {
"title" : "Cookies Domain List",
"description" : "List of domains in which cookies have to be set in CDSSO. (property name: com.sun.identity.agents.config.cdsso.cookie.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 29600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross-Domain Single Sign On. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetList" : {
"title" : "Cookies Reset Name List",
"description" : "List of cookies in the format: name[=value][;Domain=value]. (property name: com.sun.identity.agents.config.cookie.reset) <br>Hot-swap: Yes <br> Examples: <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 29800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent reset cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 29500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"miscWebAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"caseInsensitiveUrlComparison" : {
"title" : "URL Comparison Case Sensitivity Check",
"description" : "Enforces case insensitivity in both policy and not enforced url evaluation. (property name: com.sun.identity.agents.config.url.comparison.case.ignore) <br>Hot-swap: Yes",
"propertyOrder" : 32000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 32400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"anonymousUserId" : {
"title" : "Anonymous User Default Value",
"description" : "User id of unauthenticated users. (property name: com.sun.identity.agents.config.anonymous.user.id) <br>Hot-swap: Yes",
"propertyOrder" : 32700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentLocale" : {
"title" : "Agent Locale",
"description" : "The default locale for the product. (property name: com.sun.identity.agents.config.locale) <br>Hot-swap: No",
"propertyOrder" : 31500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignorePreferredNamingUrl" : {
"title" : "Ignore Preferred Naming URL in Naming Request",
"description" : "Agent uses this value to send preferred naming url in the naming request. (property name: com.sun.identity.agents.config.ignore.preferred.naming.url) <br>Hot-swap: Yes",
"propertyOrder" : 32200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"anonymousUserEnabled" : {
"title" : "Anonymous User",
"description" : "Enable/Disable REMOTE_USER processing for anonymous users. (property name: com.sun.identity.agents.config.anonymous.user.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"encodeProfileAttributes" : {
"title" : "Native Encoding of Profile Attributes",
"description" : "Agent encodes the ldap header values in the default encoding of OS locale. If false, UTF-8 gets used. (property name: com.sun.identity.agents.config.convert.mbyte.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"profileAttributesCookieMaxAge" : {
"title" : "Profile Attributes Cookie Maxage",
"description" : "Maxage of attributes cookie headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.maxage) <br>Hot-swap: Yes",
"propertyOrder" : 31900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"encodeSpecialCharsInCookies" : {
"title" : "Encode special chars in Cookies",
"description" : "Encode special chars in cookie by URL encoding. Useful when profile, session and response attributes contain special chars and attributes fetch mode is set to HTTP_COOKIE. (property name: com.sun.identity.agents.config.encode.cookie.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. Default value should be changed only when the login URL has a landing page specified <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcserlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent.port/original.jsp",
"propertyOrder" : 32600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignoreServerCheck" : {
"title" : "Ignore Server Check",
"description" : "Agent uses this value to check AM is up before doing a 302 redirect. (property name: com.sun.identity.agents.config.ignore.server.check) <br>Hot-swap: Yes",
"propertyOrder" : 32300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"profileAttributesCookiePrefix" : {
"title" : "Profile Attributes Cookie Prefix",
"description" : "Sets cookie prefix in the attributes headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.prefix) <br>Hot-swap: Yes",
"propertyOrder" : 31800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"encodeUrlSpecialCharacters" : {
"title" : "Encode URL's Special Characters",
"description" : "Encodes the url which has special characters before doing policy evaluation. (property name: com.sun.identity.agents.config.encode.url.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
}
}
},
"globalWebAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"debugLogRotation" : {
"title" : "Agent Debug File Rotation",
"description" : "Debug file gets rotated based on the size specified. (property name: com.sun.identity.agents.config.debug.file.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 26500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"accessDeniedUrl" : {
"title" : "Resources Access Denied URL",
"description" : "The URL of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.url) <br>Hot-swap: Yes",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit in bytes when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 27200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"configurationPollingInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in minutes to fetch agent configuration from AM. (property name: com.sun.identity.agents.config.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 25900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 26100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"agentUriPrefix" : {
"title" : "Agent Deployment URI Prefix",
"description" : "(property name: com.sun.identity.agents.config.agenturi.prefix)<br>Hot-swap: Yes",
"propertyOrder" : 25800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notificationsEnabled" : {
"title" : "Enable Notifications",
"description" : "The notifications help in maintaining agent's sso, policy and configuration caches. (property name: com.sun.identity.agents.config.notification.enable) <br>Hot-swap: No",
"propertyOrder" : 25600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"remoteLogFilename" : {
"title" : "Remote Log Filename",
"description" : "(Not used in Agent 5 onwards) <br>Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: No",
"propertyOrder" : 26900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"debugRotationSize" : {
"title" : "Agent Debug File Size",
"description" : "Agent debug file size in bytes. (property name: com.sun.identity.agents.config.debug.file.size) <br>Hot-swap: Yes",
"propertyOrder" : 26600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 27400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 26700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 25000,
"required" : true,
"type" : "string",
"format" : "password"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 25100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "(Not used in Agent 5 onwards) <br>URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 25700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"configurationCleanupInterval" : {
"title" : "Configuration Cleanup Interval",
"description" : "Interval in minutes to cleanup old agent configuration entries. (property name: com.sun.identity.agents.config.cleanup.interval) <br>Hot-swap: No",
"propertyOrder" : 26000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 25500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"repositoryLocation" : {
"title" : "Location of Agent Configuration Repository",
"description" : "Indicates agent's configuration located either on agent's host or centrally on AM server.",
"propertyOrder" : 25200,
"required" : true,
"type" : "string"
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 27100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ssoOnlyMode" : {
"title" : "SSO Only Mode",
"description" : "Agent will just enforce authentication (SSO), but no authorization for policies. (property name: com.sun.identity.agents.config.sso.only) <br>Hot-swap: Yes",
"propertyOrder" : 26200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"remoteLogSendInterval" : {
"title" : "Remote Audit Log Interval",
"description" : "Periodic interval in minutes in which audit log messages are sent to remote log file. (property name: com.sun.identity.agents.config.remote.log.interval) <br>Hot-swap: No",
"propertyOrder" : 27000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"agentDebugLevel" : {
"title" : "Agent Debug Level",
"description" : "Agent debug level. (property name: com.sun.identity.agents.config.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 26400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 26800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 25300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 27500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 25400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"amServicesWebAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"policyCachePollingInterval" : {
"title" : "Policy Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's policy cache. (property name: com.sun.identity.agents.config.policy.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"logoutResetCookies" : {
"title" : "Logout Cookies List for Reset",
"description" : "Any cookies to be reset upon logout in the same format as cookie reset list. (property name: com.sun.identity.agents.config.logout.cookie.reset) <br>Hot-swap: Yes <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 30400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"logoutRedirectUrl" : {
"title" : "Logout Redirect URL",
"description" : "User gets redirected to this url after logout. (property name: com.sun.identity.agents.config.logout.redirect.url). This property should be specified along with the above Logout URL List.<br>Hot-swap: Yes",
"propertyOrder" : 30500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userIdParameter" : {
"title" : "User ID Parameter",
"description" : "Agent sets value of User Id to REMOTE_USER server variable. (property name: com.sun.identity.agents.config.userid.param) <br>Hot-swap: Yes",
"propertyOrder" : 30800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 31300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userIdParameterType" : {
"title" : "User ID Parameter Type",
"description" : "User ID can be fetched from either SESSION and LDAP attributes. (property name: com.sun.identity.agents.config.userid.param.type) <br>Hot-swap: Yes",
"propertyOrder" : 30900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentConnectionTimeout" : {
"title" : "Agent Connection Timeout",
"description" : "Timeout period in seconds for an agent connection with AM auth server. (property name: com.sun.identity.agents.config.auth.connection.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 30000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"ssoCachePollingInterval" : {
"title" : "SSO Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's sso cache. (property name: com.sun.identity.agents.config.sso.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fetchPoliciesFromRootResource" : {
"title" : "Fetch Policies from Root Resource",
"description" : "Agent caches policy decision of the resource and all resources from the root of the resource down. (property name: com.sun.identity.agents.config.fetch.from.root.resource) <br>Hot-swap: No",
"propertyOrder" : 31000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"applicationLogoutUrls" : {
"title" : "Logout URL List",
"description" : "List of application logout URLs. User gets logged out from AM session when these urls accessed. (property name: com.sun.identity.agents.config.agent.logout.url). If this property is used, user should specify a value for the below Logout Redirect URL property.<br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/logout.html",
"propertyOrder" : 30300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClockSkew" : {
"title" : "Policy Clock Skew",
"description" : "Time in seconds used adjust time difference between Agent machine and AM. Clock skew in seconds = AgentTime - AMServerTime. (property name: com.sun.identity.agents.config.policy.clock.skew) <br>Hot-swap: No",
"propertyOrder" : 31200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"retrieveClientHostname" : {
"title" : "Retrieve Client Hostname",
"description" : "Gets the client's hostname through DNS reverse lookup for use in policy evaluation. (property name: com.sun.identity.agents.config.get.client.host.name) <br>Hot-swap: Yes",
"propertyOrder" : 31100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 29900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 30200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 31400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"primaryServerPollingPeriod" : {
"title" : "Polling Period for Primary Server",
"description" : "Interval in minutes, agent polls to check the primary server is up and running. (property name: com.sun.identity.agents.config.poll.primary.server) <br>Hot-swap: No",
"propertyOrder" : 30100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"applicationWebAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"ignorePathInfoForNotEnforcedUrls" : {
"title" : "Ignore Path Info for Not Enforced URLs",
"description" : "Indicate whether the path info and query should be stripped from the request URL before being compared with the URLs of the not enforced list when those URLs have a wildcard '*' character. (property name: com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list) <br>Hot-swap: Yes",
"propertyOrder" : 27600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"attributeMultiValueSeparator" : {
"title" : "Attribute Multi Value Separator",
"description" : "Specifies separator for multiple values. Applies to all types of attributes i.e. profile, session and response attributes. (property name: com.sun.identity.agents.config.attribute.multi.value.separator) <br>Hot-swap: Yes",
"propertyOrder" : 28800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request, that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script.It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 29000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"profileAttributeMap" : {
"title" : "Profile Attribute Map",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 28300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedUrls" : {
"title" : "Not Enforced URLs",
"description" : "List of urls for which no authentication required. (property name: com.sun.identity.agents.config.notenforced.url) <br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/*.gif",
"propertyOrder" : 27700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"responseAttributeMap" : {
"title" : "Response Attribute Map",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 28500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 28900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"invertNotEnforcedUrls" : {
"title" : "Invert Not Enforced URLs",
"description" : "Only not enforced list of urls will be enforced. (property name: com.sun.identity.agents.config.notenforced.url.invert) <br>Hot-swap: Yes",
"propertyOrder" : 27800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 28000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"fetchAttributesForNotEnforcedUrls" : {
"title" : "Fetch Attributes for Not Enforced URLs",
"description" : "Agent fetches profile attributes for not enforced urls by doing policy evaluation. (property name: com.sun.identity.agents.config.notenforced.url.attributes.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"clientIpValidation" : {
"title" : "Client IP Validation",
"description" : "This validates if the subsequent browser requests come from the same ip address that the SSO token is initially issued against. (property name: com.sun.identity.agents.config.client.ip.validation.enable) <br>Hot-swap: Yes",
"propertyOrder" : 28100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"sessionAttributeMap" : {
"title" : "Session Attribute Map",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 28700,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
}
}
}
}
}
/realm-config/agents/WebAgent/{id}
1.0
Agents handler that is responsible for managing agents
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedWebAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"loadBalanced" : {
"title" : "Load Balancer Setup",
"description" : "Set to true if a load balancer is used for AM services. (property name: com.sun.identity.agents.config.load.balancer.enable) <br>Hot-swap: No",
"propertyOrder" : 33000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 35100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"overrideRequestProtocol" : {
"title" : "Override Request URL Protocol",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the protocol with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 33100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"changeProtocolToHttps" : {
"title" : "Change URL Protocol to https",
"description" : "If true, avoids IE6 security pop-ups. (property name: com.sun.identity.agents.config.iis.owa.enable.change.protocol)",
"propertyOrder" : 34200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"useLtpaToken" : {
"title" : "Use LTPA token",
"description" : "Set to true if agent needs to use LTPA Token. (property name: com.sun.identity.agents.config.domino.ltpa.enable)",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 32800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenOrganizationName" : {
"title" : "LTPA Token Organization Name",
"description" : "The organization name to which the LTPA token belongs. (property name: com.sun.identity.agents.config.domino.ltpa.org.name)",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 32900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenConfigurationname" : {
"title" : "LTPA Token Configuration Name",
"description" : "The configuration name that the agent uses in order to employ the LTPA token mechanism. (property name: com.sun.identity.agents.config.domino.ltpa.config.name)",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idleSessionTimeoutUrl" : {
"title" : "Idle Session Timeout Page URL",
"description" : "URL of the local idle session timeout page. (property name: com.sun.identity.agents.config.iis.owa.enable.session.timeout.url)",
"propertyOrder" : 34300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"replayPasswordKey" : {
"title" : "Replay Password Key",
"description" : "DES key for decrypting the basic authentication password in the session. (property name: com.sun.identity.agents.config.replaypasswd.key)",
"propertyOrder" : 33900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"overrideRequestHost" : {
"title" : "Override Request URL Host",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the host with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.host) <br>Hot-swap: Yes",
"propertyOrder" : 33200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataPreservation" : {
"title" : "POST Data Preservation",
"description" : "Enables POST data preservation. (property name: com.sun.identity.agents.config.postdata.preserve.enable) <br> Note that this feature is not supported in all web agents. Please refer to the individual agent documentation for more details. <br>Hot-swap: Yes",
"propertyOrder" : 33500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataCachePeriod" : {
"title" : "POST Data Entries Cache Period",
"description" : "POST cache entry lifetime in minutes. (property name: com.sun.identity.agents.config.postcache.entry.lifetime) <br>Hot-swap: Yes",
"propertyOrder" : 33600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"overrideNotificationUrl" : {
"title" : "Override Notification URL",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the URL with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.notification.url) <br>Hot-swap: Yes",
"propertyOrder" : 33400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"filterPriority" : {
"title" : "Filter Priority",
"description" : "The loading priority of filter. (property name: com.sun.identity.agents.config.iis.filter.priority)",
"propertyOrder" : 34000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenCookieName" : {
"title" : "LTPA Token Cookie Name",
"description" : "The name of the cookie that contains the LTPA token. (property name: com.sun.identity.agents.config.domino.ltpa.cookie.name)",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"checkUserInDomino" : {
"title" : "Check User in Domino Database",
"description" : "If true, agent checks user existence in Domino name database. (property name: com.sun.identity.agents.config.domino.check.name.database)",
"propertyOrder" : 34600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"filterConfiguredWithOwa" : {
"title" : "Filter configured with OWA",
"description" : "Set to true if the IIS agent filter is configured for OWA. (property name: com.sun.identity.agents.config.iis.owa.enable)",
"propertyOrder" : 34100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"overrideProxyHostAndPort" : {
"title" : "Override Proxy Server's Host and Port",
"description" : "(property name: com.sun.identity.agents.config.proxy.override.host.port) <br>Hot-swap: No",
"propertyOrder" : 33700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"showPasswordInHeader" : {
"title" : "Show Password in HTTP Header",
"description" : "Set to true if encrypted password should be set in HTTP header AUTH_PASSWORD. (property name: com.sun.identity.agents.config.iis.password.header)",
"propertyOrder" : 34400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logonAndImpersonation" : {
"title" : "Logon and Impersonation",
"description" : "Set to true if agent should do Windows Logon and User Impersonation. (property name: com.sun.identity.agents.config.iis.logonuser)",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"overrideRequestPort" : {
"title" : "Override Request URL Port",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the port with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.port) <br>Hot-swap: Yes",
"propertyOrder" : 33300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"authenticationType" : {
"title" : "Authentication Type",
"description" : "(property name: com.sun.identity.agents.config.iis.auth.type)",
"propertyOrder" : 33800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
},
"ssoWebAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 29300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.sun.identity.agents.config.cookie.name)<br>Hot-swap: No",
"propertyOrder" : 29100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"secureCookies" : {
"title" : "Cookie Security",
"description" : "Agent sends secure cookies if communication is secure. (property name: com.sun.identity.agents.config.cookie.secure) <br>Hot-swap: No",
"propertyOrder" : 29200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoCookieDomain" : {
"title" : "Cookies Domain List",
"description" : "List of domains in which cookies have to be set in CDSSO. (property name: com.sun.identity.agents.config.cdsso.cookie.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 29600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross-Domain Single Sign On. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetList" : {
"title" : "Cookies Reset Name List",
"description" : "List of cookies in the format: name[=value][;Domain=value]. (property name: com.sun.identity.agents.config.cookie.reset) <br>Hot-swap: Yes <br> Examples: <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 29800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 29500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"miscWebAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"caseInsensitiveUrlComparison" : {
"title" : "URL Comparison Case Sensitivity Check",
"description" : "Enforces case insensitivity in both policy and not enforced url evaluation. (property name: com.sun.identity.agents.config.url.comparison.case.ignore) <br>Hot-swap: Yes",
"propertyOrder" : 32000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 32400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"anonymousUserId" : {
"title" : "Anonymous User Default Value",
"description" : "User id of unauthenticated users. (property name: com.sun.identity.agents.config.anonymous.user.id) <br>Hot-swap: Yes",
"propertyOrder" : 32700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentLocale" : {
"title" : "Agent Locale",
"description" : "The default locale for the product. (property name: com.sun.identity.agents.config.locale) <br>Hot-swap: No",
"propertyOrder" : 31500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignorePreferredNamingUrl" : {
"title" : "Ignore Preferred Naming URL in Naming Request",
"description" : "Agent uses this value to send preferred naming url in the naming request. (property name: com.sun.identity.agents.config.ignore.preferred.naming.url) <br>Hot-swap: Yes",
"propertyOrder" : 32200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"anonymousUserEnabled" : {
"title" : "Anonymous User",
"description" : "Enable/Disable REMOTE_USER processing for anonymous users. (property name: com.sun.identity.agents.config.anonymous.user.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"encodeProfileAttributes" : {
"title" : "Native Encoding of Profile Attributes",
"description" : "Agent encodes the ldap header values in the default encoding of OS locale. If false, UTF-8 gets used. (property name: com.sun.identity.agents.config.convert.mbyte.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"profileAttributesCookieMaxAge" : {
"title" : "Profile Attributes Cookie Maxage",
"description" : "Maxage of attributes cookie headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.maxage) <br>Hot-swap: Yes",
"propertyOrder" : 31900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"encodeSpecialCharsInCookies" : {
"title" : "Encode special chars in Cookies",
"description" : "Encode special chars in cookie by URL encoding. Useful when profile, session and response attributes contain special chars and attributes fetch mode is set to HTTP_COOKIE. (property name: com.sun.identity.agents.config.encode.cookie.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. The default value should be changed only when the login URL has a landing page specified. <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcservlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent.port/original.jsp",
"propertyOrder" : 32600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignoreServerCheck" : {
"title" : "Ignore Server Check",
"description" : "Agent uses this value to check AM is up before doing a 302 redirect. (property name: com.sun.identity.agents.config.ignore.server.check) <br>Hot-swap: Yes",
"propertyOrder" : 32300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"profileAttributesCookiePrefix" : {
"title" : "Profile Attributes Cookie Prefix",
"description" : "Sets cookie prefix in the attributes headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.prefix) <br>Hot-swap: Yes",
"propertyOrder" : 31800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"encodeUrlSpecialCharacters" : {
"title" : "Encode URL's Special Characters",
"description" : "Encodes the url which has special characters before doing policy evaluation. (property name: com.sun.identity.agents.config.encode.url.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
}
}
},
"globalWebAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"debugLogRotation" : {
"title" : "Agent Debug File Rotation",
"description" : "Debug file gets rotated based on the size specified. (property name: com.sun.identity.agents.config.debug.file.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 26500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"accessDeniedUrl" : {
"title" : "Resources Access Denied URL",
"description" : "The URL of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.url) <br>Hot-swap: Yes",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit in bytes when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 27200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"configurationPollingInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in minutes to fetch agent configuration from AM. (property name: com.sun.identity.agents.config.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 25900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 26100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"agentUriPrefix" : {
"title" : "Agent Deployment URI Prefix",
"description" : "(property name: com.sun.identity.agents.config.agenturi.prefix)<br>Hot-swap: Yes",
"propertyOrder" : 25800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notificationsEnabled" : {
"title" : "Enable Notifications",
"description" : "The notifications help in maintaining agent's sso, policy and configuration caches. (property name: com.sun.identity.agents.config.notification.enable) <br>Hot-swap: No",
"propertyOrder" : 25600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"remoteLogFilename" : {
"title" : "Remote Log Filename",
"description" : "(Not used in Agent 5 onwards) <br>Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: No",
"propertyOrder" : 26900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"debugRotationSize" : {
"title" : "Agent Debug File Size",
"description" : "Agent debug file size in bytes. (property name: com.sun.identity.agents.config.debug.file.size) <br>Hot-swap: Yes",
"propertyOrder" : 26600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 27400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 26700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 25000,
"required" : true,
"type" : "string",
"format" : "password"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 25100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "(Not used in Agent 5 onwards) <br>URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 25700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"configurationCleanupInterval" : {
"title" : "Configuration Cleanup Interval",
"description" : "Interval in minutes to cleanup old agent configuration entries. (property name: com.sun.identity.agents.config.cleanup.interval) <br>Hot-swap: No",
"propertyOrder" : 26000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 25500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"repositoryLocation" : {
"title" : "Location of Agent Configuration Repository",
"description" : "Indicates agent's configuration located either on agent's host or centrally on AM server.",
"propertyOrder" : 25200,
"required" : true,
"type" : "string"
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 27100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ssoOnlyMode" : {
"title" : "SSO Only Mode",
"description" : "Agent will just enforce authentication (SSO), but no authorization for policies. (property name: com.sun.identity.agents.config.sso.only) <br>Hot-swap: Yes",
"propertyOrder" : 26200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"remoteLogSendInterval" : {
"title" : "Remote Audit Log Interval",
"description" : "Periodic interval in minutes in which audit log messages are sent to remote log file. (property name: com.sun.identity.agents.config.remote.log.interval) <br>Hot-swap: No",
"propertyOrder" : 27000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"agentDebugLevel" : {
"title" : "Agent Debug Level",
"description" : "Agent debug level. (property name: com.sun.identity.agents.config.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 26400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 26800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 25300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 27500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 25400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"amServicesWebAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"policyCachePollingInterval" : {
"title" : "Policy Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's policy cache. (property name: com.sun.identity.agents.config.policy.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"logoutResetCookies" : {
"title" : "Logout Cookies List for Reset",
"description" : "Any cookies to be reset upon logout in the same format as cookie reset list. (property name: com.sun.identity.agents.config.logout.cookie.reset) <br>Hot-swap: Yes <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 30400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"logoutRedirectUrl" : {
"title" : "Logout Redirect URL",
"description" : "User gets redirected to this url after logout. (property name: com.sun.identity.agents.config.logout.redirect.url). This property should be specified along with the above Logout URL List.<br>Hot-swap: Yes",
"propertyOrder" : 30500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userIdParameter" : {
"title" : "User ID Parameter",
"description" : "Agent sets value of User Id to REMOTE_USER server variable. (property name: com.sun.identity.agents.config.userid.param) <br>Hot-swap: Yes",
"propertyOrder" : 30800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 31300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userIdParameterType" : {
"title" : "User ID Parameter Type",
"description" : "User ID can be fetched from either SESSION or LDAP attributes. (property name: com.sun.identity.agents.config.userid.param.type) <br>Hot-swap: Yes",
"propertyOrder" : 30900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentConnectionTimeout" : {
"title" : "Agent Connection Timeout",
"description" : "Timeout period in seconds for an agent connection with AM auth server. (property name: com.sun.identity.agents.config.auth.connection.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 30000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"ssoCachePollingInterval" : {
"title" : "SSO Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's sso cache. (property name: com.sun.identity.agents.config.sso.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fetchPoliciesFromRootResource" : {
"title" : "Fetch Policies from Root Resource",
"description" : "Agent caches policy decision of the resource and all resources from the root of the resource down. (property name: com.sun.identity.agents.config.fetch.from.root.resource) <br>Hot-swap: No",
"propertyOrder" : 31000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"applicationLogoutUrls" : {
"title" : "Logout URL List",
"description" : "List of application logout URLs. User gets logged out from the AM session when these URLs are accessed. (property name: com.sun.identity.agents.config.agent.logout.url). If this property is used, user should specify a value for the below Logout Redirect URL property.<br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/logout.html",
"propertyOrder" : 30300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClockSkew" : {
"title" : "Policy Clock Skew",
"description" : "Time in seconds used to adjust the time difference between the Agent machine and AM. Clock skew in seconds = AgentTime - AMServerTime. (property name: com.sun.identity.agents.config.policy.clock.skew) <br>Hot-swap: No",
"propertyOrder" : 31200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"retrieveClientHostname" : {
"title" : "Retrieve Client Hostname",
"description" : "Gets the client's hostname through DNS reverse lookup for use in policy evaluation. (property name: com.sun.identity.agents.config.get.client.host.name) <br>Hot-swap: Yes",
"propertyOrder" : 31100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 29900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 30200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 31400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"primaryServerPollingPeriod" : {
"title" : "Polling Period for Primary Server",
"description" : "Interval in minutes at which the agent polls to check that the primary server is up and running. (property name: com.sun.identity.agents.config.poll.primary.server) <br>Hot-swap: No",
"propertyOrder" : 30100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"applicationWebAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"ignorePathInfoForNotEnforcedUrls" : {
"title" : "Ignore Path Info for Not Enforced URLs",
"description" : "Indicate whether the path info and query should be stripped from the request URL before being compared with the URLs of the not enforced list when those URLs have a wildcard '*' character. (property name: com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list) <br>Hot-swap: Yes",
"propertyOrder" : 27600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"attributeMultiValueSeparator" : {
"title" : "Attribute Multi Value Separator",
"description" : "Specifies separator for multiple values. Applies to all types of attributes i.e. profile, session and response attributes. (property name: com.sun.identity.agents.config.attribute.multi.value.separator) <br>Hot-swap: Yes",
"propertyOrder" : 28800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request, that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 29000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"profileAttributeMap" : {
"title" : "Profile Attribute Map",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 28300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedUrls" : {
"title" : "Not Enforced URLs",
"description" : "List of URLs for which no authentication is required. (property name: com.sun.identity.agents.config.notenforced.url) <br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/*.gif",
"propertyOrder" : 27700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"responseAttributeMap" : {
"title" : "Response Attribute Map",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 28500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 28900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"invertNotEnforcedUrls" : {
"title" : "Invert Not Enforced URLs",
"description" : "Only the URLs in the not enforced list will be enforced. (property name: com.sun.identity.agents.config.notenforced.url.invert) <br>Hot-swap: Yes",
"propertyOrder" : 27800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 28000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"fetchAttributesForNotEnforcedUrls" : {
"title" : "Fetch Attributes for Not Enforced URLs",
"description" : "Agent fetches profile attributes for not enforced urls by doing policy evaluation. (property name: com.sun.identity.agents.config.notenforced.url.attributes.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"clientIpValidation" : {
"title" : "Client IP Validation",
"description" : "This validates if the subsequent browser requests come from the same ip address that the SSO token is initially issued against. (property name: com.sun.identity.agents.config.client.ip.validation.enable) <br>Hot-swap: Yes",
"propertyOrder" : 28100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"sessionAttributeMap" : {
"title" : "Session Attribute Map",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 28700,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedWebAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"loadBalanced" : {
"title" : "Load Balancer Setup",
"description" : "Set to true if a load balancer is used for AM services. (property name: com.sun.identity.agents.config.load.balancer.enable) <br>Hot-swap: No",
"propertyOrder" : 33000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 35100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"overrideRequestProtocol" : {
"title" : "Override Request URL Protocol",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the protocol with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 33100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"changeProtocolToHttps" : {
"title" : "Change URL Protocol to https",
"description" : "If true, avoids IE6 security pop-ups. (property name: com.sun.identity.agents.config.iis.owa.enable.change.protocol)",
"propertyOrder" : 34200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"useLtpaToken" : {
"title" : "Use LTPA token",
"description" : "Set to true if agent needs to use LTPA Token. (property name: com.sun.identity.agents.config.domino.ltpa.enable)",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 32800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenOrganizationName" : {
"title" : "LTPA Token Organization Name",
"description" : "The organization name to which the LTPA token belongs. (property name: com.sun.identity.agents.config.domino.ltpa.org.name)",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 32900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenConfigurationname" : {
"title" : "LTPA Token Configuration Name",
"description" : "The configuration name that the agent uses in order to employ the LTPA token mechanism. (property name: com.sun.identity.agents.config.domino.ltpa.config.name)",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idleSessionTimeoutUrl" : {
"title" : "Idle Session Timeout Page URL",
"description" : "URL of the local idle session timeout page. (property name: com.sun.identity.agents.config.iis.owa.enable.session.timeout.url)",
"propertyOrder" : 34300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"replayPasswordKey" : {
"title" : "Replay Password Key",
"description" : "DES key for decrypting the basic authentication password in the session. (property name: com.sun.identity.agents.config.replaypasswd.key)",
"propertyOrder" : 33900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"overrideRequestHost" : {
"title" : "Override Request URL Host",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the host with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.host) <br>Hot-swap: Yes",
"propertyOrder" : 33200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataPreservation" : {
"title" : "POST Data Preservation",
"description" : "Enables POST data preservation. (property name: com.sun.identity.agents.config.postdata.preserve.enable) <br> Note that this feature is not supported in all the web agents. Please refer to the individual agent's documentation for more details. <br>Hot-swap: Yes",
"propertyOrder" : 33500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataCachePeriod" : {
"title" : "POST Data Entries Cache Period",
"description" : "POST cache entry lifetime in minutes. (property name: com.sun.identity.agents.config.postcache.entry.lifetime) <br>Hot-swap: Yes",
"propertyOrder" : 33600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"overrideNotificationUrl" : {
"title" : "Override Notification URL",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the URL with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.notification.url) <br>Hot-swap: Yes",
"propertyOrder" : 33400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"filterPriority" : {
"title" : "Filter Priority",
"description" : "The loading priority of filter. (property name: com.sun.identity.agents.config.iis.filter.priority)",
"propertyOrder" : 34000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenCookieName" : {
"title" : "LTPA Token Cookie Name",
"description" : "The name of the cookie that contains the LTPA token. (property name: com.sun.identity.agents.config.domino.ltpa.cookie.name)",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"checkUserInDomino" : {
"title" : "Check User in Domino Database",
"description" : "If true, agent checks user existence in Domino name database. (property name: com.sun.identity.agents.config.domino.check.name.database)",
"propertyOrder" : 34600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"filterConfiguredWithOwa" : {
"title" : "Filter configured with OWA",
"description" : "Set to true if the IIS agent filter is configured for OWA. (property name: com.sun.identity.agents.config.iis.owa.enable)",
"propertyOrder" : 34100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"overrideProxyHostAndPort" : {
"title" : "Override Proxy Server's Host and Port",
"description" : "(property name: com.sun.identity.agents.config.proxy.override.host.port) <br>Hot-swap: No",
"propertyOrder" : 33700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"showPasswordInHeader" : {
"title" : "Show Password in HTTP Header",
"description" : "Set to true if encrypted password should be set in HTTP header AUTH_PASSWORD. (property name: com.sun.identity.agents.config.iis.password.header)",
"propertyOrder" : 34400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logonAndImpersonation" : {
"title" : "Logon and Impersonation",
"description" : "Set to true if agent should do Windows Logon and User Impersonation. (property name: com.sun.identity.agents.config.iis.logonuser)",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"overrideRequestPort" : {
"title" : "Override Request URL Port",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the port with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.port) <br>Hot-swap: Yes",
"propertyOrder" : 33300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"authenticationType" : {
"title" : "Authentication Type",
"description" : "(property name: com.sun.identity.agents.config.iis.auth.type)",
"propertyOrder" : 33800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
},
"ssoWebAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 29300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.sun.identity.agents.config.cookie.name)<br>Hot-swap: No",
"propertyOrder" : 29100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"secureCookies" : {
"title" : "Cookie Security",
"description" : "Agent sends secure cookies if communication is secure. (property name: com.sun.identity.agents.config.cookie.secure) <br>Hot-swap: No",
"propertyOrder" : 29200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoCookieDomain" : {
"title" : "Cookies Domain List",
"description" : "List of domains in which cookies have to be set in CDSSO. (property name: com.sun.identity.agents.config.cdsso.cookie.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 29600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross-Domain Single Sign On. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetList" : {
"title" : "Cookies Reset Name List",
"description" : "List of cookies in the format: name[=value][;Domain=value]. (property name: com.sun.identity.agents.config.cookie.reset) <br>Hot-swap: Yes <br> Examples: <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 29800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 29500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"miscWebAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"caseInsensitiveUrlComparison" : {
"title" : "URL Comparison Case Sensitivity Check",
"description" : "Enforces case insensitivity in both policy and not enforced url evaluation. (property name: com.sun.identity.agents.config.url.comparison.case.ignore) <br>Hot-swap: Yes",
"propertyOrder" : 32000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 32400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"anonymousUserId" : {
"title" : "Anonymous User Default Value",
"description" : "User id of unauthenticated users. (property name: com.sun.identity.agents.config.anonymous.user.id) <br>Hot-swap: Yes",
"propertyOrder" : 32700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentLocale" : {
"title" : "Agent Locale",
"description" : "The default locale for the product. (property name: com.sun.identity.agents.config.locale) <br>Hot-swap: No",
"propertyOrder" : 31500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignorePreferredNamingUrl" : {
"title" : "Ignore Preferred Naming URL in Naming Request",
"description" : "Agent uses this value to send preferred naming url in the naming request. (property name: com.sun.identity.agents.config.ignore.preferred.naming.url) <br>Hot-swap: Yes",
"propertyOrder" : 32200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"anonymousUserEnabled" : {
"title" : "Anonymous User",
"description" : "Enable/Disable REMOTE_USER processing for anonymous users. (property name: com.sun.identity.agents.config.anonymous.user.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"encodeProfileAttributes" : {
"title" : "Native Encoding of Profile Attributes",
"description" : "Agent encodes the ldap header values in the default encoding of OS locale. If false, UTF-8 gets used. (property name: com.sun.identity.agents.config.convert.mbyte.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"profileAttributesCookieMaxAge" : {
"title" : "Profile Attributes Cookie Maxage",
"description" : "Maxage of attributes cookie headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.maxage) <br>Hot-swap: Yes",
"propertyOrder" : 31900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"encodeSpecialCharsInCookies" : {
"title" : "Encode special chars in Cookies",
"description" : "Encode special chars in cookie by URL encoding. Useful when profile, session and response attributes contain special chars and attributes fetch mode is set to HTTP_COOKIE. (property name: com.sun.identity.agents.config.encode.cookie.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. Default value should be changed only when the login URL has a landing page specified <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcserlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent.port/original.jsp",
"propertyOrder" : 32600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignoreServerCheck" : {
"title" : "Ignore Server Check",
"description" : "Agent uses this value to check AM is up before doing a 302 redirect. (property name: com.sun.identity.agents.config.ignore.server.check) <br>Hot-swap: Yes",
"propertyOrder" : 32300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"profileAttributesCookiePrefix" : {
"title" : "Profile Attributes Cookie Prefix",
"description" : "Sets cookie prefix in the attributes headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.prefix) <br>Hot-swap: Yes",
"propertyOrder" : 31800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"encodeUrlSpecialCharacters" : {
"title" : "Encode URL's Special Characters",
"description" : "Encodes the url which has special characters before doing policy evaluation. (property name: com.sun.identity.agents.config.encode.url.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
}
}
},
"globalWebAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"debugLogRotation" : {
"title" : "Agent Debug File Rotation",
"description" : "Debug file gets rotated based on the size specified. (property name: com.sun.identity.agents.config.debug.file.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 26500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"accessDeniedUrl" : {
"title" : "Resources Access Denied URL",
"description" : "The URL of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.url) <br>Hot-swap: Yes",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit in bytes when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 27200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"configurationPollingInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in minutes to fetch agent configuration from AM. (property name: com.sun.identity.agents.config.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 25900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 26100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"agentUriPrefix" : {
"title" : "Agent Deployment URI Prefix",
"description" : "(property name: com.sun.identity.agents.config.agenturi.prefix)<br>Hot-swap: Yes",
"propertyOrder" : 25800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notificationsEnabled" : {
"title" : "Enable Notifications",
"description" : "The notifications help in maintaining agent's sso, policy and configuration caches. (property name: com.sun.identity.agents.config.notification.enable) <br>Hot-swap: No",
"propertyOrder" : 25600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"remoteLogFilename" : {
"title" : "Remote Log Filename",
"description" : "(Not used in Agent 5 onwards) <br>Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: No",
"propertyOrder" : 26900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"debugRotationSize" : {
"title" : "Agent Debug File Size",
"description" : "Agent debug file size in bytes. (property name: com.sun.identity.agents.config.debug.file.size) <br>Hot-swap: Yes",
"propertyOrder" : 26600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 27400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 26700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 25000,
"required" : true,
"type" : "string",
"format" : "password"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 25100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "(Not used in Agent 5 onwards) <br>URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 25700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"configurationCleanupInterval" : {
"title" : "Configuration Cleanup Interval",
"description" : "Interval in minutes to cleanup old agent configuration entries. (property name: com.sun.identity.agents.config.cleanup.interval) <br>Hot-swap: No",
"propertyOrder" : 26000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 25500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"repositoryLocation" : {
"title" : "Location of Agent Configuration Repository",
"description" : "Indicates agent's configuration located either on agent's host or centrally on AM server.",
"propertyOrder" : 25200,
"required" : true,
"type" : "string"
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 27100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ssoOnlyMode" : {
"title" : "SSO Only Mode",
"description" : "Agent will just enforce authentication (SSO), but no authorization for policies. (property name: com.sun.identity.agents.config.sso.only) <br>Hot-swap: Yes",
"propertyOrder" : 26200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"remoteLogSendInterval" : {
"title" : "Remote Audit Log Interval",
"description" : "Periodic interval in minutes in which audit log messages are sent to remote log file. (property name: com.sun.identity.agents.config.remote.log.interval) <br>Hot-swap: No",
"propertyOrder" : 27000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"agentDebugLevel" : {
"title" : "Agent Debug Level",
"description" : "Agent debug level. (property name: com.sun.identity.agents.config.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 26400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 26800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 25300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 27500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 25400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"amServicesWebAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"policyCachePollingInterval" : {
"title" : "Policy Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's policy cache. (property name: com.sun.identity.agents.config.policy.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"logoutResetCookies" : {
"title" : "Logout Cookies List for Reset",
"description" : "Any cookies to be reset upon logout in the same format as cookie reset list. (property name: com.sun.identity.agents.config.logout.cookie.reset) <br>Hot-swap: Yes <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 30400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"logoutRedirectUrl" : {
"title" : "Logout Redirect URL",
"description" : "User gets redirected to this url after logout. (property name: com.sun.identity.agents.config.logout.redirect.url). This property should be specified along with the above Logout URL List.<br>Hot-swap: Yes",
"propertyOrder" : 30500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userIdParameter" : {
"title" : "User ID Parameter",
"description" : "Agent sets value of User Id to REMOTE_USER server variable. (property name: com.sun.identity.agents.config.userid.param) <br>Hot-swap: Yes",
"propertyOrder" : 30800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 31300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userIdParameterType" : {
"title" : "User ID Parameter Type",
"description" : "User ID can be fetched from either SESSION and LDAP attributes. (property name: com.sun.identity.agents.config.userid.param.type) <br>Hot-swap: Yes",
"propertyOrder" : 30900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentConnectionTimeout" : {
"title" : "Agent Connection Timeout",
"description" : "Timeout period in seconds for an agent connection with AM auth server. (property name: com.sun.identity.agents.config.auth.connection.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 30000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"ssoCachePollingInterval" : {
"title" : "SSO Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's sso cache. (property name: com.sun.identity.agents.config.sso.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fetchPoliciesFromRootResource" : {
"title" : "Fetch Policies from Root Resource",
"description" : "Agent caches policy decision of the resource and all resources from the root of the resource down. (property name: com.sun.identity.agents.config.fetch.from.root.resource) <br>Hot-swap: No",
"propertyOrder" : 31000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"applicationLogoutUrls" : {
"title" : "Logout URL List",
"description" : "List of application logout URLs. User gets logged out from AM session when these urls accessed. (property name: com.sun.identity.agents.config.agent.logout.url). If this property is used, user should specify a value for the below Logout Redirect URL property.<br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/logout.html",
"propertyOrder" : 30300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClockSkew" : {
"title" : "Policy Clock Skew",
"description" : "Time in seconds used adjust time difference between Agent machine and AM. Clock skew in seconds = AgentTime - AMServerTime. (property name: com.sun.identity.agents.config.policy.clock.skew) <br>Hot-swap: No",
"propertyOrder" : 31200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"retrieveClientHostname" : {
"title" : "Retrieve Client Hostname",
"description" : "Gets the client's hostname through DNS reverse lookup for use in policy evaluation. (property name: com.sun.identity.agents.config.get.client.host.name) <br>Hot-swap: Yes",
"propertyOrder" : 31100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 29900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 30200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 31400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"primaryServerPollingPeriod" : {
"title" : "Polling Period for Primary Server",
"description" : "Interval in minutes, agent polls to check the primary server is up and running. (property name: com.sun.identity.agents.config.poll.primary.server) <br>Hot-swap: No",
"propertyOrder" : 30100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"applicationWebAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"ignorePathInfoForNotEnforcedUrls" : {
"title" : "Ignore Path Info for Not Enforced URLs",
"description" : "Indicate whether the path info and query should be stripped from the request URL before being compared with the URLs of the not enforced list when those URLs have a wildcard '*' character. (property name: com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list) <br>Hot-swap: Yes",
"propertyOrder" : 27600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"attributeMultiValueSeparator" : {
"title" : "Attribute Multi Value Separator",
"description" : "Specifies separator for multiple values. Applies to all types of attributes i.e. profile, session and response attributes. (property name: com.sun.identity.agents.config.attribute.multi.value.separator) <br>Hot-swap: Yes",
"propertyOrder" : 28800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request, that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script.It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 29000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"profileAttributeMap" : {
"title" : "Profile Attribute Map",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 28300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedUrls" : {
"title" : "Not Enforced URLs",
"description" : "List of urls for which no authentication required. (property name: com.sun.identity.agents.config.notenforced.url) <br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/*.gif",
"propertyOrder" : 27700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"responseAttributeMap" : {
"title" : "Response Attribute Map",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 28500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 28900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"invertNotEnforcedUrls" : {
"title" : "Invert Not Enforced URLs",
"description" : "Only not enforced list of urls will be enforced. (property name: com.sun.identity.agents.config.notenforced.url.invert) <br>Hot-swap: Yes",
"propertyOrder" : 27800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 28000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"fetchAttributesForNotEnforcedUrls" : {
"title" : "Fetch Attributes for Not Enforced URLs",
"description" : "Agent fetches profile attributes for not enforced urls by doing policy evaluation. (property name: com.sun.identity.agents.config.notenforced.url.attributes.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"clientIpValidation" : {
"title" : "Client IP Validation",
"description" : "This validates if the subsequent browser requests come from the same ip address that the SSO token is initially issued against. (property name: com.sun.identity.agents.config.client.ip.validation.enable) <br>Hot-swap: Yes",
"propertyOrder" : 28100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"sessionAttributeMap" : {
"title" : "Session Attribute Map",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 28700,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedWebAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"loadBalanced" : {
"title" : "Load Balancer Setup",
"description" : "Set to true if a load balancer is used for AM services. (property name: com.sun.identity.agents.config.load.balancer.enable) <br>Hot-swap: No",
"propertyOrder" : 33000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 35100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"overrideRequestProtocol" : {
"title" : "Override Request URL Protocol",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the protocol with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 33100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"changeProtocolToHttps" : {
"title" : "Change URL Protocol to https",
"description" : "If true, avoids IE6 security pop-ups. (property name: com.sun.identity.agents.config.iis.owa.enable.change.protocol)",
"propertyOrder" : 34200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"useLtpaToken" : {
"title" : "Use LTPA token",
"description" : "Set to true if agent needs to use LTPA Token. (property name: com.sun.identity.agents.config.domino.ltpa.enable)",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 32800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenOrganizationName" : {
"title" : "LTPA Token Organization Name",
"description" : "The organization name to which the LTPA token belongs. (property name: com.sun.identity.agents.config.domino.ltpa.org.name)",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 32900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenConfigurationname" : {
"title" : "LTPA Token Configuration Name",
"description" : "The configuration name that the agent uses in order to employ the LTPA token mechanism. (property name: com.sun.identity.agents.config.domino.ltpa.config.name)",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idleSessionTimeoutUrl" : {
"title" : "Idle Session Timeout Page URL",
"description" : "URL of the local idle session timeout page. (property name: com.sun.identity.agents.config.iis.owa.enable.session.timeout.url)",
"propertyOrder" : 34300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"replayPasswordKey" : {
"title" : "Replay Password Key",
"description" : "DES key for decrypting the basic authentication password in the session. (property name: com.sun.identity.agents.config.replaypasswd.key)",
"propertyOrder" : 33900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"overrideRequestHost" : {
"title" : "Override Request URL Host",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the host with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.host) <br>Hot-swap: Yes",
"propertyOrder" : 33200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataPreservation" : {
"title" : "POST Data Preservation",
"description" : "Enables POST data preservation. (property name: com.sun.identity.agents.config.postdata.preserve.enable) <br> Note that this feature is not supported in all the web agents. Please refer individual agents documentation for more details. <br>Hot-swap: Yes",
"propertyOrder" : 33500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataCachePeriod" : {
"title" : "POST Data Entries Cache Period",
"description" : "POST cache entry lifetime in minutes. (property name: com.sun.identity.agents.config.postcache.entry.lifetime) <br>Hot-swap: Yes",
"propertyOrder" : 33600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"overrideNotificationUrl" : {
"title" : "Override Notification URL",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the URL with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.notification.url) <br>Hot-swap: Yes",
"propertyOrder" : 33400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"filterPriority" : {
"title" : "Filter Priority",
"description" : "The loading priority of filter. (property name: com.sun.identity.agents.config.iis.filter.priority)",
"propertyOrder" : 34000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenCookieName" : {
"title" : "LTPA Token Cookie Name",
"description" : "The name of the cookie that contains the LTPA token. (property name: com.sun.identity.agents.config.domino.ltpa.cookie.name)",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"checkUserInDomino" : {
"title" : "Check User in Domino Database",
"description" : "If true, agent checks user existence in Domino name database. (property name: com.sun.identity.agents.config.domino.check.name.database)",
"propertyOrder" : 34600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"filterConfiguredWithOwa" : {
"title" : "Filter configured with OWA",
"description" : "Set to true if the IIS agent filter is configured for OWA. (property name: com.sun.identity.agents.config.iis.owa.enable)",
"propertyOrder" : 34100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"overrideProxyHostAndPort" : {
"title" : "Override Proxy Server's Host and Port",
"description" : "(property name: com.sun.identity.agents.config.proxy.override.host.port) <br>Hot-swap: No",
"propertyOrder" : 33700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"showPasswordInHeader" : {
"title" : "Show Password in HTTP Header",
"description" : "Set to true if encrypted password should be set in HTTP header AUTH_PASSWORD. (property name: com.sun.identity.agents.config.iis.password.header)",
"propertyOrder" : 34400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logonAndImpersonation" : {
"title" : "Logon and Impersonation",
"description" : "Set to true if agent should do Windows Logon and User Impersonation. (property name: com.sun.identity.agents.config.iis.logonuser)",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"overrideRequestPort" : {
"title" : "Override Request URL Port",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the port with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.port) <br>Hot-swap: Yes",
"propertyOrder" : 33300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"authenticationType" : {
"title" : "Authentication Type",
"description" : "(property name: com.sun.identity.agents.config.iis.auth.type)",
"propertyOrder" : 33800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
},
"ssoWebAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 29300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.sun.identity.agents.config.cookie.name)<br>Hot-swap: No",
"propertyOrder" : 29100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"secureCookies" : {
"title" : "Cookie Security",
"description" : "Agent sends secure cookies if communication is secure. (property name: com.sun.identity.agents.config.cookie.secure) <br>Hot-swap: No",
"propertyOrder" : 29200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoCookieDomain" : {
"title" : "Cookies Domain List",
"description" : "List of domains in which cookies have to be set in CDSSO. (property name: com.sun.identity.agents.config.cdsso.cookie.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 29600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross-Domain Single Sign On. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetList" : {
"title" : "Cookies Reset Name List",
"description" : "List of cookies in the format: name[=value][;Domain=value]. (property name: com.sun.identity.agents.config.cookie.reset) <br>Hot-swap: Yes <br> Examples: <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 29800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent reset cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 29500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"miscWebAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"caseInsensitiveUrlComparison" : {
"title" : "URL Comparison Case Sensitivity Check",
"description" : "Enforces case insensitivity in both policy and not enforced url evaluation. (property name: com.sun.identity.agents.config.url.comparison.case.ignore) <br>Hot-swap: Yes",
"propertyOrder" : 32000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 32400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"anonymousUserId" : {
"title" : "Anonymous User Default Value",
"description" : "User id of unauthenticated users. (property name: com.sun.identity.agents.config.anonymous.user.id) <br>Hot-swap: Yes",
"propertyOrder" : 32700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentLocale" : {
"title" : "Agent Locale",
"description" : "The default locale for the product. (property name: com.sun.identity.agents.config.locale) <br>Hot-swap: No",
"propertyOrder" : 31500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignorePreferredNamingUrl" : {
"title" : "Ignore Preferred Naming URL in Naming Request",
"description" : "Agent uses this value to send preferred naming url in the naming request. (property name: com.sun.identity.agents.config.ignore.preferred.naming.url) <br>Hot-swap: Yes",
"propertyOrder" : 32200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"anonymousUserEnabled" : {
"title" : "Anonymous User",
"description" : "Enable/Disable REMOTE_USER processing for anonymous users. (property name: com.sun.identity.agents.config.anonymous.user.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"encodeProfileAttributes" : {
"title" : "Native Encoding of Profile Attributes",
"description" : "Agent encodes the ldap header values in the default encoding of OS locale. If false, UTF-8 gets used. (property name: com.sun.identity.agents.config.convert.mbyte.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"profileAttributesCookieMaxAge" : {
"title" : "Profile Attributes Cookie Maxage",
"description" : "Maxage of attributes cookie headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.maxage) <br>Hot-swap: Yes",
"propertyOrder" : 31900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"encodeSpecialCharsInCookies" : {
"title" : "Encode special chars in Cookies",
"description" : "Encode special chars in cookie by URL encoding. Useful when profile, session and response attributes contain special chars and attributes fetch mode is set to HTTP_COOKIE. (property name: com.sun.identity.agents.config.encode.cookie.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. Default value should be changed only when the login URL has a landing page specified <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcserlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent.port/original.jsp",
"propertyOrder" : 32600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignoreServerCheck" : {
"title" : "Ignore Server Check",
"description" : "Agent uses this value to check AM is up before doing a 302 redirect. (property name: com.sun.identity.agents.config.ignore.server.check) <br>Hot-swap: Yes",
"propertyOrder" : 32300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"profileAttributesCookiePrefix" : {
"title" : "Profile Attributes Cookie Prefix",
"description" : "Sets cookie prefix in the attributes headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.prefix) <br>Hot-swap: Yes",
"propertyOrder" : 31800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"encodeUrlSpecialCharacters" : {
"title" : "Encode URL's Special Characters",
"description" : "Encodes the url which has special characters before doing policy evaluation. (property name: com.sun.identity.agents.config.encode.url.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
}
}
},
"globalWebAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"debugLogRotation" : {
"title" : "Agent Debug File Rotation",
"description" : "Debug file gets rotated based on the size specified. (property name: com.sun.identity.agents.config.debug.file.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 26500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"accessDeniedUrl" : {
"title" : "Resources Access Denied URL",
"description" : "The URL of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.url) <br>Hot-swap: Yes",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit in bytes when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 27200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"configurationPollingInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in minutes to fetch agent configuration from AM. (property name: com.sun.identity.agents.config.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 25900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 26100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"agentUriPrefix" : {
"title" : "Agent Deployment URI Prefix",
"description" : "(property name: com.sun.identity.agents.config.agenturi.prefix)<br>Hot-swap: Yes",
"propertyOrder" : 25800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notificationsEnabled" : {
"title" : "Enable Notifications",
"description" : "The notifications help in maintaining agent's sso, policy and configuration caches. (property name: com.sun.identity.agents.config.notification.enable) <br>Hot-swap: No",
"propertyOrder" : 25600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"remoteLogFilename" : {
"title" : "Remote Log Filename",
"description" : "(Not used in Agent 5 onwards) <br>Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: No",
"propertyOrder" : 26900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"debugRotationSize" : {
"title" : "Agent Debug File Size",
"description" : "Agent debug file size in bytes. (property name: com.sun.identity.agents.config.debug.file.size) <br>Hot-swap: Yes",
"propertyOrder" : 26600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 27400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 26700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 25000,
"required" : true,
"type" : "string",
"format" : "password"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 25100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "(Not used in Agent 5 onwards) <br>URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 25700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"configurationCleanupInterval" : {
"title" : "Configuration Cleanup Interval",
"description" : "Interval in minutes to cleanup old agent configuration entries. (property name: com.sun.identity.agents.config.cleanup.interval) <br>Hot-swap: No",
"propertyOrder" : 26000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 25500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"repositoryLocation" : {
"title" : "Location of Agent Configuration Repository",
"description" : "Indicates agent's configuration located either on agent's host or centrally on AM server.",
"propertyOrder" : 25200,
"required" : true,
"type" : "string"
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 27100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ssoOnlyMode" : {
"title" : "SSO Only Mode",
"description" : "Agent will just enforce authentication (SSO), but no authorization for policies. (property name: com.sun.identity.agents.config.sso.only) <br>Hot-swap: Yes",
"propertyOrder" : 26200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"remoteLogSendInterval" : {
"title" : "Remote Audit Log Interval",
"description" : "Periodic interval in minutes in which audit log messages are sent to remote log file. (property name: com.sun.identity.agents.config.remote.log.interval) <br>Hot-swap: No",
"propertyOrder" : 27000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"agentDebugLevel" : {
"title" : "Agent Debug Level",
"description" : "Agent debug level. (property name: com.sun.identity.agents.config.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 26400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 26800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 25300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 27500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 25400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"amServicesWebAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"policyCachePollingInterval" : {
"title" : "Policy Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's policy cache. (property name: com.sun.identity.agents.config.policy.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"logoutResetCookies" : {
"title" : "Logout Cookies List for Reset",
"description" : "Any cookies to be reset upon logout in the same format as cookie reset list. (property name: com.sun.identity.agents.config.logout.cookie.reset) <br>Hot-swap: Yes <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 30400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"logoutRedirectUrl" : {
"title" : "Logout Redirect URL",
"description" : "User gets redirected to this url after logout. (property name: com.sun.identity.agents.config.logout.redirect.url). This property should be specified along with the above Logout URL List.<br>Hot-swap: Yes",
"propertyOrder" : 30500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userIdParameter" : {
"title" : "User ID Parameter",
"description" : "Agent sets value of User Id to REMOTE_USER server variable. (property name: com.sun.identity.agents.config.userid.param) <br>Hot-swap: Yes",
"propertyOrder" : 30800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 31300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userIdParameterType" : {
"title" : "User ID Parameter Type",
"description" : "User ID can be fetched from either SESSION and LDAP attributes. (property name: com.sun.identity.agents.config.userid.param.type) <br>Hot-swap: Yes",
"propertyOrder" : 30900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentConnectionTimeout" : {
"title" : "Agent Connection Timeout",
"description" : "Timeout period in seconds for an agent connection with AM auth server. (property name: com.sun.identity.agents.config.auth.connection.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 30000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"ssoCachePollingInterval" : {
"title" : "SSO Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's sso cache. (property name: com.sun.identity.agents.config.sso.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fetchPoliciesFromRootResource" : {
"title" : "Fetch Policies from Root Resource",
"description" : "Agent caches policy decision of the resource and all resources from the root of the resource down. (property name: com.sun.identity.agents.config.fetch.from.root.resource) <br>Hot-swap: No",
"propertyOrder" : 31000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"applicationLogoutUrls" : {
"title" : "Logout URL List",
"description" : "List of application logout URLs. User gets logged out from AM session when these urls accessed. (property name: com.sun.identity.agents.config.agent.logout.url). If this property is used, user should specify a value for the below Logout Redirect URL property.<br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/logout.html",
"propertyOrder" : 30300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClockSkew" : {
"title" : "Policy Clock Skew",
"description" : "Time in seconds used adjust time difference between Agent machine and AM. Clock skew in seconds = AgentTime - AMServerTime. (property name: com.sun.identity.agents.config.policy.clock.skew) <br>Hot-swap: No",
"propertyOrder" : 31200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"retrieveClientHostname" : {
"title" : "Retrieve Client Hostname",
"description" : "Gets the client's hostname through DNS reverse lookup for use in policy evaluation. (property name: com.sun.identity.agents.config.get.client.host.name) <br>Hot-swap: Yes",
"propertyOrder" : 31100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 29900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 30200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 31400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"primaryServerPollingPeriod" : {
"title" : "Polling Period for Primary Server",
"description" : "Interval in minutes, agent polls to check the primary server is up and running. (property name: com.sun.identity.agents.config.poll.primary.server) <br>Hot-swap: No",
"propertyOrder" : 30100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"applicationWebAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"ignorePathInfoForNotEnforcedUrls" : {
"title" : "Ignore Path Info for Not Enforced URLs",
"description" : "Indicate whether the path info and query should be stripped from the request URL before being compared with the URLs of the not enforced list when those URLs have a wildcard '*' character. (property name: com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list) <br>Hot-swap: Yes",
"propertyOrder" : 27600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"attributeMultiValueSeparator" : {
"title" : "Attribute Multi Value Separator",
"description" : "Specifies separator for multiple values. Applies to all types of attributes i.e. profile, session and response attributes. (property name: com.sun.identity.agents.config.attribute.multi.value.separator) <br>Hot-swap: Yes",
"propertyOrder" : 28800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request, that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script.It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 29000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"profileAttributeMap" : {
"title" : "Profile Attribute Map",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 28300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedUrls" : {
"title" : "Not Enforced URLs",
"description" : "List of urls for which no authentication required. (property name: com.sun.identity.agents.config.notenforced.url) <br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/*.gif",
"propertyOrder" : 27700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"responseAttributeMap" : {
"title" : "Response Attribute Map",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 28500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 28900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"invertNotEnforcedUrls" : {
"title" : "Invert Not Enforced URLs",
"description" : "Only not enforced list of urls will be enforced. (property name: com.sun.identity.agents.config.notenforced.url.invert) <br>Hot-swap: Yes",
"propertyOrder" : 27800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 28000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"fetchAttributesForNotEnforcedUrls" : {
"title" : "Fetch Attributes for Not Enforced URLs",
"description" : "Agent fetches profile attributes for not enforced urls by doing policy evaluation. (property name: com.sun.identity.agents.config.notenforced.url.attributes.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"clientIpValidation" : {
"title" : "Client IP Validation",
"description" : "This validates if the subsequent browser requests come from the same ip address that the SSO token is initially issued against. (property name: com.sun.identity.agents.config.client.ip.validation.enable) <br>Hot-swap: Yes",
"propertyOrder" : 28100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"sessionAttributeMap" : {
"title" : "Session Attribute Map",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 28700,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedWebAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"loadBalanced" : {
"title" : "Load Balancer Setup",
"description" : "Set to true if a load balancer is used for AM services. (property name: com.sun.identity.agents.config.load.balancer.enable) <br>Hot-swap: No",
"propertyOrder" : 33000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 35100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"overrideRequestProtocol" : {
"title" : "Override Request URL Protocol",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the protocol with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 33100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"changeProtocolToHttps" : {
"title" : "Change URL Protocol to https",
"description" : "If true, avoids IE6 security pop-ups. (property name: com.sun.identity.agents.config.iis.owa.enable.change.protocol)",
"propertyOrder" : 34200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"useLtpaToken" : {
"title" : "Use LTPA token",
"description" : "Set to true if agent needs to use LTPA Token. (property name: com.sun.identity.agents.config.domino.ltpa.enable)",
"propertyOrder" : 34700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 32800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenOrganizationName" : {
"title" : "LTPA Token Organization Name",
"description" : "The organization name to which the LTPA token belongs. (property name: com.sun.identity.agents.config.domino.ltpa.org.name)",
"propertyOrder" : 35000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 32900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenConfigurationname" : {
"title" : "LTPA Token Configuration Name",
"description" : "The configuration name that the agent uses in order to employ the LTPA token mechanism. (property name: com.sun.identity.agents.config.domino.ltpa.config.name)",
"propertyOrder" : 34900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"idleSessionTimeoutUrl" : {
"title" : "Idle Session Timeout Page URL",
"description" : "URL of the local idle session timeout page. (property name: com.sun.identity.agents.config.iis.owa.enable.session.timeout.url)",
"propertyOrder" : 34300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"replayPasswordKey" : {
"title" : "Replay Password Key",
"description" : "DES key for decrypting the basic authentication password in the session. (property name: com.sun.identity.agents.config.replaypasswd.key)",
"propertyOrder" : 33900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"overrideRequestHost" : {
"title" : "Override Request URL Host",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the host with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.host) <br>Hot-swap: Yes",
"propertyOrder" : 33200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataPreservation" : {
"title" : "POST Data Preservation",
"description" : "Enables POST data preservation. (property name: com.sun.identity.agents.config.postdata.preserve.enable) <br> Note that this feature is not supported in all the web agents. Please refer individual agents documentation for more details. <br>Hot-swap: Yes",
"propertyOrder" : 33500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"postDataCachePeriod" : {
"title" : "POST Data Entries Cache Period",
"description" : "POST cache entry lifetime in minutes. (property name: com.sun.identity.agents.config.postcache.entry.lifetime) <br>Hot-swap: Yes",
"propertyOrder" : 33600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"overrideNotificationUrl" : {
"title" : "Override Notification URL",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the URL with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.notification.url) <br>Hot-swap: Yes",
"propertyOrder" : 33400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"filterPriority" : {
"title" : "Filter Priority",
"description" : "The loading priority of filter. (property name: com.sun.identity.agents.config.iis.filter.priority)",
"propertyOrder" : 34000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ltpaTokenCookieName" : {
"title" : "LTPA Token Cookie Name",
"description" : "The name of the cookie that contains the LTPA token. (property name: com.sun.identity.agents.config.domino.ltpa.cookie.name)",
"propertyOrder" : 34800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"checkUserInDomino" : {
"title" : "Check User in Domino Database",
"description" : "If true, agent checks user existence in Domino name database. (property name: com.sun.identity.agents.config.domino.check.name.database)",
"propertyOrder" : 34600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"filterConfiguredWithOwa" : {
"title" : "Filter configured with OWA",
"description" : "Set to true if the IIS agent filter is configured for OWA. (property name: com.sun.identity.agents.config.iis.owa.enable)",
"propertyOrder" : 34100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"overrideProxyHostAndPort" : {
"title" : "Override Proxy Server's Host and Port",
"description" : "(property name: com.sun.identity.agents.config.proxy.override.host.port) <br>Hot-swap: No",
"propertyOrder" : 33700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"showPasswordInHeader" : {
"title" : "Show Password in HTTP Header",
"description" : "Set to true if encrypted password should be set in HTTP header AUTH_PASSWORD. (property name: com.sun.identity.agents.config.iis.password.header)",
"propertyOrder" : 34400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"logonAndImpersonation" : {
"title" : "Logon and Impersonation",
"description" : "Set to true if agent should do Windows Logon and User Impersonation. (property name: com.sun.identity.agents.config.iis.logonuser)",
"propertyOrder" : 34500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"overrideRequestPort" : {
"title" : "Override Request URL Port",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the port with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.port) <br>Hot-swap: Yes",
"propertyOrder" : 33300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"authenticationType" : {
"title" : "Authentication Type",
"description" : "(property name: com.sun.identity.agents.config.iis.auth.type)",
"propertyOrder" : 33800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
}
}
},
"ssoWebAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 29300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"cookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.sun.identity.agents.config.cookie.name)<br>Hot-swap: No",
"propertyOrder" : 29100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"secureCookies" : {
"title" : "Cookie Security",
"description" : "Agent sends secure cookies if communication is secure. (property name: com.sun.identity.agents.config.cookie.secure) <br>Hot-swap: No",
"propertyOrder" : 29200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoCookieDomain" : {
"title" : "Cookies Domain List",
"description" : "List of domains in which cookies have to be set in CDSSO. (property name: com.sun.identity.agents.config.cdsso.cookie.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 29600,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross-Domain Single Sign On. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cookieResetList" : {
"title" : "Cookies Reset Name List",
"description" : "List of cookies in the format: name[=value][;Domain=value]. (property name: com.sun.identity.agents.config.cookie.reset) <br>Hot-swap: Yes <br> Examples: <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 29800,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent reset cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 29500,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
}
}
},
"miscWebAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"caseInsensitiveUrlComparison" : {
"title" : "URL Comparison Case Sensitivity Check",
"description" : "Enforces case insensitivity in both policy and not enforced url evaluation. (property name: com.sun.identity.agents.config.url.comparison.case.ignore) <br>Hot-swap: Yes",
"propertyOrder" : 32000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 32400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"anonymousUserId" : {
"title" : "Anonymous User Default Value",
"description" : "User id of unauthenticated users. (property name: com.sun.identity.agents.config.anonymous.user.id) <br>Hot-swap: Yes",
"propertyOrder" : 32700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentLocale" : {
"title" : "Agent Locale",
"description" : "The default locale for the product. (property name: com.sun.identity.agents.config.locale) <br>Hot-swap: No",
"propertyOrder" : 31500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignorePreferredNamingUrl" : {
"title" : "Ignore Preferred Naming URL in Naming Request",
"description" : "Agent uses this value to send preferred naming url in the naming request. (property name: com.sun.identity.agents.config.ignore.preferred.naming.url) <br>Hot-swap: Yes",
"propertyOrder" : 32200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"anonymousUserEnabled" : {
"title" : "Anonymous User",
"description" : "Enable/Disable REMOTE_USER processing for anonymous users. (property name: com.sun.identity.agents.config.anonymous.user.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"encodeProfileAttributes" : {
"title" : "Native Encoding of Profile Attributes",
"description" : "Agent encodes the ldap header values in the default encoding of OS locale. If false, UTF-8 gets used. (property name: com.sun.identity.agents.config.convert.mbyte.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"profileAttributesCookieMaxAge" : {
"title" : "Profile Attributes Cookie Maxage",
"description" : "Maxage of attributes cookie headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.maxage) <br>Hot-swap: Yes",
"propertyOrder" : 31900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"encodeSpecialCharsInCookies" : {
"title" : "Encode special chars in Cookies",
"description" : "Encode special chars in cookie by URL encoding. Useful when profile, session and response attributes contain special chars and attributes fetch mode is set to HTTP_COOKIE. (property name: com.sun.identity.agents.config.encode.cookie.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. Default value should be changed only when the login URL has a landing page specified <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcserlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent.port/original.jsp",
"propertyOrder" : 32600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"ignoreServerCheck" : {
"title" : "Ignore Server Check",
"description" : "Agent uses this value to check AM is up before doing a 302 redirect. (property name: com.sun.identity.agents.config.ignore.server.check) <br>Hot-swap: Yes",
"propertyOrder" : 32300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"profileAttributesCookiePrefix" : {
"title" : "Profile Attributes Cookie Prefix",
"description" : "Sets cookie prefix in the attributes headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.prefix) <br>Hot-swap: Yes",
"propertyOrder" : 31800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"encodeUrlSpecialCharacters" : {
"title" : "Encode URL's Special Characters",
"description" : "Encodes the url which has special characters before doing policy evaluation. (property name: com.sun.identity.agents.config.encode.url.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
}
}
},
"globalWebAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"debugLogRotation" : {
"title" : "Agent Debug File Rotation",
"description" : "Debug file gets rotated based on the size specified. (property name: com.sun.identity.agents.config.debug.file.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 26500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"accessDeniedUrl" : {
"title" : "Resources Access Denied URL",
"description" : "The URL of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.url) <br>Hot-swap: Yes",
"propertyOrder" : 26300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit in bytes when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 27200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"configurationPollingInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in minutes to fetch agent configuration from AM. (property name: com.sun.identity.agents.config.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 25900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 26100,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"agentUriPrefix" : {
"title" : "Agent Deployment URI Prefix",
"description" : "(property name: com.sun.identity.agents.config.agenturi.prefix)<br>Hot-swap: Yes",
"propertyOrder" : 25800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notificationsEnabled" : {
"title" : "Enable Notifications",
"description" : "The notifications help in maintaining agent's sso, policy and configuration caches. (property name: com.sun.identity.agents.config.notification.enable) <br>Hot-swap: No",
"propertyOrder" : 25600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"remoteLogFilename" : {
"title" : "Remote Log Filename",
"description" : "(Not used in Agent 5 onwards) <br>Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: No",
"propertyOrder" : 26900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"debugRotationSize" : {
"title" : "Agent Debug File Size",
"description" : "Agent debug file size in bytes. (property name: com.sun.identity.agents.config.debug.file.size) <br>Hot-swap: Yes",
"propertyOrder" : 26600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 27400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 26700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userpassword" : {
"title" : "Password",
"propertyOrder" : 25000,
"required" : true,
"type" : "string",
"format" : "password"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 25100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : true
}
}
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "(Not used in Agent 5 onwards) <br>URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 25700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"configurationCleanupInterval" : {
"title" : "Configuration Cleanup Interval",
"description" : "Interval in minutes to cleanup old agent configuration entries. (property name: com.sun.identity.agents.config.cleanup.interval) <br>Hot-swap: No",
"propertyOrder" : 26000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 25500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"repositoryLocation" : {
"title" : "Location of Agent Configuration Repository",
"description" : "Indicates agent's configuration located either on agent's host or centrally on AM server.",
"propertyOrder" : 25200,
"required" : true,
"type" : "string"
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 27100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"ssoOnlyMode" : {
"title" : "SSO Only Mode",
"description" : "Agent will just enforce authentication (SSO), but no authorization for policies. (property name: com.sun.identity.agents.config.sso.only) <br>Hot-swap: Yes",
"propertyOrder" : 26200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"remoteLogSendInterval" : {
"title" : "Remote Audit Log Interval",
"description" : "Periodic interval in minutes in which audit log messages are sent to remote log file. (property name: com.sun.identity.agents.config.remote.log.interval) <br>Hot-swap: No",
"propertyOrder" : 27000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"agentDebugLevel" : {
"title" : "Agent Debug Level",
"description" : "Agent debug level. (property name: com.sun.identity.agents.config.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 26400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentgroup" : {
"title" : "Group",
"description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 26800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 25300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 27500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 25400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"amServicesWebAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"policyCachePollingInterval" : {
"title" : "Policy Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's policy cache. (property name: com.sun.identity.agents.config.policy.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"logoutResetCookies" : {
"title" : "Logout Cookies List for Reset",
"description" : "Any cookies to be reset upon logout in the same format as cookie reset list. (property name: com.sun.identity.agents.config.logout.cookie.reset) <br>Hot-swap: Yes <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 30400,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"logoutRedirectUrl" : {
"title" : "Logout Redirect URL",
"description" : "User gets redirected to this url after logout. (property name: com.sun.identity.agents.config.logout.redirect.url). This property should be specified along with the above Logout URL List.<br>Hot-swap: Yes",
"propertyOrder" : 30500,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userIdParameter" : {
"title" : "User ID Parameter",
"description" : "Agent sets value of User Id to REMOTE_USER server variable. (property name: com.sun.identity.agents.config.userid.param) <br>Hot-swap: Yes",
"propertyOrder" : 30800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 31300,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"userIdParameterType" : {
"title" : "User ID Parameter Type",
"description" : "User ID can be fetched from either SESSION or LDAP attributes. (property name: com.sun.identity.agents.config.userid.param.type) <br>Hot-swap: Yes",
"propertyOrder" : 30900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"agentConnectionTimeout" : {
"title" : "Agent Connection Timeout",
"description" : "Timeout period in seconds for an agent connection with AM auth server. (property name: com.sun.identity.agents.config.auth.connection.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 30000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"ssoCachePollingInterval" : {
"title" : "SSO Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's sso cache. (property name: com.sun.identity.agents.config.sso.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30700,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"fetchPoliciesFromRootResource" : {
"title" : "Fetch Policies from Root Resource",
"description" : "Agent caches policy decision of the resource and all resources from the root of the resource down. (property name: com.sun.identity.agents.config.fetch.from.root.resource) <br>Hot-swap: No",
"propertyOrder" : 31000,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"applicationLogoutUrls" : {
"title" : "Logout URL List",
"description" : "List of application logout URLs. The user is logged out from the AM session when these URLs are accessed. (property name: com.sun.identity.agents.config.agent.logout.url). If this property is used, the user should specify a value for the Logout Redirect URL property below.<br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/logout.html",
"propertyOrder" : 30300,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyClockSkew" : {
"title" : "Policy Clock Skew",
"description" : "Time in seconds used to adjust the time difference between the Agent machine and AM. Clock skew in seconds = AgentTime - AMServerTime. (property name: com.sun.identity.agents.config.policy.clock.skew) <br>Hot-swap: No",
"propertyOrder" : 31200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
},
"retrieveClientHostname" : {
"title" : "Retrieve Client Hostname",
"description" : "Gets the client's hostname through DNS reverse lookup for use in policy evaluation. (property name: com.sun.identity.agents.config.get.client.host.name) <br>Hot-swap: Yes",
"propertyOrder" : 31100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 29900,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 30200,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 31400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"primaryServerPollingPeriod" : {
"title" : "Polling Period for Primary Server",
"description" : "Interval in minutes at which the agent polls to check that the primary server is up and running. (property name: com.sun.identity.agents.config.poll.primary.server) <br>Hot-swap: No",
"propertyOrder" : 30100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "integer",
"required" : false
}
}
}
}
},
"applicationWebAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"ignorePathInfoForNotEnforcedUrls" : {
"title" : "Ignore Path Info for Not Enforced URLs",
"description" : "Indicate whether the path info and query should be stripped from the request URL before being compared with the URLs of the not enforced list when those URLs have a wildcard '*' character. (property name: com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list) <br>Hot-swap: Yes",
"propertyOrder" : 27600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"attributeMultiValueSeparator" : {
"title" : "Attribute Multi Value Separator",
"description" : "Specifies separator for multiple values. Applies to all types of attributes i.e. profile, session and response attributes. (property name: com.sun.identity.agents.config.attribute.multi.value.separator) <br>Hot-swap: Yes",
"propertyOrder" : 28800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name under which it will appear in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 29000,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"profileAttributeMap" : {
"title" : "Profile Attribute Map",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 28300,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28600,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28200,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"notEnforcedUrls" : {
"title" : "Not Enforced URLs",
"description" : "List of URLs for which no authentication is required. (property name: com.sun.identity.agents.config.notenforced.url) <br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/*.gif",
"propertyOrder" : 27700,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28400,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "string",
"required" : false
}
}
},
"responseAttributeMap" : {
"title" : "Response Attribute Map",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 28500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 28900,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
},
"invertNotEnforcedUrls" : {
"title" : "Invert Not Enforced URLs",
"description" : "When enabled, only the URLs in the not enforced list are enforced; all other URLs are not enforced. (property name: com.sun.identity.agents.config.notenforced.url.invert) <br>Hot-swap: Yes",
"propertyOrder" : 27800,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 28000,
"items" : {
"type" : "string"
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "array",
"required" : false
}
}
},
"fetchAttributesForNotEnforcedUrls" : {
"title" : "Fetch Attributes for Not Enforced URLs",
"description" : "Agent fetches profile attributes for not enforced urls by doing policy evaluation. (property name: com.sun.identity.agents.config.notenforced.url.attributes.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27900,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"clientIpValidation" : {
"title" : "Client IP Validation",
"description" : "This validates if the subsequent browser requests come from the same ip address that the SSO token is initially issued against. (property name: com.sun.identity.agents.config.client.ip.validation.enable) <br>Hot-swap: Yes",
"propertyOrder" : 28100,
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "boolean",
"required" : false
}
}
},
"sessionAttributeMap" : {
"title" : "Session Attribute Map",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 28700,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object",
"properties" : {
"inherited" : {
"type" : "boolean",
"required" : true
},
"value" : {
"type" : "object",
"required" : false
}
}
}
}
}
}
}
/realm-config/agents/groups
1.0
Aggregating Agent Groups handler that is responsible for querying the aggregating agent groups
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the aggregating agent groups
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Sms Aggregating Agents Query schema",
"type" : "object",
"title" : "Sms Aggregating Agents Query schema"
}
/realm-config/agents/groups/J2EEAgent
1.0
Agent Groups handler that is responsible for managing agent groups
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agent groups of a specific type
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amServicesJ2EEAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"policyActionBooleanValues" : {
"title" : "Policy Client Boolean Action Values",
"description" : "Boolean action values for policy action names. (property name: com.sun.identity.policy.client.booleanActionValues) <br>Hot-swap: No",
"propertyOrder" : 11500,
"required" : false,
"type" : "string"
},
"conditionalLogoutUrl" : {
"title" : "AM Conditional Logout URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.logout.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1¶m2=value2 <br> match/path|?param1=value1¶m2=value2¶m3=value3",
"propertyOrder" : 12550,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyNotifications" : {
"title" : "Enable Policy Notifications",
"description" : "Enable Notifications for remote policy client. (property name: com.sun.identity.agents.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 11200,
"required" : false,
"type" : "boolean"
},
"userDataCachePollingTime" : {
"title" : "User Data Cache Polling Time",
"description" : "Cache update time in minutes for user management data. If set to '0' no updates happen. (property name: com.iplanet.am.sdk.remote.pollingTime) <br>Hot-swap: No",
"propertyOrder" : 10600,
"required" : false,
"type" : "integer"
},
"enableClientPolling" : {
"title" : "Enable Client Polling",
"description" : "Specifies if the session client must use polling for updating session information and not depend upon server notifications. (property name: com.iplanet.am.session.client.polling.enable) <br>Hot-swap: No",
"propertyOrder" : 10200,
"required" : false,
"type" : "boolean"
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 3700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serviceDataCacheTime" : {
"title" : "Service Data Cache Time",
"description" : "Cache update time in minutes for service configuration data. If set to '0' no updates happen. (property name: com.sun.identity.sm.cacheTime) <br>Hot-swap: No",
"propertyOrder" : 10800,
"required" : false,
"type" : "integer"
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"policyClientPollingInterval" : {
"title" : "Policy Client Polling Interval",
"description" : "Duration in minutes after which the cached entries are refreshed by remote policy client. (property name: com.sun.identity.agents.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 11300,
"required" : false,
"type" : "integer"
},
"authServicePort" : {
"title" : "AM Authentication Service Port",
"description" : "Port to be used by the AM authentication service. (property name: com.iplanet.am.server.port) <br>Hot-swap: No",
"propertyOrder" : 11100,
"required" : false,
"type" : "integer"
},
"urlPolicyEnvJsessionParameters" : {
"title" : "URL Policy Env jsession Parameters",
"description" : "List of HTTP SESSION attributes whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.jsession.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 12000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authServiceHost" : {
"title" : "AM Authentication Service Host Name",
"description" : "Host name to be used by the AM authentication service. (property name: com.iplanet.am.server.host) <br>Hot-swap: No",
"propertyOrder" : 11000,
"required" : false,
"type" : "string"
},
"clientPollingPeriod" : {
"title" : "Client Polling Period",
"description" : "(Not used in Agent 5 onwards) <br>Time in seconds after which the session client will request update of cached session information from the server. (property name: com.iplanet.am.session.client.polling.period) <br>Hot-swap: No",
"propertyOrder" : 10300,
"required" : false,
"type" : "integer"
},
"policyClientResourceComparators" : {
"title" : "Policy Client Resource Comparators",
"description" : "Resource Comparators to be used for different service names. (property name: com.sun.identity.policy.client.resourceComparators) <br>Hot-swap: No",
"propertyOrder" : 11600,
"required" : false,
"type" : "string"
},
"urlPolicyEnvGetParameters" : {
"title" : "URL Policy Env GET Parameters",
"description" : "List of HTTP GET request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.get.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClientClockSkew" : {
"title" : "Policy Client Clock Skew",
"description" : "Time in seconds which is allowed to accommodate the time difference between the AM server machine and the remote policy client machine. (property name: com.sun.identity.policy.client.clockSkew) <br>Hot-swap: No",
"propertyOrder" : 11700,
"required" : false,
"type" : "integer"
},
"userDataCacheNotifications" : {
"title" : "Enable Notification of User Data Caches",
"description" : "Enable notifications for amsdk and IdRepo Caches. (property name: com.sun.identity.idm.remote.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10500,
"required" : false,
"type" : "boolean"
},
"loginProbeTimeout" : {
"title" : "Login URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Login URL Probe is set to true. (property name: com.sun.identity.agents.config.login.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 4000,
"required" : false,
"type" : "integer"
},
"logoutProbeTimeout" : {
"title" : "Logout URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Logout URL Probe is set to true. (property name: com.sun.identity.agents.config.logout.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 12700,
"required" : false,
"type" : "integer"
},
"serviceDataCacheNotifications" : {
"title" : "Enable Notification of Service Data Caches",
"description" : "Enable the notifications for service management caches. (property name: com.sun.identity.sm.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10700,
"required" : false,
"type" : "boolean"
},
"probeLoginUrl" : {
"title" : "Login URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.login.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 3900,
"required" : false,
"type" : "boolean"
},
"probeLogoutUrl" : {
"title" : "Logout URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.logout.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 12600,
"required" : false,
"type" : "boolean"
},
"useRedirectForCompositeAdvice" : {
"title" : "Use HTTP-Redirect for composite advice",
"description" : "Configure remote policy client to use HTTP-redirect instead of HTTP-POST for composite advices. (property name: com.sun.identity.agents.config.policy.advice.use.redirect) <br>Hot-swap: Yes",
"propertyOrder" : 13000,
"required" : false,
"type" : "boolean"
},
"conditionalLoginUrl" : {
"title" : "AM Conditional Login URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.login.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1¶m2=value2 <br> match/path|?param1=value1¶m2=value2¶m3=value3",
"propertyOrder" : 4010,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClientCacheMode" : {
"title" : "Policy Client Cache Mode",
"description" : "Mode of caching to be used by remote policy client. (property name: com.sun.identity.policy.client.cacheMode) <br>Hot-swap: No",
"propertyOrder" : 11400,
"required" : false,
"type" : "string"
},
"authServiceProtocol" : {
"title" : "AM Authentication Service Protocol",
"description" : "Protocol to be used by the AM authentication service. (property name: com.iplanet.am.server.protocol) <br>Hot-swap: No",
"propertyOrder" : 10900,
"required" : false,
"type" : "string"
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with. (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"urlPolicyEnvPostParameters" : {
"title" : "URL Policy Env POST Parameters",
"description" : "List of HTTP POST request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.post.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 12400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginUrlPrioritized" : {
"title" : "Login URL Prioritized",
"description" : "Specifies if failover sequence for Login URLs or CDSSO URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.login.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 3800,
"required" : false,
"type" : "boolean"
},
"logoutUrlPrioritized" : {
"title" : "Logout URL Prioritized",
"description" : "Specifies if failover sequence for Logout URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.logout.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 12500,
"required" : false,
"type" : "boolean"
}
}
},
"ssoJ2EEAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoTrustedIdProvider" : {
"title" : "CDSSO Trusted ID Provider",
"description" : "List of AM Server/ID providers that should be trusted by the agent, when evaluating the CDC Liberty Responses. (property name: com.sun.identity.agents.config.cdsso.trusted.id.provider) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetDomains" : {
"title" : "Cookies Reset Domain Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the domain of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.domain) <br>Hot-swap: Yes",
"propertyOrder" : 4800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross Domain Single SignOn. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5000,
"required" : false,
"type" : "boolean"
},
"cookieResetNames" : {
"title" : "Cookies Reset Name List",
"description" : "Cookie names that will be reset by the Agent if Cookie Reset is enabled. (property name: com.sun.identity.agents.config.cdsso.cookie.reset.name) <br>Hot-swap: Yes",
"propertyOrder" : 4700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetPaths" : {
"title" : "Cookies Reset Path Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the path of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.path) <br>Hot-swap: Yes",
"propertyOrder" : 4900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cdssoClockSkew" : {
"title" : "CDSSO Clock Skew",
"description" : "Time in seconds to be used by the Agent to determine the validity of the CDSSO AuthnResponse assertion. (property name: com.sun.identity.agents.config.cdsso.clock.skew) <br>Hot-swap: Yes",
"propertyOrder" : 5300,
"required" : false,
"type" : "integer"
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ssoCacheEnabled" : {
"title" : "SSO Cache Enable",
"description" : "Specifies if the SSO Cache is active for the agent. Cache is used through public APIs exposed by the agent SDK. (property name: com.sun.identity.agents.config.amsso.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4500,
"required" : false,
"type" : "boolean"
},
"cdssoDomainList" : {
"title" : "CDSSO Domain List",
"description" : "Domains for which cookies have to be set in a CDSSO scenario. (property name: com.sun.identity.agents.config.cdsso.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 5800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4600,
"required" : false,
"type" : "boolean"
},
"cdssoSecureCookies" : {
"title" : "CDSSO Secure Enable",
"description" : "The SSO Token cookie set by the agent in the different domains in CDSSO mode will be marked secure. Only transmitted if the communications channel with host is a secure one. (property name: com.sun.identity.agents.config.cdsso.secure.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5700,
"required" : false,
"type" : "boolean"
},
"amCookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.iplanet.am.cookie.name) <br>Hot-swap: No",
"propertyOrder" : 10100,
"required" : false,
"type" : "string"
}
}
},
"globalJ2EEAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 1800,
"required" : false,
"type" : "boolean"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 12105,
"required" : false,
"type" : "integer"
},
"userMappingMode" : {
"title" : "User Mapping Mode",
"description" : "Specifies mechanism agent uses to determine user-ID. (property name: com.sun.identity.agents.config.user.mapping.mode) <br>Hot-swap: Yes",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
},
"configurationReloadInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in seconds between configuration reloads. (property name: com.sun.identity.agents.config.load.interval) <br>Hot-swap: Yes",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 1500,
"required" : false,
"type" : "string"
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 12100,
"required" : false,
"type" : "boolean"
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6400,
"required" : false,
"type" : "boolean"
},
"redirectAttemptLimit" : {
"title" : "Redirect Attempt Limit",
"description" : "Number of successive single point redirects that a user can make using a single browser session which will trigger the blocking of the user request. Set to 0 to disable this feature. (property name: com.sun.identity.agents.config.redirect.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 7100,
"required" : false,
"type" : "integer"
},
"userPrincipalFlag" : {
"title" : "User Principal Flag",
"description" : "Use principal instead of just the user-ID for authenticating the user. (property name: com.sun.identity.agents.config.user.principal) <br>Hot-swap: Yes",
"propertyOrder" : 800,
"required" : false,
"type" : "boolean"
},
"filterMode" : {
"title" : "Agent Filter Mode",
"description" : "Specifies the mode of operation of the Filter. (property name: com.sun.identity.agents.config.filter.mode) <br>Valid key: the web application name. <br>Valid values: ALL, J2EE_POLICY (Not used in Agent 5 onwards), URL_POLICY, SSO_ONLY, NONE <br>For this property, a global value can be set to apply to all the applications that don't have their own specific filter mode. <br>Hot-swap: No <br>Examples: <br>To set ALL as the global filter mode: leave Map Key field empty, and enter ALL in Corresponding Map Value field. <br>To set URL_POLICY as the filter mode for application BankApp: enter BankApp in Map Key field, and enter URL_POLICY in Corresponding Map Value field.",
"propertyOrder" : 500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 1600,
"required" : false,
"type" : "string"
},
"httpSessionBinding" : {
"title" : "HTTP Session Binding",
"description" : "If true will invalidate the http session when login has failed, user has no SSO session, or principal user name does not match SSO user name. (property name: com.sun.identity.agents.config.httpsession.binding) <br>Hot-swap: Yes",
"propertyOrder" : 3500,
"required" : false,
"type" : "boolean"
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 6600,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 11201,
"required" : false,
"type" : "string"
},
"remoteLogFilename" : {
"title" : "Remote Log File Name",
"description" : "Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: Yes",
"propertyOrder" : 1700,
"required" : false,
"type" : "string"
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 300,
"required" : false,
"type" : "string"
},
"debugLevel" : {
"title" : "Agent Debug Level",
"description" : "Specifies type of agent debug messages to log. (property name: com.iplanet.services.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 10000,
"required" : false,
"type" : "string"
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 6500,
"required" : false,
"type" : "string"
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 1900,
"required" : false,
"type" : "integer"
},
"loginAttemptLimit" : {
"title" : "Login Attempt Limit",
"description" : "Limit of failed login attempts for a user's single browser session until triggering the blocking of the user request. Value of 0 disables this feature. (property name: com.sun.identity.agents.config.login.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 4400,
"required" : false,
"type" : "integer"
},
"customResponseHeader" : {
"title" : "Custom Response Header",
"description" : "Map specifies the custom headers that are set by the Agent on the client browser. The key is the header name and the value represents the header value. (property name: com.sun.identity.agents.config.response.header) <br>Hot-swap: Yes <br> Example: <br> To set the custom header Cache-Control to value no-cache: enter Cache-Control in Map Key field, and enter no-cache in Corresponding Map Value field.",
"propertyOrder" : 7000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"userAttributeName" : {
"title" : "User Attribute Name",
"description" : "Name of the attribute which contains the user-ID. (property name: com.sun.identity.agents.config.user.attribute.name) <br>Hot-swap: Yes",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"userTokenName" : {
"title" : "User Token Name",
"description" : "Session property name for user-ID of the authenticated user in session. (property name: com.sun.identity.agents.config.user.token) <br>Hot-swap: Yes",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"advancedJ2EEAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"webServiceInternalErrorContentFile" : {
"title" : "Web Service Internal Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an internal error fault for clients. (property name: com.sun.identity.agents.config.webservice.internalerror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2500,
"required" : false,
"type" : "string"
},
"possibleXssCodeElements" : {
"title" : "Possible XSS code elements",
"description" : "If one of these strings occurs in the request, the client is redirected to an error page. (property name: com.sun.identity.agents.config.xss.code.elements) <br>Hot-swap: Yes",
"propertyOrder" : 12800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceAuthorizationErrorContentFile" : {
"title" : "Web Service Authorization Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an authorization error fault for clients. (property name: com.sun.identity.agents.config.webservice.autherror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"missingPostDataPreservationEntryUri" : {
"title" : "Missing PDP entry URI",
"description" : "An application-specific URI Map that is used in case the referenced PDP entry cannot be found in the local cache (due to ttl). In such cases it will redirect to the specified URI, otherwise it will show a HTTP 403 Forbidden error. (property name: com.sun.identity.agents.config.postdata.preservce.cache.noentry.url)<br>Examples: <br>To set a redirect target for application BankApp: enter Bankapp in Map Key field and enter a redirect URI in corresponding Map Value field.",
"propertyOrder" : 13200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceEnabled" : {
"title" : "Web Service Enable",
"description" : "Flag specifies if Web Service processing is enabled. (property name: com.sun.identity.agents.config.webservice.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2000,
"required" : false,
"type" : "boolean"
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 12200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"alternativeAgentHostname" : {
"title" : "Alternative Agent Host Name",
"description" : "Host name identifying the Agent protected server to the client browsers if different from the actual host name. (property name: com.sun.identity.agents.config.agent.host) <br>Hot-swap: Yes",
"propertyOrder" : 4100,
"required" : false,
"type" : "string"
},
"postDataPreserveCacheEntryMaxEntries" : {
"title" : "PDP Maximum Number of Cache Entries",
"description" : "Maximum number of entries to hold in the PDP cache (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.entries) (Agent 5 only).",
"propertyOrder" : 13550,
"required" : false,
"type" : "integer"
},
"webServiceProcessGetEnabled" : {
"title" : "Web Service Process GET Enable",
"description" : "Flag to indicates if the processing of HTTP GET requests for Web Service endpoints is enabled. (property name: com.sun.identity.agents.config.webservice.process.get.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2200,
"required" : false,
"type" : "boolean"
},
"alternativeAgentPort" : {
"title" : "Alternative Agent Port Name",
"description" : "Port number identifying the Agent protected server listening port to the client browsers if different from the actual listening port. (property name: com.sun.identity.agents.config.agent.port) <br>Hot-swap: Yes",
"propertyOrder" : 4200,
"required" : false,
"type" : "string"
},
"webServiceResponseProcessor" : {
"title" : "Web Service Response Processor",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceResponseProcessor that can be used to process the web-service responses. (property name: com.sun.identity.agents.config.webservice.responseprocessor) <br>Hot-swap: Yes",
"propertyOrder" : 2400,
"required" : false,
"type" : "string"
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 1100,
"required" : false,
"type" : "string"
},
"postDataStickySessionMode" : {
"title" : "PDP Stickysession mode",
"description" : "The PDP mechanism needs sticky loadbalancing, the URL mode will append a querystring, while the Cookie mode will create a cookie. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.mode)",
"propertyOrder" : 13400,
"required" : false,
"type" : "string"
},
"postDataCacheTtl" : {
"title" : "PDP entry TTL",
"description" : "This value tells how long a given POST entry should be stored in the local cache (in milliseconds), default value is 300000. (property name: com.sun.identity.agents.config.postdata.preserve.cache.entry.ttl)",
"propertyOrder" : 13300,
"required" : false,
"type" : "integer"
},
"webServiceEndpoints" : {
"title" : "Web Service End Points",
"description" : "A list of Web Application end points that represent Web Services. (property name: com.sun.identity.agents.config.webservice.endpoint) <br>Hot-swap: Yes",
"propertyOrder" : 2100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceAuthenticator" : {
"title" : "Web Service Authenticator",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceAuthenticator that can be used to authenticate web-service requests. (property name: com.sun.identity.agents.config.webservice.authenticator) <br>Hot-swap: Yes",
"propertyOrder" : 2300,
"required" : false,
"type" : "string"
},
"alternativeAgentProtocol" : {
"title" : "Alternative Agent Protocol",
"description" : "Protocol being used (http/https) by the client browsers to communicate with the Agent protected server if different from the actual protocol used by the server. (property name: com.sun.identity.agents.config.agent.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 4300,
"required" : false,
"type" : "string"
},
"postDataPreserveCacheEntryMaxTotalSizeMb" : {
"title" : "PDP Maximum Cache Size",
"description" : "Maximum size of the PDP cache, in megabytes (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.total.size.mb). (Agent 5 only)",
"propertyOrder" : 13600,
"required" : false,
"type" : "integer"
},
"jbossWebAuthenticationAvailable" : {
"title" : "WebAuthentication Available",
"description" : "(Not used in Agent 5 onwards) <br>Enable agent to make programmatic authentication with the JBoss web container using WebAuthentication feature. (property name: com.sun.identity.agents.config.jboss.webauth.available) <br>Hot-swap: Yes",
"propertyOrder" : 12300,
"required" : false,
"type" : "boolean"
},
"postDataPreservation" : {
"title" : "Post Data Preservation enabled",
"description" : "Post Data Preservation stores any POST data before redirecting the user to the login screen; after successful login the agent generates a page that auto-submits the same POST to the original URL. (property name: com.sun.identity.agents.config.postdata.preserve.enable)",
"propertyOrder" : 13100,
"required" : false,
"type" : "boolean"
},
"xssDetectionRedirectUri" : {
"title" : "XSS detection redirect URI",
"description" : "An application-specific Map that identifies a URI of the customized page to use if XSS code has been detected. (property name: com.sun.identity.agents.config.xss.redirect.uri) <br>Hot-swap: Yes <br>Examples: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field, and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 12900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"postDataStickySessionKeyValue" : {
"title" : "PDP Stickysession key-value",
"description" : "The provided key-value pair will be used for adding to the URL or creating the cookie. <br>Example: <br>Set 'lb=server1' to append to the querystring or to have 'lb' cookie with 'server1' value. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.value)",
"propertyOrder" : 13500,
"required" : false,
"type" : "string"
}
}
},
"applicationJ2EEAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"customVerificationHandlers" : {
"title" : "Custom Verification Handler",
"description" : "Application specific verification handler to validate the user credentials with the local repository. (property name: com.sun.identity.agents.config.verification.handler) <br>Valid key: the web application name. <br>Valid value: the verification handler class name. <br>Hot-swap: Yes <br> Example: <br> To set verification handler for application BankApp: enter BankApp in Map Key field, and enter verification handler class name BankVerificationHandler in Corresponding Map Value field.",
"propertyOrder" : 3400,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"defaultPrivilegedAttributes" : {
"title" : "Default Privileged Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attributes that will be granted to all users who have a valid AM session. (property name: com.sun.identity.agents.config.default.privileged.attribute) <br>Hot-swap: Yes <br> Example: <br> AUTHENTICATED_USERS",
"propertyOrder" : 9400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedRuleCompoundSeparator" : {
"title" : "Not Enforced Compound Rule Separator",
"description" : "Specifies a separator for not enforced compound rules (Agent 5 only). The format for compound rules requires a list of IP rules, a separator (by default the | character), and a list of URI rules. <br> Example: <br> GET 192.168.1.1-192.168.4.3 | /images/* <br> Configure a different separator (for example, &&) when working with the REGEX keyword to avoid invalid regular expressions.",
"propertyOrder" : 7450,
"required" : false,
"type" : "string"
},
"sessionAttributeMap" : {
"title" : "Session Attribute Mapping",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 9000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"logoutRequestParameters" : {
"title" : "Logout Request Parameter",
"description" : "An application-specific Map that identifies a parameter which when present in the HTTP request indicates a logout event. (property name: com.sun.identity.agents.config.logout.request.param) <br>Valid key: the web application name. <br>Valid value: the logout request parameter. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout request parameter. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout request parameter: leave Map Key field empty, and enter the global application logout request parameter logoutparam in Corresponding Map Value field. <br> To set the logout request parameter for application BankApp: enter BankApp in Map Key field, and enter the logout request parameter logoutparam in Corresponding Map Value field.",
"propertyOrder" : 6100,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"headerAttributeDateFormat" : {
"title" : "Fetch Attribute Date Format",
"description" : "Format of date attribute values to be used when the attribute is being set as HTTP header. Format is based on java.text.SimpleDateFormat. (property name: com.sun.identity.agents.config.attribute.date.format) <br>Hot-swap: Yes",
"propertyOrder" : 8400,
"required" : false,
"type" : "string"
},
"loginFormUri" : {
"title" : "Login Form URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-login-page element. (property name: com.sun.identity.agents.config.login.form) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/login.jsp",
"propertyOrder" : 2800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginContentFile" : {
"title" : "Login Content File Name",
"description" : "Complete path and name of custom login content file. (property name: com.sun.identity.agents.config.login.content.file) <br>Hot-swap: Yes",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"logoutEntryUri" : {
"title" : "Logout Entry URI",
"description" : "An application-specific Map that identifies a URI to be used as an entry point after successful logout and subsequent successful authentication if applicable. (property name: com.sun.identity.agents.config.logout.entry.uri) <br>Valid key: the web application name. <br>Valid value: the logout entry URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout entry URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout entry URI: leave Map Key field empty, and enter the global application logout entry URI /welcome.html in Corresponding Map Value field. <br> To set the logout entry URI for application BankApp: enter BankApp in Map Key field, and enter the logout entry URI /BankApp/welcome.html in Corresponding Map Value field.",
"propertyOrder" : 6300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"applicationLogoutHandlers" : {
"title" : "Application Logout Handler",
"description" : "An application-specific Map that identifies a handler to be used for logout processing. (property name: com.sun.identity.agents.config.logout.application.handler) <br>Valid key: the web application name. <br>Valid value: the application logout handler class name. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout handler. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout handler: leave Map Key field empty, and enter the global application logout handler class name GlobalApplicationLogoutHandler in Corresponding Map Value field. <br>To set the logout handler for application BankApp: enter BankApp in Map Key field, and enter the application logout handler class name BankAppLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 5900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"applicationLogoutUris" : {
"title" : "Application Logout URI",
"description" : "An application-specific Map that identifies a request URI which indicates a logout event. (property name: com.sun.identity.agents.config.logout.uri) <br>Valid key: the web application name. <br>Valid value: the application logout URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout URI: leave Map Key field empty, and enter the global application logout URI /logout.jsp in Corresponding Map Value field. <br> To set the logout URI for application BankApp: enter BankApp in Map Key field, and enter the application logout URI /BankApp/logout.jsp in Corresponding Map Value field.",
"propertyOrder" : 6000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"customLogoutHandlers" : {
"title" : "Custom Logout Handler",
"description" : "Application specific logout handler to log out a user with the application server. (property name: com.sun.identity.agents.config.logout.handler) <br>Valid key: the web application name. <br>Valid value: the logout handler class name. <br>Hot-swap: Yes <br> Example: <br>To set logout handler for application BankApp: enter BankApp in Map Key field, and enter logout handler class name BankLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 3300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"logoutIntrospection" : {
"title" : "Logout Introspect Enabled",
"description" : "Allows the Agent to search HTTP request body to locate logout parameter. (property name: com.sun.identity.agents.config.logout.introspect.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 6200,
"required" : false,
"type" : "boolean"
},
"privilegedSessionAttribute" : {
"title" : "Privileged Session Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of session property names which hold privileged attributes for the authenticated user. (property name: com.sun.identity.agents.config.privileged.session.attribute) <br>Hot-swap: Yes <br> Example: <br> UserToken",
"propertyOrder" : 9700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3210,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedUrisCacheSize" : {
"title" : "Not Enforced URIs Cache Size",
"description" : "Size of the cache to be used if caching of not enforced URI list evaluation results is enabled. (property name: com.sun.identity.agents.config.notenforced.uri.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 7800,
"required" : false,
"type" : "integer"
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "The mode of fetching profile attributes. (property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8700,
"required" : false,
"type" : "string"
},
"resourceAccessDeniedUri" : {
"title" : "Resource Access Denied URI",
"description" : "An application-specific Map that identifies a URI of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.uri) <br>Valid key: the web application name. <br>Valid value: the customized application access denied page URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific access denied page. <br>Hot-swap: Yes <br> Examples: <br>To set a global access denied page: leave Map Key field empty, and enter the global access denied page URI /sample/accessdenied.html in Corresponding Map Value field. <br> To set the access denied page URI for application BankApp: enter BankApp in Map Key field, and enter the application access denied page URI /BankApp/accessdenied.html in Corresponding Map Value field.",
"propertyOrder" : 2700,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"privilegedAttributeMappingEnabled" : {
"title" : "Enable Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Enable a mapping from the original value of an attribute to another value, to satisfy container-specific restrictions on the character set used in certain configuration files. (property name: com.sun.identity.agents.config.privileged.attribute.mapping.enable) <br>Hot-swap: Yes",
"propertyOrder" : 9800,
"required" : false,
"type" : "boolean"
},
"cookieAttributeUrlEncoded" : {
"title" : "Attribute Cookie Encode",
"description" : "Indicates if the value of the attribute should be URL encoded before being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.encode) <br>Hot-swap: Yes",
"propertyOrder" : 8500,
"required" : false,
"type" : "boolean"
},
"cookieAttributeMultiValueSeparator" : {
"title" : "Cookie Separator Character",
"description" : "Character that will be used to separate multiple values of the same attribute when it is being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.separator) <br>Hot-swap: Yes",
"propertyOrder" : 8300,
"required" : false,
"type" : "string"
},
"profileAttributeMap" : {
"title" : "Profile Attribute Mapping",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 8800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedUrisCacheEnabled" : {
"title" : "Not Enforced URIs Cache Enabled",
"description" : "Enables the caching of the Not Enforced URIs list evaluation results. (property name: com.sun.identity.agents.config.notenforced.uri.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7700,
"required" : false,
"type" : "boolean"
},
"notEnforcedUris" : {
"title" : "Not Enforced URIs",
"description" : "List of URIs for which protection is not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri) <br>Hot-swap: Yes <br> Examples: <br> /BankApp/public/* <br> /BankApp/images/*",
"propertyOrder" : 7500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"useInternalLogin" : {
"title" : "Use Internal Login",
"description" : "Set to false to customize the Login Content File instead of using the default internal content. (property name: com.sun.identity.agents.config.login.use.internal) <br>Hot-swap: Yes",
"propertyOrder" : 3000,
"required" : false,
"type" : "boolean"
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "The mode of fetching policy response attributes. (property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 9100,
"required" : false,
"type" : "string"
},
"privilegedAttributesToLowerCase" : {
"title" : "Privileged Attributes To Lower Case",
"description" : "(Not used in Agent 5 onwards) <br>Maps the privileged attribute types to whether they should be converted to lowercase. (property name: com.sun.identity.agents.config.privileged.attribute.tolowercase) <br> Valid Keys: the privileged attribute types, such as Group, Role. <br>Valid value: true, false. <br>Hot-swap: Yes <br> Example: <br> Enter Group in Map Key field, and enter false in Corresponding Map Value field.",
"propertyOrder" : 9600,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"shortenedPrivilegeAttributeValues" : {
"title" : "Shortened privilege attribute values",
"description" : "When using privileged attribute type, this setting will ensure that the membership details will be stored in a shortened format and not in the default universal ID format.<br><br>By default the agent maps identity memberships using their universal IDs (e.g. id=admin,ou=group,dc=openam,dc=forgerock,dc=org); however, this may not always be acceptable. Using this setting the identity membership details will be mapped in a shortened format, only including the group's/role's name (e.g. admin). Be aware that in case there are both roles and groups in the data store, this setting will make them indistinguishable from each other, i.e. if there is a group and a role with the same name it will not be possible to differentiate them.",
"propertyOrder" : 13600,
"required" : false,
"type" : "boolean"
},
"privilegedAttributeMap" : {
"title" : "Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Map if using Enable Privileged Attribute Mapping. (property name: com.sun.identity.agents.config.privileged.attribute.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map UUID id=manager,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_manager_role specified in webapp's deployment descriptor: enter id=manager,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_manager_role in Corresponding Map Value field. <br> To map UUID id=employee,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_employee_role specified in webapp's deployment descriptor: enter id=employee,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_employee_role in Corresponding Map Value field.",
"propertyOrder" : 9900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"customAuthenticationHandlers" : {
"title" : "Custom Authentication Handler",
"description" : "Application specific authentication handler to authenticate the logged on user with the application server. (property name: com.sun.identity.agents.config.auth.handler) <br>Valid key: the web application name. <br>Valid value: the authentication handler class name. <br>Hot-swap: Yes <br>Example: <br>To set authentication handler for application BankApp: enter BankApp in Map Key field, and enter authentication handler class name BankAuthHandler in Corresponding Map Value field.",
"propertyOrder" : 3200,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedIpsCacheEnabled" : {
"title" : "Not Enforced IP Cache Flag",
"description" : "Enable caching of not-enforced IP list evaluation results. (property name: com.sun.identity.agents.config.notenforced.ip.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 8100,
"required" : false,
"type" : "boolean"
},
"privilegedAttributeType" : {
"title" : "Privileged Attribute Type",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attribute types that will be fetched for each user. (property name: com.sun.identity.agents.config.privileged.attribute.type) <br>Hot-swap: Yes <br> Example: <br> Group",
"propertyOrder" : 9500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedIpsCacheSize" : {
"title" : "Not Enforced IP Cache Size",
"description" : "Size of the cache to be used if Not Enforced IP Cache Flag is enabled. (property name: com.sun.identity.agents.config.notenforced.ip.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 8200,
"required" : false,
"type" : "integer"
},
"loginErrorUri" : {
"title" : "Login Error URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-error-page element. (property name: com.sun.identity.agents.config.login.error.uri) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/error.jsp",
"propertyOrder" : 2900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"invertNotEnforcedUris" : {
"title" : "Invert Not Enforced URIs",
"description" : "Inverts protection of URIs specified in Not Enforced URIs list. When set to true, it indicates that the URIs specified should be enforced and all other URIs should be not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri.invert) <br>Hot-swap: Yes",
"propertyOrder" : 7600,
"required" : false,
"type" : "boolean"
},
"invertNotEnforcedIps" : {
"title" : "Not Enforced IP Invert List",
"description" : "Inverts protection of the client IP addresses listed in the related Not Enforced Client IP List. (property name: com.sun.identity.agents.config.notenforced.ip.invert) <br>Hot-swap: Yes",
"propertyOrder" : 8000,
"required" : false,
"type" : "boolean"
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3211,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication or authorization protection from the agent is required for requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 7900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedUrisRefreshSessionIdleTime" : {
"title" : "Refresh Session Idle Time",
"description" : "Indicates if opensso session idle time should be refreshed or reset for not enforced URIs. (property name: com.sun.identity.agents.config.notenforced.refresh.session.idletime) <br>Hot-swap: Yes",
"propertyOrder" : 8600,
"required" : false,
"type" : "boolean"
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "The mode of fetching session attributes. (property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8900,
"required" : false,
"type" : "string"
},
"responseAttributeMap" : {
"title" : "Response Attribute Mapping",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 9200,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
}
},
"miscJ2EEAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. The default value should be changed only when the login URL has a landing page specified. <br> Example: com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcservlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent:port/original.jsp",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"legacyUserAgentSupport" : {
"title" : "Legacy User Agent Support Enable",
"description" : "Enables support for legacy user agents (browser). (property name: com.sun.identity.agents.config.legacy.support.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6700,
"required" : false,
"type" : "boolean"
},
"portCheckEnabled" : {
"title" : "Port Check Enable",
"description" : "Indicates if port check functionality is enabled or disabled. (property name: com.sun.identity.agents.config.port.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7200,
"required" : false,
"type" : "boolean"
},
"portCheckSetting" : {
"title" : "Port Check Setting",
"description" : "Map of port-to-protocol entries, with the key being the listening port number and the value being the listening protocol, used by the Agent to identify requests with invalid port numbers. (property name: com.sun.identity.agents.config.port.check.setting) <br>Hot-swap: Yes <br> Example: <br> To map port 80 to protocol http: enter 80 in Map Key field, and enter http in Corresponding Map Value field.",
"propertyOrder" : 7400,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "If set to true, the path info is stripped from the request URL when performing the Not Enforced List check and URL policy evaluation. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 18600,
"required" : false,
"type" : "boolean"
},
"legacyUserAgentList" : {
"title" : "Legacy User Agent List",
"description" : "List of user agent header values that identify legacy browsers. Entries in this list can have wild card character '*'. (property name: com.sun.identity.agents.config.legacy.user.agent) <br>Hot-swap: Yes",
"propertyOrder" : 6800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"portCheckFile" : {
"title" : "Port Check File",
"description" : "Name or complete path of a file that has the necessary content needed to handle requests that need port correction. (property name: com.sun.identity.agents.config.port.check.file) <br>Hot-swap: Yes",
"propertyOrder" : 7300,
"required" : false,
"type" : "string"
},
"localeLanguage" : {
"title" : "Locale Language",
"description" : "(property name: com.sun.identity.agents.config.locale.language) <br>Hot-swap: No",
"propertyOrder" : 1300,
"required" : false,
"type" : "string"
},
"bypassPrincipalList" : {
"title" : "Bypass Principal List",
"description" : "List of principals that are bypassed by the Agent for authentication and search purposes. (property name: com.sun.identity.agents.config.bypass.principal) <br>Hot-swap: Yes <br> Examples: <br> guest <br> testuser",
"propertyOrder" : 9300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"encryptionProvider" : {
"title" : "Encryption Provider",
"description" : "Specifies the encryption provider implementation to be used by the Agent. (property name: com.iplanet.security.encryptor) <br>Hot-swap: No",
"propertyOrder" : 10400,
"required" : false,
"type" : "string"
},
"localeCountry" : {
"title" : "Locale Country",
"description" : "(property name: com.sun.identity.agents.config.locale.country) <br>Hot-swap: No",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"legacyRedirectUri" : {
"title" : "Legacy User Agent Redirect URI",
"description" : "An intermediate URI used by the Agent to redirect legacy user agent requests. (property name: com.sun.identity.agents.config.legacy.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 6900,
"required" : false,
"type" : "string"
}
}
}
}
}
/realm-config/agents/groups/J2EEAgent/{id}
1.0
Agent Groups handler that is responsible for managing agent groups
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amServicesJ2EEAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"policyActionBooleanValues" : {
"title" : "Policy Client Boolean Action Values",
"description" : "Boolean action values for policy action names. (property name: com.sun.identity.policy.client.booleanActionValues) <br>Hot-swap: No",
"propertyOrder" : 11500,
"required" : false,
"type" : "string"
},
"conditionalLogoutUrl" : {
"title" : "AM Conditional Logout URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.logout.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1&param2=value2 <br> match/path|?param1=value1&param2=value2&param3=value3",
"propertyOrder" : 12550,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyNotifications" : {
"title" : "Enable Policy Notifications",
"description" : "Enable Notifications for remote policy client. (property name: com.sun.identity.agents.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 11200,
"required" : false,
"type" : "boolean"
},
"userDataCachePollingTime" : {
"title" : "User Data Cache Polling Time",
"description" : "Cache update time in minutes for user management data. If set to '0' no updates happen. (property name: com.iplanet.am.sdk.remote.pollingTime) <br>Hot-swap: No",
"propertyOrder" : 10600,
"required" : false,
"type" : "integer"
},
"enableClientPolling" : {
"title" : "Enable Client Polling",
"description" : "Specifies if the session client must use polling for updating session information and not depend upon server notifications. (property name: com.iplanet.am.session.client.polling.enable) <br>Hot-swap: No",
"propertyOrder" : 10200,
"required" : false,
"type" : "boolean"
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 3700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serviceDataCacheTime" : {
"title" : "Service Data Cache Time",
"description" : "Cache update time in minutes for service configuration data. If set to '0' no updates happen. (property name: com.sun.identity.sm.cacheTime) <br>Hot-swap: No",
"propertyOrder" : 10800,
"required" : false,
"type" : "integer"
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"policyClientPollingInterval" : {
"title" : "Policy Client Polling Interval",
"description" : "Duration in minutes after which the cached entries are refreshed by remote policy client. (property name: com.sun.identity.agents.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 11300,
"required" : false,
"type" : "integer"
},
"authServicePort" : {
"title" : "AM Authentication Service Port",
"description" : "Port to be used by the AM authentication service. (property name: com.iplanet.am.server.port) <br>Hot-swap: No",
"propertyOrder" : 11100,
"required" : false,
"type" : "integer"
},
"urlPolicyEnvJsessionParameters" : {
"title" : "URL Policy Env jsession Parameters",
"description" : "List of HTTP SESSION attributes whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.jsession.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 12000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authServiceHost" : {
"title" : "AM Authentication Service Host Name",
"description" : "Host name to be used by the AM authentication service. (property name: com.iplanet.am.server.host) <br>Hot-swap: No",
"propertyOrder" : 11000,
"required" : false,
"type" : "string"
},
"clientPollingPeriod" : {
"title" : "Client Polling Period",
"description" : "(Not used in Agent 5 onwards) <br>Time in seconds after which the session client will request update of cached session information from the server. (property name: com.iplanet.am.session.client.polling.period) <br>Hot-swap: No",
"propertyOrder" : 10300,
"required" : false,
"type" : "integer"
},
"policyClientResourceComparators" : {
"title" : "Policy Client Resource Comparators",
"description" : "Resource Comparators to be used for different service names. (property name: com.sun.identity.policy.client.resourceComparators) <br>Hot-swap: No",
"propertyOrder" : 11600,
"required" : false,
"type" : "string"
},
"urlPolicyEnvGetParameters" : {
"title" : "URL Policy Env GET Parameters",
"description" : "List of HTTP GET request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.get.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClientClockSkew" : {
"title" : "Policy Client Clock Skew",
"description" : "Time in seconds which is allowed to accommodate the time difference between the AM server machine and the remote policy client machine. (property name: com.sun.identity.policy.client.clockSkew) <br>Hot-swap: No",
"propertyOrder" : 11700,
"required" : false,
"type" : "integer"
},
"userDataCacheNotifications" : {
"title" : "Enable Notification of User Data Caches",
"description" : "Enable notifications for amsdk and IdRepo Caches. (property name: com.sun.identity.idm.remote.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10500,
"required" : false,
"type" : "boolean"
},
"loginProbeTimeout" : {
"title" : "Login URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Login URL Probe is set to true. (property name: com.sun.identity.agents.config.login.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 4000,
"required" : false,
"type" : "integer"
},
"logoutProbeTimeout" : {
"title" : "Logout URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Logout URL Probe is set to true. (property name: com.sun.identity.agents.config.logout.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 12700,
"required" : false,
"type" : "integer"
},
"serviceDataCacheNotifications" : {
"title" : "Enable Notification of Service Data Caches",
"description" : "Enable the notifications for service management caches. (property name: com.sun.identity.sm.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10700,
"required" : false,
"type" : "boolean"
},
"probeLoginUrl" : {
"title" : "Login URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.login.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 3900,
"required" : false,
"type" : "boolean"
},
"probeLogoutUrl" : {
"title" : "Logout URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.logout.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 12600,
"required" : false,
"type" : "boolean"
},
"useRedirectForCompositeAdvice" : {
"title" : "Use HTTP-Redirect for composite advice",
"description" : "Configure remote policy client to use HTTP-redirect instead of HTTP-POST for composite advices. (property name: com.sun.identity.agents.config.policy.advice.use.redirect) <br>Hot-swap: Yes",
"propertyOrder" : 13000,
"required" : false,
"type" : "boolean"
},
"conditionalLoginUrl" : {
"title" : "AM Conditional Login URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.login.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1&param2=value2 <br> match/path|?param1=value1&param2=value2&param3=value3",
"propertyOrder" : 4010,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClientCacheMode" : {
"title" : "Policy Client Cache Mode",
"description" : "Mode of caching to be used by remote policy client. (property name: com.sun.identity.policy.client.cacheMode) <br>Hot-swap: No",
"propertyOrder" : 11400,
"required" : false,
"type" : "string"
},
"authServiceProtocol" : {
"title" : "AM Authentication Service Protocol",
"description" : "Protocol to be used by the AM authentication service. (property name: com.iplanet.am.server.protocol) <br>Hot-swap: No",
"propertyOrder" : 10900,
"required" : false,
"type" : "string"
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with. (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"urlPolicyEnvPostParameters" : {
"title" : "URL Policy Env POST Parameters",
"description" : "List of HTTP POST request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.post.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 12400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginUrlPrioritized" : {
"title" : "Login URL Prioritized",
"description" : "Specifies if failover sequence for Login URLs or CDSSO URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.login.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 3800,
"required" : false,
"type" : "boolean"
},
"logoutUrlPrioritized" : {
"title" : "Logout URL Prioritized",
"description" : "Specifies if failover sequence for Logout URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.logout.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 12500,
"required" : false,
"type" : "boolean"
}
}
},
"ssoJ2EEAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoTrustedIdProvider" : {
"title" : "CDSSO Trusted ID Provider",
"description" : "List of AM Server/ID providers that should be trusted by the agent, when evaluating the CDC Liberty Responses. (property name: com.sun.identity.agents.config.cdsso.trusted.id.provider) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetDomains" : {
"title" : "Cookies Reset Domain Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the domain of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.domain) <br>Hot-swap: Yes",
"propertyOrder" : 4800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross Domain Single SignOn. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5000,
"required" : false,
"type" : "boolean"
},
"cookieResetNames" : {
"title" : "Cookies Reset Name List",
"description" : "Cookie names that will be reset by the Agent if Cookie Reset is enabled. (property name: com.sun.identity.agents.config.cdsso.cookie.reset.name) <br>Hot-swap: Yes",
"propertyOrder" : 4700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetPaths" : {
"title" : "Cookies Reset Path Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the path of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.path) <br>Hot-swap: Yes",
"propertyOrder" : 4900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cdssoClockSkew" : {
"title" : "CDSSO Clock Skew",
"description" : "Time in seconds to be used by the Agent to determine the validity of the CDSSO AuthnResponse assertion. (property name: com.sun.identity.agents.config.cdsso.clock.skew) <br>Hot-swap: Yes",
"propertyOrder" : 5300,
"required" : false,
"type" : "integer"
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ssoCacheEnabled" : {
"title" : "SSO Cache Enable",
"description" : "Specifies if the SSO Cache is active for the agent. Cache is used through public APIs exposed by the agent SDK. (property name: com.sun.identity.agents.config.amsso.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4500,
"required" : false,
"type" : "boolean"
},
"cdssoDomainList" : {
"title" : "CDSSO Domain List",
"description" : "Domains for which cookies have to be set in a CDSSO scenario. (property name: com.sun.identity.agents.config.cdsso.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 5800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4600,
"required" : false,
"type" : "boolean"
},
"cdssoSecureCookies" : {
"title" : "CDSSO Secure Enable",
"description" : "The SSO Token cookie set by the agent in the different domains in CDSSO mode will be marked secure. Only transmitted if the communications channel with host is a secure one. (property name: com.sun.identity.agents.config.cdsso.secure.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5700,
"required" : false,
"type" : "boolean"
},
"amCookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.iplanet.am.cookie.name) <br>Hot-swap: No",
"propertyOrder" : 10100,
"required" : false,
"type" : "string"
}
}
},
"globalJ2EEAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 1800,
"required" : false,
"type" : "boolean"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 12105,
"required" : false,
"type" : "integer"
},
"userMappingMode" : {
"title" : "User Mapping Mode",
"description" : "Specifies mechanism agent uses to determine user-ID. (property name: com.sun.identity.agents.config.user.mapping.mode) <br>Hot-swap: Yes",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
},
"configurationReloadInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in seconds between configuration reloads. (property name: com.sun.identity.agents.config.load.interval) <br>Hot-swap: Yes",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 1500,
"required" : false,
"type" : "string"
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 12100,
"required" : false,
"type" : "boolean"
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6400,
"required" : false,
"type" : "boolean"
},
"redirectAttemptLimit" : {
"title" : "Redirect Attempt Limit",
"description" : "Number of successive single point redirects that a user can make using a single browser session which will trigger the blocking of the user request. Set to 0 to disable this feature. (property name: com.sun.identity.agents.config.redirect.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 7100,
"required" : false,
"type" : "integer"
},
"userPrincipalFlag" : {
"title" : "User Principal Flag",
"description" : "Use principal instead of just the user-ID for authenticating the user. (property name: com.sun.identity.agents.config.user.principal) <br>Hot-swap: Yes",
"propertyOrder" : 800,
"required" : false,
"type" : "boolean"
},
"filterMode" : {
"title" : "Agent Filter Mode",
"description" : "Specifies the mode of operation of the Filter. (property name: com.sun.identity.agents.config.filter.mode) <br>Valid key: the web application name. <br>Valid values: ALL, J2EE_POLICY (Not used in Agent 5 onwards), URL_POLICY, SSO_ONLY, NONE <br>For this property, a global value can be set to apply to all the applications that don't have their own specific filter mode. <br>Hot-swap: No <br>Examples: <br>To set ALL as the global filter mode: leave Map Key field empty, and enter ALL in Corresponding Map Value field. <br>To set URL_POLICY as the filter mode for application BankApp: enter BankApp in Map Key field, and enter URL_POLICY in Corresponding Map Value field.",
"propertyOrder" : 500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 1600,
"required" : false,
"type" : "string"
},
"httpSessionBinding" : {
"title" : "HTTP Session Binding",
"description" : "If true will invalidate the http session when login has failed, user has no SSO session, or principal user name does not match SSO user name. (property name: com.sun.identity.agents.config.httpsession.binding) <br>Hot-swap: Yes",
"propertyOrder" : 3500,
"required" : false,
"type" : "boolean"
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 6600,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 11201,
"required" : false,
"type" : "string"
},
"remoteLogFilename" : {
"title" : "Remote Log File Name",
"description" : "Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: Yes",
"propertyOrder" : 1700,
"required" : false,
"type" : "string"
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 300,
"required" : false,
"type" : "string"
},
"debugLevel" : {
"title" : "Agent Debug Level",
"description" : "Specifies type of agent debug messages to log. (property name: com.iplanet.services.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 10000,
"required" : false,
"type" : "string"
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 6500,
"required" : false,
"type" : "string"
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 1900,
"required" : false,
"type" : "integer"
},
"loginAttemptLimit" : {
"title" : "Login Attempt Limit",
"description" : "Limit of failed login attempts for a user's single browser session until triggering the blocking of the user request. Value of 0 disables this feature. (property name: com.sun.identity.agents.config.login.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 4400,
"required" : false,
"type" : "integer"
},
"customResponseHeader" : {
"title" : "Custom Response Header",
"description" : "Map specifies the custom headers that are set by the Agent on the client browser. The key is the header name and the value represents the header value. (property name: com.sun.identity.agents.config.response.header) <br>Hot-swap: Yes <br> Example: <br> To set the custom header Cache-Control to value no-cache: enter Cache-Control in Map Key field, and enter no-cache in Corresponding Map Value field.",
"propertyOrder" : 7000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"userAttributeName" : {
"title" : "User Attribute Name",
"description" : "Name of the attribute which contains the user-ID. (property name: com.sun.identity.agents.config.user.attribute.name) <br>Hot-swap: Yes",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"userTokenName" : {
"title" : "User Token Name",
"description" : "Session property name for user-ID of the authenticated user in session. (property name: com.sun.identity.agents.config.user.token) <br>Hot-swap: Yes",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"advancedJ2EEAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"webServiceInternalErrorContentFile" : {
"title" : "Web Service Internal Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an internal error fault for clients. (property name: com.sun.identity.agents.config.webservice.internalerror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2500,
"required" : false,
"type" : "string"
},
"possibleXssCodeElements" : {
"title" : "Possible XSS code elements",
"description" : "If one of these strings occurs in the request, the client is redirected to an error page. (property name: com.sun.identity.agents.config.xss.code.elements) <br>Hot-swap: Yes",
"propertyOrder" : 12800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceAuthorizationErrorContentFile" : {
"title" : "Web Service Authorization Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an authorization error fault for clients. (property name: com.sun.identity.agents.config.webservice.autherror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"missingPostDataPreservationEntryUri" : {
"title" : "Missing PDP entry URI",
"description" : "An application-specific URI Map that is used in case the referenced PDP entry cannot be found in the local cache (due to ttl). In such cases it will redirect to the specified URI, otherwise it will show a HTTP 403 Forbidden error. (property name: com.sun.identity.agents.config.postdata.preservce.cache.noentry.url)<br>Examples: <br>To set a redirect target for application BankApp: enter Bankapp in Map Key field and enter a redirect URI in corresponding Map Value field.",
"propertyOrder" : 13200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceEnabled" : {
"title" : "Web Service Enable",
"description" : "Flag specifies if Web Service processing is enabled. (property name: com.sun.identity.agents.config.webservice.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2000,
"required" : false,
"type" : "boolean"
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 12200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"alternativeAgentHostname" : {
"title" : "Alternative Agent Host Name",
"description" : "Host name identifying the Agent protected server to the client browsers if different from the actual host name. (property name: com.sun.identity.agents.config.agent.host) <br>Hot-swap: Yes",
"propertyOrder" : 4100,
"required" : false,
"type" : "string"
},
"postDataPreserveCacheEntryMaxEntries" : {
"title" : "PDP Maximum Number of Cache Entries",
"description" : "Maximum number of entries to hold in the PDP cache (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.entries) (Agent 5 only).",
"propertyOrder" : 13550,
"required" : false,
"type" : "integer"
},
"webServiceProcessGetEnabled" : {
"title" : "Web Service Process GET Enable",
"description" : "Flag to indicate if the processing of HTTP GET requests for Web Service endpoints is enabled. (property name: com.sun.identity.agents.config.webservice.process.get.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2200,
"required" : false,
"type" : "boolean"
},
"alternativeAgentPort" : {
"title" : "Alternative Agent Port Name",
"description" : "Port number identifying the Agent protected server listening port to the client browsers if different from the actual listening port. (property name: com.sun.identity.agents.config.agent.port) <br>Hot-swap: Yes",
"propertyOrder" : 4200,
"required" : false,
"type" : "string"
},
"webServiceResponseProcessor" : {
"title" : "Web Service Response Processor",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceResponseProcessor that can be used to process the web-service responses. (property name: com.sun.identity.agents.config.webservice.responseprocessor) <br>Hot-swap: Yes",
"propertyOrder" : 2400,
"required" : false,
"type" : "string"
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 1100,
"required" : false,
"type" : "string"
},
"postDataStickySessionMode" : {
"title" : "PDP Stickysession mode",
"description" : "The PDP mechanism needs sticky loadbalancing, the URL mode will append a querystring, while the Cookie mode will create a cookie. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.mode)",
"propertyOrder" : 13400,
"required" : false,
"type" : "string"
},
"postDataCacheTtl" : {
"title" : "PDP entry TTL",
"description" : "This value tells how long a given POST entry should be stored in the local cache (in milliseconds), default value is 300000. (property name: com.sun.identity.agents.config.postdata.preserve.cache.entry.ttl)",
"propertyOrder" : 13300,
"required" : false,
"type" : "integer"
},
"webServiceEndpoints" : {
"title" : "Web Service End Points",
"description" : "A list of Web Application end points that represent Web Services. (property name: com.sun.identity.agents.config.webservice.endpoint) <br>Hot-swap: Yes",
"propertyOrder" : 2100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceAuthenticator" : {
"title" : "Web Service Authenticator",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceAuthenticator that can be used to authenticate web-service requests. (property name: com.sun.identity.agents.config.webservice.authenticator) <br>Hot-swap: Yes",
"propertyOrder" : 2300,
"required" : false,
"type" : "string"
},
"alternativeAgentProtocol" : {
"title" : "Alternative Agent Protocol",
"description" : "Protocol being used (http/https) by the client browsers to communicate with the Agent protected server if different from the actual protocol used by the server. (property name: com.sun.identity.agents.config.agent.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 4300,
"required" : false,
"type" : "string"
},
"postDataPreserveCacheEntryMaxTotalSizeMb" : {
"title" : "PDP Maximum Cache Size",
"description" : "Maximum size of the PDP cache, in megabytes (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.total.size.mb). (Agent 5 only)",
"propertyOrder" : 13600,
"required" : false,
"type" : "integer"
},
"jbossWebAuthenticationAvailable" : {
"title" : "WebAuthentication Available",
"description" : "(Not used in Agent 5 onwards) <br>Enable agent to make programmatic authentication with the JBoss web container using WebAuthentication feature. (property name: com.sun.identity.agents.config.jboss.webauth.available) <br>Hot-swap: Yes",
"propertyOrder" : 12300,
"required" : false,
"type" : "boolean"
},
"postDataPreservation" : {
"title" : "Post Data Preservation enabled",
"description" : "Post Data Preservation functionality basically stores any POST data before redirecting the user to the login screen and after successful login the agent will generate a page that autosubmits the same POST to the original URL. (property name: com.sun.identity.agents.config.postdata.preserve.enable)",
"propertyOrder" : 13100,
"required" : false,
"type" : "boolean"
},
"xssDetectionRedirectUri" : {
"title" : "XSS detection redirect URI",
"description" : "An application-specific Map that identifies a URI of the customized page if XSS code has been detected. (property name: com.sun.identity.agents.config.xss.redirect.uri) <br>Hot-swap: Yes <br>Examples: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field, and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 12900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"postDataStickySessionKeyValue" : {
"title" : "PDP Stickysession key-value",
"description" : "The provided key-value pair will be used for adding to the URL or creating the cookie. <br>Example: <br>Set 'lb=server1' to append to the querystring or to have 'lb' cookie with 'server1' value. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.value)",
"propertyOrder" : 13500,
"required" : false,
"type" : "string"
}
}
},
"applicationJ2EEAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"customVerificationHandlers" : {
"title" : "Custom Verification Handler",
"description" : "Application specific verification handler to validate the user credentials with the local repository. (property name: com.sun.identity.agents.config.verification.handler) <br>Valid key: the web application name. <br>Valid value: the verification handler class name. <br>Hot-swap: Yes <br> Example: <br> To set verification handler for application BankApp: enter BankApp in Map Key field, and enter verification handler class name BankVerificationHandler in Corresponding Map Value field.",
"propertyOrder" : 3400,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"defaultPrivilegedAttributes" : {
"title" : "Default Privileged Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attributes that will be granted to all users who have a valid AM session. (property name: com.sun.identity.agents.config.default.privileged.attribute) <br>Hot-swap: Yes <br> Example: <br> AUTHENTICATED_USERS",
"propertyOrder" : 9400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedRuleCompoundSeparator" : {
"title" : "Not Enforced Compound Rule Separator",
"description" : "Specifies the separator for not enforced compound rules (Agent 5 only). A compound rule consists of a list of IP rules, the separator (by default the | character) and a list of URI rules, for example GET 192.168.1.1-192.168.4.3 | /images/*. Configure a different separator (for example, &&) when working with the REGEX keyword, so that the separator character is not taken as part of the regular expression and does not produce an invalid one.",
"propertyOrder" : 7450,
"required" : false,
"type" : "string"
},
"sessionAttributeMap" : {
"title" : "Session Attribute Mapping",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 9000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"logoutRequestParameters" : {
"title" : "Logout Request Parameter",
"description" : "An application-specific Map that identifies a parameter which when present in the HTTP request indicates a logout event. (property name: com.sun.identity.agents.config.logout.request.param) <br>Valid key: the web application name. <br>Valid value: the logout request parameter. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout request parameter. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout request parameter: leave Map Key field empty, and enter the global application logout request parameter logoutparam in Corresponding Map Value field. <br> To set the logout request parameter for application BankApp: enter BankApp in Map Key field, and enter the logout request parameter logoutparam in Corresponding Map Value field.",
"propertyOrder" : 6100,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"headerAttributeDateFormat" : {
"title" : "Fetch Attribute Date Format",
"description" : "Format of date attribute values to be used when the attribute is being set as HTTP header. Format is based on java.text.SimpleDateFormat. (property name: com.sun.identity.agents.config.attribute.date.format) <br>Hot-swap: Yes",
"propertyOrder" : 8400,
"required" : false,
"type" : "string"
},
"loginFormUri" : {
"title" : "Login Form URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-login-page element. (property name: com.sun.identity.agents.config.login.form) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/login.jsp",
"propertyOrder" : 2800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginContentFile" : {
"title" : "Login Content File Name",
"description" : "Complete path and name of custom login content file. (property name: com.sun.identity.agents.config.login.content.file) <br>Hot-swap: Yes",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"logoutEntryUri" : {
"title" : "Logout Entry URI",
"description" : "An application-specific Map that identifies a URI to be used as an entry point after successful logout and subsequent successful authentication if applicable. (property name: com.sun.identity.agents.config.logout.entry.uri) <br>Valid key: the web application name. <br>Valid value: the logout entry URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout entry URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout entry URI: leave Map Key field empty, and enter the global application logout entry URI /welcome.html in Corresponding Map Value field. <br> To set the logout entry URI for application BankApp: enter BankApp in Map Key field, and enter the logout entry URI /BankApp/welcome.html in Corresponding Map Value field.",
"propertyOrder" : 6300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"applicationLogoutHandlers" : {
"title" : "Application Logout Handler",
"description" : "An application-specific Map that identifies a handler to be used for logout processing. (property name: com.sun.identity.agents.config.logout.application.handler) <br>Valid key: the web application name. <br>Valid value: the application logout handler class name. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout handler. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout handler: leave Map Key field empty, and enter the global application logout handler class name GlobalApplicationLogoutHandler in Corresponding Map Value field. <br>To set the logout handler for application BankApp: enter BankApp in Map Key field, and enter the application logout handler class name BankAppLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 5900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"applicationLogoutUris" : {
"title" : "Application Logout URI",
"description" : "An application-specific Map that identifies a request URI which indicates a logout event. (property name: com.sun.identity.agents.config.logout.uri) <br>Valid key: the web application name. <br>Valid value: the application logout URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout URI: leave Map Key field empty, and enter the global application logout URI /logout.jsp in Corresponding Map Value field. <br> To set the logout URI for application BankApp: enter BankApp in Map Key field, and enter the application logout URI /BankApp/logout.jsp in Corresponding Map Value field.",
"propertyOrder" : 6000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"customLogoutHandlers" : {
"title" : "Custom Logout Handler",
"description" : "Application specific logout handler to log out a user with the application server. (property name: com.sun.identity.agents.config.logout.handler) <br>Valid key: the web application name. <br>Valid value: the logout handler class name. <br>Hot-swap: Yes <br> Example: <br>To set logout handler for application BankApp: enter BankApp in Map Key field, and enter logout handler class name BankLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 3300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"logoutIntrospection" : {
"title" : "Logout Introspect Enabled",
"description" : "Allows the Agent to search HTTP request body to locate logout parameter. (property name: com.sun.identity.agents.config.logout.introspect.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 6200,
"required" : false,
"type" : "boolean"
},
"privilegedSessionAttribute" : {
"title" : "Privileged Session Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of session property names which hold privileged attributes for the authenticated user. (property name: com.sun.identity.agents.config.privileged.session.attribute) <br>Hot-swap: Yes <br> Example: <br> UserToken",
"propertyOrder" : 9700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The names of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name under which it will appear in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3210,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedUrisCacheSize" : {
"title" : "Not Enforced URIs Cache Size",
"description" : "Size of the cache to be used if caching of not enforced URI list evaluation results is enabled. (property name: com.sun.identity.agents.config.notenforced.uri.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 7800,
"required" : false,
"type" : "integer"
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "The mode of fetching profile attributes. (property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8700,
"required" : false,
"type" : "string"
},
"resourceAccessDeniedUri" : {
"title" : "Resource Access Denied URI",
"description" : "An application-specific Map that identifies a URI of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.uri) <br>Valid key: the web application name. <br>Valid value: the customized application access denied page URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific access denied page. <br>Hot-swap: Yes <br> Examples: <br>To set a global access denied page: leave Map Key field empty, and enter the global access denied page URI /sample/accessdenied.html in Corresponding Map Value field. <br> To set the access denied page URI for application BankApp: enter BankApp in Map Key field, and enter the application access denied page URI /BankApp/accessdenied.html in Corresponding Map Value field.",
"propertyOrder" : 2700,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"privilegedAttributeMappingEnabled" : {
"title" : "Enable Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Enable a mapping from the original value of an attribute to another value. To satisfy container-specific restrictions on character set being used in certain configuration files. (property name: com.sun.identity.agents.config.privileged.attribute.mapping.enable) <br>Hot-swap: Yes",
"propertyOrder" : 9800,
"required" : false,
"type" : "boolean"
},
"cookieAttributeUrlEncoded" : {
"title" : "Attribute Cookie Encode",
"description" : "Indicates if the value of the attribute should be URL encoded before being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.encode) <br>Hot-swap: Yes",
"propertyOrder" : 8500,
"required" : false,
"type" : "boolean"
},
"cookieAttributeMultiValueSeparator" : {
"title" : "Cookie Separator Character",
"description" : "Character that will be used to separate multiple values of the same attribute when it is being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.separator) <br>Hot-swap: Yes",
"propertyOrder" : 8300,
"required" : false,
"type" : "string"
},
"profileAttributeMap" : {
"title" : "Profile Attribute Mapping",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 8800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedUrisCacheEnabled" : {
"title" : "Not Enforced URIs Cache Enabled",
"description" : "Enables the caching of the Not Enforced URIs list evaluation results. (property name: com.sun.identity.agents.config.notenforced.uri.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7700,
"required" : false,
"type" : "boolean"
},
"notEnforcedUris" : {
"title" : "Not Enforced URIs",
"description" : "List of URIs for which protection is not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri) <br>Hot-swap: Yes <br> Examples: <br> /BankApp/public/* <br> /BankApp/images/*",
"propertyOrder" : 7500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"useInternalLogin" : {
"title" : "Use Internal Login",
"description" : "Set to false if you want to customize the Login Content File instead of using the default internal content. (property name: com.sun.identity.agents.config.login.use.internal) <br>Hot-swap: Yes",
"propertyOrder" : 3000,
"required" : false,
"type" : "boolean"
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "The mode of fetching policy response attributes. (property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 9100,
"required" : false,
"type" : "string"
},
"privilegedAttributesToLowerCase" : {
"title" : "Privileged Attributes To Lower Case",
"description" : "(Not used in Agent 5 onwards) <br>Maps the privileged attribute types to whether they should be converted to lowercase. (property name: com.sun.identity.agents.config.privileged.attribute.tolowercase) <br> Valid Keys: the privileged attribute types, such as Group, Role. <br>Valid value: true, false. <br>Hot-swap: Yes <br> Example: <br> Enter Group in Map Key field, and enter false in Corresponding Map Value field.",
"propertyOrder" : 9600,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"shortenedPrivilegeAttributeValues" : {
"title" : "Shortened privilege attribute values",
"description" : "When using privileged attribute type, this setting will ensure that the membership details will be stored in a shortened format and not in the default universal ID format.<br><br>By default the agent maps identity memberships using their universal IDs (e.g. id=admin,ou=group,dc=openam,dc=forgerock,dc=org), however this may not be always acceptable. Using this setting the identity membership details will be mapped in a shortened format, only including the group's/role's name (e.g. admin). Be aware that in case there are both roles and groups in the data store, this setting will make them indistinguishable from each other, i.e. if there is a group and a role with the same name it will not be possible to differentiate them.",
"propertyOrder" : 13600,
"required" : false,
"type" : "boolean"
},
"privilegedAttributeMap" : {
"title" : "Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Map if using Enable Privileged Attribute Mapping. (property name: com.sun.identity.agents.config.privileged.attribute.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map UUID id=manager,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_manager_role specified in webapp's deployment descriptor: enter id=manager,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_manager_role in Corresponding Map Value field. <br> To map UUID id=employee,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_employee_role specified in webapp's deployment descriptor: enter id=employee,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_employee_role in Corresponding Map Value field.",
"propertyOrder" : 9900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"customAuthenticationHandlers" : {
"title" : "Custom Authentication Handler",
"description" : "Application specific authentication handler to authenticate the logged on user with the application server. (property name: com.sun.identity.agents.config.auth.handler) <br>Valid key: the web application name. <br>Valid value: the authentication handler class name. <br>Hot-swap: Yes <br>Example: <br>To set authentication handler for application BankApp: enter BankApp in Map Key field, and enter authentication handler class name BankAuthHandler in Corresponding Map Value field.",
"propertyOrder" : 3200,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedIpsCacheEnabled" : {
"title" : "Not Enforced IP Cache Flag",
"description" : "Enable caching of not-enforced IP list evaluation results. (property name: com.sun.identity.agents.config.notenforced.ip.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 8100,
"required" : false,
"type" : "boolean"
},
"privilegedAttributeType" : {
"title" : "Privileged Attribute Type",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attribute types that will be fetched for each user. (property name: com.sun.identity.agents.config.privileged.attribute.type) <br>Hot-swap: Yes <br> Example: <br> Group",
"propertyOrder" : 9500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedIpsCacheSize" : {
"title" : "Not Enforced IP Cache Size",
"description" : "Size of the cache to be used if Not Enforced IP Cache Flag is enabled. (property name: com.sun.identity.agents.config.notenforced.ip.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 8200,
"required" : false,
"type" : "integer"
},
"loginErrorUri" : {
"title" : "Login Error URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-error-page element. (property name: com.sun.identity.agents.config.login.error.uri) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/error.jsp",
"propertyOrder" : 2900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"invertNotEnforcedUris" : {
"title" : "Invert Not Enforced URIs",
"description" : "Inverts protection of URIs specified in Not Enforced URIs list. When set to true, it indicates that the URIs specified should be enforced and all other URIs should be not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri.invert) <br>Hot-swap: Yes",
"propertyOrder" : 7600,
"required" : false,
"type" : "boolean"
},
"invertNotEnforcedIps" : {
"title" : "Not Enforced IP Invert List",
"description" : "Inverts the protection of the client IP addresses listed in the related Not Enforced Client IP List. When set to true, requests from the listed addresses are enforced and requests from all other addresses are not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.ip.invert) <br>Hot-swap: Yes",
"propertyOrder" : 8000,
"required" : false,
"type" : "boolean"
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The names of the headers in the user's original request that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name under which it will appear in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3211,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization protection from agent are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 7900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedUrisRefreshSessionIdleTime" : {
"title" : "Refresh Session Idle Time",
"description" : "Indicates if opensso session idle time should be refreshed or reset for not enforced URIs. (property name: com.sun.identity.agents.config.notenforced.refresh.session.idletime) <br>Hot-swap: Yes",
"propertyOrder" : 8600,
"required" : false,
"type" : "boolean"
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "The mode of fetching session attributes. (property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8900,
"required" : false,
"type" : "string"
},
"responseAttributeMap" : {
"title" : "Response Attribute Mapping",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 9200,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
}
},
"miscJ2EEAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. Change the default value only when the login URL has a landing page specified. <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The Agent uses this parameter to append the original request URL to the cdcservlet URL; the landing page consumes the parameter to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent:port/original.jsp",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"legacyUserAgentSupport" : {
"title" : "Legacy User Agent Support Enable",
"description" : "Enables support for legacy user agents (browser). (property name: com.sun.identity.agents.config.legacy.support.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6700,
"required" : false,
"type" : "boolean"
},
"portCheckEnabled" : {
"title" : "Port Check Enable",
"description" : "Indicates if port check functionality is enabled or disabled. (property name: com.sun.identity.agents.config.port.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7200,
"required" : false,
"type" : "boolean"
},
"portCheckSetting" : {
"title" : "Port Check Setting",
"description" : "Map of port versus protocol entries with the key being the listening port number and value being the listening protocol to be used by the Agent to identify requests with invalid port numbers. (property name: com.sun.identity.agents.config.port.check.setting) <br>Hot-swap: Yes <br> Example: <br> To map port 80 to protocol http: enter 80 in Map Key field, and enter http in Corresponding Map Value field.",
"propertyOrder" : 7400,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 18600,
"required" : false,
"type" : "boolean"
},
"legacyUserAgentList" : {
"title" : "Legacy User Agent List",
"description" : "List of user agent header values that identify legacy browsers. Entries in this list can have wild card character '*'. (property name: com.sun.identity.agents.config.legacy.user.agent) <br>Hot-swap: Yes",
"propertyOrder" : 6800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"portCheckFile" : {
"title" : "Port Check File",
"description" : "Name or complete path of a file that has the necessary content needed to handle requests that need port correction. (property name: com.sun.identity.agents.config.port.check.file) <br>Hot-swap: Yes",
"propertyOrder" : 7300,
"required" : false,
"type" : "string"
},
"localeLanguage" : {
"title" : "Locale Language",
"description" : "(property name: com.sun.identity.agents.config.locale.language) <br>Hot-swap: No",
"propertyOrder" : 1300,
"required" : false,
"type" : "string"
},
"bypassPrincipalList" : {
"title" : "Bypass Principal List",
"description" : "List of principals that are bypassed by the Agent for authentication and search purposes. (property name: com.sun.identity.agents.config.bypass.principal) <br>Hot-swap: Yes <br> Examples: <br> guest <br> testuser",
"propertyOrder" : 9300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"encryptionProvider" : {
"title" : "Encryption Provider",
"description" : "Specifies the encryption provider implementation to be used by the Agent. (property name: com.iplanet.security.encryptor) <br>Hot-swap: No",
"propertyOrder" : 10400,
"required" : false,
"type" : "string"
},
"localeCountry" : {
"title" : "Locale Country",
"description" : "(property name: com.sun.identity.agents.config.locale.country) <br>Hot-swap: No",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"legacyRedirectUri" : {
"title" : "Legacy User Agent Redirect URI",
"description" : "An intermediate URI used by the Agent to redirect legacy user agent requests. (property name: com.sun.identity.agents.config.legacy.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 6900,
"required" : false,
"type" : "string"
}
}
}
}
}
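The Not Enforced URIs, Not Enforced Client IP List, the two Invert flags, the Agent 5 compound rule separator and the Continuous Security cookie and header mappings above together describe how the agent decides whether a request is gated at all and what it forwards to policy evaluation. The following Python is an added illustration of those documented semantics, not code from the agent or from the OpenAM project. The wildcard handling, the treatment of uppercase tokens as HTTP methods inside a compound rule, and the behaviour of an inverted list that matches nothing are this example's own reading of the descriptions and are marked as assumptions in the comments; the sample configuration and requests are constructed.

```python
"""Added illustration of the not-enforced and continuous-security semantics
described by the applicationJ2EEAgentConfig properties. Not agent code."""
import ipaddress
import re


# Assumption: '*' in a not-enforced entry matches any run of characters,
# as in the documented examples /BankApp/public/* and 192.18.145.*
def _glob_match(pattern, value):
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _ip_match(rule, client_ip):
    """Single address, wildcard (192.18.145.*) or range (192.168.1.1-192.168.4.3)."""
    if "-" in rule:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        return lo <= ipaddress.ip_address(client_ip) <= hi
    return _glob_match(rule, client_ip)


_HTTP_METHOD = re.compile(r"^[A-Z]+$")  # assumption: method tokens are uppercase words


def parse_compound_rule(rule, separator="|"):
    """Agent 5 compound rule: [methods] ip-rules <separator> uri-rules,
    e.g. 'GET 192.168.1.1-192.168.4.3 | /images/*'."""
    left, right = (side.strip() for side in rule.split(separator, 1))
    methods, ips = [], []
    for token in left.split():
        (methods if _HTTP_METHOD.match(token) else ips).append(token)
    return {"methods": methods, "ips": ips, "uris": right.split()}


def is_not_enforced(config, method, client_ip, uri):
    """True if the agent would skip authentication and authorization.

    notEnforcedIps / invertNotEnforcedIps are checked first, then notEnforcedUris
    (plain globs, or compound rules split on notEnforcedRuleCompoundSeparator)
    with invertNotEnforcedUris. Inversion is modelled as 'matched XOR inverted',
    so an inverted list that matches nothing, an empty inverted list included,
    leaves every request not enforced (assumption drawn from the descriptions;
    this is why the Invert flags deserve a review before they are switched on)."""
    ip_rules = config.get("notEnforcedIps", [])
    if ip_rules:
        ip_hit = any(_ip_match(r, client_ip) for r in ip_rules)
        if ip_hit != config.get("invertNotEnforcedIps", False):
            return True
    separator = config.get("notEnforcedRuleCompoundSeparator", "|")
    uri_hit = False
    for entry in config.get("notEnforcedUris", []):
        if separator in entry:
            rule = parse_compound_rule(entry, separator)
            if ((not rule["methods"] or method in rule["methods"])
                    and any(_ip_match(r, client_ip) for r in rule["ips"])
                    and any(_glob_match(u, uri) for u in rule["uris"])):
                uri_hit = True
                break
        elif _glob_match(entry, uri):
            uri_hit = True
            break
    return uri_hit != config.get("invertNotEnforcedUris", False)


def continuous_security_env(config, cookies, headers):
    """Build the 'environment' payload from continuousSecurityCookies and
    continuousSecurityHeaders: key = request cookie/header name, value = name
    seen by the policy script. Several sources mapped to one name become a
    list; a missing source contributes the empty string, as the descriptions
    state. Header names are looked up exactly as configured (assumption)."""
    env = {}
    for source, key in ((cookies, "continuousSecurityCookies"),
                        (headers, "continuousSecurityHeaders")):
        for name, env_name in config.get(key, {}).items():
            env.setdefault(env_name, []).append(source.get(name, ""))
    return {k: v[0] if len(v) == 1 else v for k, v in env.items()}


# Constructed sample configuration; keys are the schema property names above.
SAMPLE_CONFIG = {
    "notEnforcedUris": ["/BankApp/public/*", "/BankApp/images/*",
                        "GET 192.168.1.1-192.168.4.3 | /images/*"],
    "notEnforcedIps": ["192.18.145.*", "192.18.146.123"],
    "continuousSecurityCookies": {"device": "device", "legacy_device": "device"},
    "continuousSecurityHeaders": {"User-Agent": "ua"},
}

if __name__ == "__main__":
    for req in (("GET", "10.1.1.1", "/BankApp/public/a.css"),
                ("GET", "10.1.1.1", "/BankApp/account"),
                ("GET", "192.18.145.9", "/BankApp/account"),
                ("POST", "192.168.2.50", "/images/logo.png")):
        print(req, "not enforced" if is_not_enforced(SAMPLE_CONFIG, *req) else "enforced")
    print(continuous_security_env(SAMPLE_CONFIG, {"device": "abc"}, {"User-Agent": "curl/8"}))
```

Run the module directly to see the four constructed requests classified and the environment payload built; the POST to /images/logo.png is enforced because the compound rule names only GET, and a cookie name that is mapped but absent from the request shows up as an empty string rather than being dropped.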
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amServicesJ2EEAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"policyActionBooleanValues" : {
"title" : "Policy Client Boolean Action Values",
"description" : "Boolean action values for policy action names. (property name: com.sun.identity.policy.client.booleanActionValues) <br>Hot-swap: No",
"propertyOrder" : 11500,
"required" : false,
"type" : "string"
},
"conditionalLogoutUrl" : {
"title" : "AM Conditional Logout URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.logout.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1&param2=value2 <br> match/path|?param1=value1&param2=value2&param3=value3",
"propertyOrder" : 12550,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyNotifications" : {
"title" : "Enable Policy Notifications",
"description" : "Enable Notifications for remote policy client. (property name: com.sun.identity.agents.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 11200,
"required" : false,
"type" : "boolean"
},
"userDataCachePollingTime" : {
"title" : "User Data Cache Polling Time",
"description" : "Cache update time in minutes for user management data. If set to '0' no updates happen. (property name: com.iplanet.am.sdk.remote.pollingTime) <br>Hot-swap: No",
"propertyOrder" : 10600,
"required" : false,
"type" : "integer"
},
"enableClientPolling" : {
"title" : "Enable Client Polling",
"description" : "Specifies if the session client must use polling for updating session information and not depend upon server notifications. (property name: com.iplanet.am.session.client.polling.enable) <br>Hot-swap: No",
"propertyOrder" : 10200,
"required" : false,
"type" : "boolean"
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 3700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serviceDataCacheTime" : {
"title" : "Service Data Cache Time",
"description" : "Cache update time in minutes for service configuration data. If set to '0' no updates happen. (property name: com.sun.identity.sm.cacheTime) <br>Hot-swap: No",
"propertyOrder" : 10800,
"required" : false,
"type" : "integer"
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"policyClientPollingInterval" : {
"title" : "Policy Client Polling Interval",
"description" : "Duration in minutes after which the cached entries are refreshed by remote policy client. (property name: com.sun.identity.agents.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 11300,
"required" : false,
"type" : "integer"
},
"authServicePort" : {
"title" : "AM Authentication Service Port",
"description" : "Port to be used by the AM authentication service. (property name: com.iplanet.am.server.port) <br>Hot-swap: No",
"propertyOrder" : 11100,
"required" : false,
"type" : "integer"
},
"urlPolicyEnvJsessionParameters" : {
"title" : "URL Policy Env jsession Parameters",
"description" : "List of HTTP SESSION attributes whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.jsession.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 12000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authServiceHost" : {
"title" : "AM Authentication Service Host Name",
"description" : "Host name to be used by the AM authentication service. (property name: com.iplanet.am.server.host) <br>Hot-swap: No",
"propertyOrder" : 11000,
"required" : false,
"type" : "string"
},
"clientPollingPeriod" : {
"title" : "Client Polling Period",
"description" : "(Not used in Agent 5 onwards) <br>Time in seconds after which the session client will request update of cached session information from the server. (property name: com.iplanet.am.session.client.polling.period) <br>Hot-swap: No",
"propertyOrder" : 10300,
"required" : false,
"type" : "integer"
},
"policyClientResourceComparators" : {
"title" : "Policy Client Resource Comparators",
"description" : "Resource Comparators to be used for different service names. (property name: com.sun.identity.policy.client.resourceComparators) <br>Hot-swap: No",
"propertyOrder" : 11600,
"required" : false,
"type" : "string"
},
"urlPolicyEnvGetParameters" : {
"title" : "URL Policy Env GET Parameters",
"description" : "List of HTTP GET request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.get.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClientClockSkew" : {
"title" : "Policy Client Clock Skew",
"description" : "Time in seconds which is allowed to accommodate the time difference between the AM server machine and the remote policy client machine. (property name: com.sun.identity.policy.client.clockSkew) <br>Hot-swap: No",
"propertyOrder" : 11700,
"required" : false,
"type" : "integer"
},
"userDataCacheNotifications" : {
"title" : "Enable Notification of User Data Caches",
"description" : "Enable notifications for amsdk and IdRepo Caches. (property name: com.sun.identity.idm.remote.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10500,
"required" : false,
"type" : "boolean"
},
"loginProbeTimeout" : {
"title" : "Login URL Probe Timeout",
"description" : "Connect timeout in milliseconds used when probing the login URLs; applies only when Login URL Probe is set to true. (property name: com.sun.identity.agents.config.login.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 4000,
"required" : false,
"type" : "integer"
},
"logoutProbeTimeout" : {
"title" : "Logout URL Probe Timeout",
"description" : "Connect timeout in milliseconds used when probing a Logout URL; applies only when Logout URL Probe is set to true. (property name: com.sun.identity.agents.config.logout.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 12700,
"required" : false,
"type" : "integer"
},
"serviceDataCacheNotifications" : {
"title" : "Enable Notification of Service Data Caches",
"description" : "Enable the notifications for service management caches. (property name: com.sun.identity.sm.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10700,
"required" : false,
"type" : "boolean"
},
"probeLoginUrl" : {
"title" : "Login URL Probe",
"description" : "Specifies whether the agent checks that a Login URL is reachable before redirecting the user to it. (property name: com.sun.identity.agents.config.login.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 3900,
"required" : false,
"type" : "boolean"
},
"probeLogoutUrl" : {
"title" : "Logout URL Probe",
"description" : "Specifies whether the agent checks that a Logout URL is reachable before redirecting the user to it. (property name: com.sun.identity.agents.config.logout.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 12600,
"required" : false,
"type" : "boolean"
},
"useRedirectForCompositeAdvice" : {
"title" : "Use HTTP-Redirect for composite advice",
"description" : "Configure remote policy client to use HTTP-redirect instead of HTTP-POST for composite advices. (property name: com.sun.identity.agents.config.policy.advice.use.redirect) <br>Hot-swap: Yes",
"propertyOrder" : 13000,
"required" : false,
"type" : "boolean"
},
"conditionalLoginUrl" : {
"title" : "AM Conditional Login URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.login.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1&param2=value2 <br> match/path|?param1=value1&param2=value2&param3=value3",
"propertyOrder" : 4010,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClientCacheMode" : {
"title" : "Policy Client Cache Mode",
"description" : "Mode of caching to be used by remote policy client. (property name: com.sun.identity.policy.client.cacheMode) <br>Hot-swap: No",
"propertyOrder" : 11400,
"required" : false,
"type" : "string"
},
"authServiceProtocol" : {
"title" : "AM Authentication Service Protocol",
"description" : "Protocol to be used by the AM authentication service. (property name: com.iplanet.am.server.protocol) <br>Hot-swap: No",
"propertyOrder" : 10900,
"required" : false,
"type" : "string"
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Name of the application (policy set) whose policies the agent evaluates requests against. (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"urlPolicyEnvPostParameters" : {
"title" : "URL Policy Env POST Parameters",
"description" : "List of HTTP POST request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.post.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 12400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginUrlPrioritized" : {
"title" : "Login URL Prioritized",
"description" : "Specifies if failover sequence for Login URLs or CDSSO URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.login.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 3800,
"required" : false,
"type" : "boolean"
},
"logoutUrlPrioritized" : {
"title" : "Logout URL Prioritized",
"description" : "Specifies if the failover sequence for Logout URLs should be prioritized as defined in the AM Logout URL list. (property name: com.sun.identity.agents.config.logout.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 12500,
"required" : false,
"type" : "boolean"
}
}
},
"ssoJ2EEAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoTrustedIdProvider" : {
"title" : "CDSSO Trusted ID Provider",
"description" : "List of AM Server/ID providers that should be trusted by the agent, when evaluating the CDC Liberty Responses. (property name: com.sun.identity.agents.config.cdsso.trusted.id.provider) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetDomains" : {
"title" : "Cookies Reset Domain Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the domain of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.domain) <br>Hot-swap: Yes",
"propertyOrder" : 4800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross Domain Single SignOn. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5000,
"required" : false,
"type" : "boolean"
},
"cookieResetNames" : {
"title" : "Cookies Reset Name List",
"description" : "Cookie names that will be reset by the Agent if Cookie Reset is enabled. (property name: com.sun.identity.agents.config.cdsso.cookie.reset.name) <br>Hot-swap: Yes",
"propertyOrder" : 4700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetPaths" : {
"title" : "Cookies Reset Path Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the path of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.path) <br>Hot-swap: Yes",
"propertyOrder" : 4900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cdssoClockSkew" : {
"title" : "CDSSO Clock Skew",
"description" : "Time in seconds to be used by the Agent to determine the validity of the CDSSO AuthnResponse assertion. (property name: com.sun.identity.agents.config.cdsso.clock.skew) <br>Hot-swap: Yes",
"propertyOrder" : 5300,
"required" : false,
"type" : "integer"
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ssoCacheEnabled" : {
"title" : "SSO Cache Enable",
"description" : "Specifies if the SSO Cache is active for the agent. Cache is used through public APIs exposed by the agent SDK. (property name: com.sun.identity.agents.config.amsso.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4500,
"required" : false,
"type" : "boolean"
},
"cdssoDomainList" : {
"title" : "CDSSO Domain List",
"description" : "Domains for which cookies have to be set in a CDSSO scenario. (property name: com.sun.identity.agents.config.cdsso.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 5800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4600,
"required" : false,
"type" : "boolean"
},
"cdssoSecureCookies" : {
"title" : "CDSSO Secure Enable",
"description" : "The SSO Token cookie set by the agent in the different domains in CDSSO mode will be marked secure, so the browser only transmits it to the host over a secure (HTTPS) channel. (property name: com.sun.identity.agents.config.cdsso.secure.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5700,
"required" : false,
"type" : "boolean"
},
"amCookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.iplanet.am.cookie.name) <br>Hot-swap: No",
"propertyOrder" : 10100,
"required" : false,
"type" : "string"
}
}
},
"globalJ2EEAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 1800,
"required" : false,
"type" : "boolean"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 12105,
"required" : false,
"type" : "integer"
},
"userMappingMode" : {
"title" : "User Mapping Mode",
"description" : "Specifies the mechanism the agent uses to determine the user-ID. (property name: com.sun.identity.agents.config.user.mapping.mode) <br>Hot-swap: Yes",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
},
"configurationReloadInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in seconds between configuration reloads. (property name: com.sun.identity.agents.config.load.interval) <br>Hot-swap: Yes",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 1500,
"required" : false,
"type" : "string"
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 12100,
"required" : false,
"type" : "boolean"
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6400,
"required" : false,
"type" : "boolean"
},
"redirectAttemptLimit" : {
"title" : "Redirect Attempt Limit",
"description" : "Number of successive redirects to a single point that a user can make within one browser session before the agent blocks the user's request. Set to 0 to disable this feature. (property name: com.sun.identity.agents.config.redirect.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 7100,
"required" : false,
"type" : "integer"
},
"userPrincipalFlag" : {
"title" : "User Principal Flag",
"description" : "Use principal instead of just the user-ID for authenticating the user. (property name: com.sun.identity.agents.config.user.principal) <br>Hot-swap: Yes",
"propertyOrder" : 800,
"required" : false,
"type" : "boolean"
},
"filterMode" : {
"title" : "Agent Filter Mode",
"description" : "Specifies the mode of operation of the Filter. (property name: com.sun.identity.agents.config.filter.mode) <br>Valid key: the web application name. <br>Valid values: ALL, J2EE_POLICY (Not used in Agent 5 onwards), URL_POLICY, SSO_ONLY, NONE <br>For this property, a global value can be set to apply to all the applications that don't have their own specific filter mode. <br>Hot-swap: No <br>Examples: <br>To set ALL as the global filter mode: leave Map Key field empty, and enter ALL in Corresponding Map Value field. <br>To set URL_POLICY as the filter mode for application BankApp: enter BankApp in Map Key field, and enter URL_POLICY in Corresponding Map Value field.",
"propertyOrder" : 500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 1600,
"required" : false,
"type" : "string"
},
"httpSessionBinding" : {
"title" : "HTTP Session Binding",
"description" : "If true will invalidate the http session when login has failed, user has no SSO session, or principal user name does not match SSO user name. (property name: com.sun.identity.agents.config.httpsession.binding) <br>Hot-swap: Yes",
"propertyOrder" : 3500,
"required" : false,
"type" : "boolean"
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 6600,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 11201,
"required" : false,
"type" : "string"
},
"remoteLogFilename" : {
"title" : "Remote Log File Name",
"description" : "Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: Yes",
"propertyOrder" : 1700,
"required" : false,
"type" : "string"
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 300,
"required" : false,
"type" : "string"
},
"debugLevel" : {
"title" : "Agent Debug Level",
"description" : "Specifies type of agent debug messages to log. (property name: com.iplanet.services.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 10000,
"required" : false,
"type" : "string"
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 6500,
"required" : false,
"type" : "string"
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 1900,
"required" : false,
"type" : "integer"
},
"loginAttemptLimit" : {
"title" : "Login Attempt Limit",
"description" : "Number of failed login attempts allowed within one browser session before the agent blocks the user's request. A value of 0 disables this feature. (property name: com.sun.identity.agents.config.login.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 4400,
"required" : false,
"type" : "integer"
},
"customResponseHeader" : {
"title" : "Custom Response Header",
"description" : "Map specifies the custom headers that are set by the Agent on the client browser. The key is the header name and the value represents the header value. (property name: com.sun.identity.agents.config.response.header) <br>Hot-swap: Yes <br> Example: <br> To set the custom header Cache-Control to value no-cache: enter Cache-Control in Map Key field, and enter no-cache in Corresponding Map Value field.",
"propertyOrder" : 7000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"userAttributeName" : {
"title" : "User Attribute Name",
"description" : "Name of the attribute which contains the user-ID. (property name: com.sun.identity.agents.config.user.attribute.name) <br>Hot-swap: Yes",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"userTokenName" : {
"title" : "User Token Name",
"description" : "Session property name for user-ID of the authenticated user in session. (property name: com.sun.identity.agents.config.user.token) <br>Hot-swap: Yes",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"advancedJ2EEAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"webServiceInternalErrorContentFile" : {
"title" : "Web Service Internal Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an internal error fault for clients. (property name: com.sun.identity.agents.config.webservice.internalerror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2500,
"required" : false,
"type" : "string"
},
"possibleXssCodeElements" : {
"title" : "Possible XSS code elements",
"description" : "If one of these strings occurs in the request, the client is redirected to an error page. (property name: com.sun.identity.agents.config.xss.code.elements) <br>Hot-swap: Yes",
"propertyOrder" : 12800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceAuthorizationErrorContentFile" : {
"title" : "Web Service Authorization Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an authorization error fault for clients. (property name: com.sun.identity.agents.config.webservice.autherror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"missingPostDataPreservationEntryUri" : {
"title" : "Missing PDP entry URI",
"description" : "An application-specific URI Map that is used when the referenced PDP entry cannot be found in the local cache (for example because its TTL has expired). In such cases the agent redirects to the specified URI; otherwise it returns an HTTP 403 Forbidden error. (property name: com.sun.identity.agents.config.postdata.preservce.cache.noentry.url)<br>Examples: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 13200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceEnabled" : {
"title" : "Web Service Enable",
"description" : "Flag specifies if Web Service processing is enabled. (property name: com.sun.identity.agents.config.webservice.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2000,
"required" : false,
"type" : "boolean"
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 12200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"alternativeAgentHostname" : {
"title" : "Alternative Agent Host Name",
"description" : "Host name identifying the Agent protected server to the client browsers if different from the actual host name. (property name: com.sun.identity.agents.config.agent.host) <br>Hot-swap: Yes",
"propertyOrder" : 4100,
"required" : false,
"type" : "string"
},
"postDataPreserveCacheEntryMaxEntries" : {
"title" : "PDP Maximum Number of Cache Entries",
"description" : "Maximum number of entries to hold in the PDP cache (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.entries) (Agent 5 only).",
"propertyOrder" : 13550,
"required" : false,
"type" : "integer"
},
"webServiceProcessGetEnabled" : {
"title" : "Web Service Process GET Enable",
"description" : "Flag that indicates whether the processing of HTTP GET requests for Web Service endpoints is enabled. (property name: com.sun.identity.agents.config.webservice.process.get.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2200,
"required" : false,
"type" : "boolean"
},
"alternativeAgentPort" : {
"title" : "Alternative Agent Port Name",
"description" : "Port number identifying the Agent protected server listening port to the client browsers if different from the actual listening port. (property name: com.sun.identity.agents.config.agent.port) <br>Hot-swap: Yes",
"propertyOrder" : 4200,
"required" : false,
"type" : "string"
},
"webServiceResponseProcessor" : {
"title" : "Web Service Response Processor",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceResponseProcessor that can be used to process the web-service responses. (property name: com.sun.identity.agents.config.webservice.responseprocessor) <br>Hot-swap: Yes",
"propertyOrder" : 2400,
"required" : false,
"type" : "string"
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 1100,
"required" : false,
"type" : "string"
},
"postDataStickySessionMode" : {
"title" : "PDP Stickysession mode",
"description" : "The PDP mechanism requires sticky load balancing. In URL mode the agent appends a query string to the URL; in Cookie mode it creates a cookie. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.mode)",
"propertyOrder" : 13400,
"required" : false,
"type" : "string"
},
"postDataCacheTtl" : {
"title" : "PDP entry TTL",
"description" : "How long a given POST entry is kept in the local cache, in milliseconds. The default value is 300000. (property name: com.sun.identity.agents.config.postdata.preserve.cache.entry.ttl)",
"propertyOrder" : 13300,
"required" : false,
"type" : "integer"
},
"webServiceEndpoints" : {
"title" : "Web Service End Points",
"description" : "A list of Web Application end points that represent Web Services. (property name: com.sun.identity.agents.config.webservice.endpoint) <br>Hot-swap: Yes",
"propertyOrder" : 2100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceAuthenticator" : {
"title" : "Web Service Authenticator",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceAuthenticator that can be used to authenticate web-service requests. (property name: com.sun.identity.agents.config.webservice.authenticator) <br>Hot-swap: Yes",
"propertyOrder" : 2300,
"required" : false,
"type" : "string"
},
"alternativeAgentProtocol" : {
"title" : "Alternative Agent Protocol",
"description" : "Protocol being used (http/https) by the client browsers to communicate with the Agent protected server if different from the actual protocol used by the server. (property name: com.sun.identity.agents.config.agent.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 4300,
"required" : false,
"type" : "string"
},
"postDataPreserveCacheEntryMaxTotalSizeMb" : {
"title" : "PDP Maximum Cache Size",
"description" : "Maximum size of the PDP cache, in megabytes (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.total.size.mb). (Agent 5 only)",
"propertyOrder" : 13600,
"required" : false,
"type" : "integer"
},
"jbossWebAuthenticationAvailable" : {
"title" : "WebAuthentication Available",
"description" : "(Not used in Agent 5 onwards) <br>Enable agent to make programmatic authentication with the JBoss web container using WebAuthentication feature. (property name: com.sun.identity.agents.config.jboss.webauth.available) <br>Hot-swap: Yes",
"propertyOrder" : 12300,
"required" : false,
"type" : "boolean"
},
"postDataPreservation" : {
"title" : "Post Data Preservation enabled",
"description" : "Post Data Preservation stores the POST data of a request before redirecting the user to the login screen; after successful login the agent generates a page that automatically resubmits the same POST to the original URL. (property name: com.sun.identity.agents.config.postdata.preserve.enable)",
"propertyOrder" : 13100,
"required" : false,
"type" : "boolean"
},
"xssDetectionRedirectUri" : {
"title" : "XSS detection redirect URI",
"description" : "An application-specific Map that identifies the URI of a customized page to redirect to when possible XSS code has been detected in a request. (property name: com.sun.identity.agents.config.xss.redirect.uri) <br>Hot-swap: Yes <br>Examples: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field, and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 12900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"postDataStickySessionKeyValue" : {
"title" : "PDP Stickysession key-value",
"description" : "The provided key-value pair will be used for adding to the URL or creating the cookie. <br>Example: <br>Set 'lb=server1' to append to the querystring or to have 'lb' cookie with 'server1' value. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.value)",
"propertyOrder" : 13500,
"required" : false,
"type" : "string"
}
}
},
"applicationJ2EEAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"customVerificationHandlers" : {
"title" : "Custom Verification Handler",
"description" : "Application specific verification handler to validate the user credentials with the local repository. (property name: com.sun.identity.agents.config.verification.handler) <br>Valid key: the web application name. <br>Valid value: the verification handler class name. <br>Hot-swap: Yes <br> Example: <br> To set verification handler for application BankApp: enter BankApp in Map Key field, and enter verification handler class name BankVerificationHandler in Corresponding Map Value field.",
"propertyOrder" : 3400,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"defaultPrivilegedAttributes" : {
"title" : "Default Privileged Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attributes that will be granted to all users who have a valid AM session. (property name: com.sun.identity.agents.config.default.privileged.attribute) <br>Hot-swap: Yes <br> Example: <br> AUTHENTICATED_USERS",
"propertyOrder" : 9400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedRuleCompoundSeparator" : {
"title" : "Not Enforced Compound Rule Separator",
"description" : "Specifies a separator for not enforced compound rules (Agent 5 only). The format for compound rules requires a list of IP rules, a separator (by default the | character), and a list of URI rules. For example: GET 192.168.1.1-192.168.4.3 | /images/* <br>Configure a different separator (for example, &&) when working with the REGEX keyword, so that the separator is not mistaken for part of the regular expression.",
"propertyOrder" : 7450,
"required" : false,
"type" : "string"
},
"sessionAttributeMap" : {
"title" : "Session Attribute Mapping",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 9000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"logoutRequestParameters" : {
"title" : "Logout Request Parameter",
"description" : "An application-specific Map that identifies a parameter which when present in the HTTP request indicates a logout event. (property name: com.sun.identity.agents.config.logout.request.param) <br>Valid key: the web application name. <br>Valid value: the logout request parameter. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout request parameter. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout request parameter: leave Map Key field empty, and enter the global application logout request parameter logoutparam in Corresponding Map Value field. <br> To set the logout request parameter for application BankApp: enter BankApp in Map Key field, and enter the logout request parameter logoutparam in Corresponding Map Value field.",
"propertyOrder" : 6100,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"headerAttributeDateFormat" : {
"title" : "Fetch Attribute Date Format",
"description" : "Format of date attribute values to be used when the attribute is being set as HTTP header. Format is based on java.text.SimpleDateFormat. (property name: com.sun.identity.agents.config.attribute.date.format) <br>Hot-swap: Yes",
"propertyOrder" : 8400,
"required" : false,
"type" : "string"
},
"loginFormUri" : {
"title" : "Login Form URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-login-page element. (property name: com.sun.identity.agents.config.login.form) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/login.jsp",
"propertyOrder" : 2800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginContentFile" : {
"title" : "Login Content File Name",
"description" : "Complete path and name of custom login content file. (property name: com.sun.identity.agents.config.login.content.file) <br>Hot-swap: Yes",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"logoutEntryUri" : {
"title" : "Logout Entry URI",
"description" : "An application-specific Map that identifies a URI to be used as an entry point after successful logout and subsequent successful authentication if applicable. (property name: com.sun.identity.agents.config.logout.entry.uri) <br>Valid key: the web application name. <br>Valid value: the logout entry URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout entry URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout entry URI: leave Map Key field empty, and enter the global application logout entry URI /welcome.html in Corresponding Map Value field. <br> To set the logout entry URI for application BankApp: enter BankApp in Map Key field, and enter the logout entry URI /BankApp/welcome.html in Corresponding Map Value field.",
"propertyOrder" : 6300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"applicationLogoutHandlers" : {
"title" : "Application Logout Handler",
"description" : "An application-specific Map that identifies a handler to be used for logout processing. (property name: com.sun.identity.agents.config.logout.application.handler) <br>Valid key: the web application name. <br>Valid value: the application logout handler class name. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout handler. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout handler: leave Map Key field empty, and enter the global application logout handler class name GlobalApplicationLogoutHandler in Corresponding Map Value field. <br>To set the logout handler for application BankApp: enter BankApp in Map Key field, and enter the application logout handler class name BankAppLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 5900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"applicationLogoutUris" : {
"title" : "Application Logout URI",
"description" : "An application-specific Map that identifies a request URI which indicates a logout event. (property name: com.sun.identity.agents.config.logout.uri) <br>Valid key: the web application name. <br>Valid value: the application logout URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout URI: leave Map Key field empty, and enter the global application logout URI /logout.jsp in Corresponding Map Value field. <br> To set the logout URI for application BankApp: enter BankApp in Map Key field, and enter the application logout URI /BankApp/logout.jsp in Corresponding Map Value field.",
"propertyOrder" : 6000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"customLogoutHandlers" : {
"title" : "Custom Logout Handler",
"description" : "Application specific logout handler to log out a user with the application server. (property name: com.sun.identity.agents.config.logout.handler) <br>Valid key: the web application name. <br>Valid value: the logout handler class name. <br>Hot-swap: Yes <br> Example: <br>To set logout handler for application BankApp: enter BankApp in Map Key field, and enter logout handler class name BankLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 3300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"logoutIntrospection" : {
"title" : "Logout Introspect Enabled",
"description" : "Allows the Agent to search the HTTP request body to locate the logout parameter. (property name: com.sun.identity.agents.config.logout.introspect.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 6200,
"required" : false,
"type" : "boolean"
},
"privilegedSessionAttribute" : {
"title" : "Privileged Session Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of session property names which hold privileged attributes for the authenticated user. (property name: com.sun.identity.agents.config.privileged.session.attribute) <br>Hot-swap: Yes <br> Example: <br> UserToken",
"propertyOrder" : 9700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3210,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedUrisCacheSize" : {
"title" : "Not Enforced URIs Cache Size",
"description" : "Size of the cache to be used if caching of not enforced URI list evaluation results is enabled. (property name: com.sun.identity.agents.config.notenforced.uri.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 7800,
"required" : false,
"type" : "integer"
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "The mode of fetching profile attributes. (property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8700,
"required" : false,
"type" : "string"
},
"resourceAccessDeniedUri" : {
"title" : "Resource Access Denied URI",
"description" : "An application-specific Map that identifies a URI of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.uri) <br>Valid key: the web application name. <br>Valid value: the customized application access denied page URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific access denied page. <br>Hot-swap: Yes <br> Examples: <br>To set a global access denied page: leave Map Key field empty, and enter the global access denied page URI /sample/accessdenied.html in Corresponding Map Value field. <br> To set the access denied page URI for application BankApp: enter BankApp in Map Key field, and enter the application access denied page URI /BankApp/accessdenied.html in Corresponding Map Value field.",
"propertyOrder" : 2700,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"privilegedAttributeMappingEnabled" : {
"title" : "Enable Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Enable a mapping from the original value of an attribute to another value, to satisfy container-specific restrictions on the character set used in certain configuration files. (property name: com.sun.identity.agents.config.privileged.attribute.mapping.enable) <br>Hot-swap: Yes",
"propertyOrder" : 9800,
"required" : false,
"type" : "boolean"
},
"cookieAttributeUrlEncoded" : {
"title" : "Attribute Cookie Encode",
"description" : "Indicates if the value of the attribute should be URL encoded before being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.encode) <br>Hot-swap: Yes",
"propertyOrder" : 8500,
"required" : false,
"type" : "boolean"
},
"cookieAttributeMultiValueSeparator" : {
"title" : "Cookie Separator Character",
"description" : "Character that will be used to separate multiple values of the same attribute when it is being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.separator) <br>Hot-swap: Yes",
"propertyOrder" : 8300,
"required" : false,
"type" : "string"
},
"profileAttributeMap" : {
"title" : "Profile Attribute Mapping",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 8800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedUrisCacheEnabled" : {
"title" : "Not Enforced URIs Cache Enabled",
"description" : "Enables the caching of the Not Enforced URIs list evaluation results. (property name: com.sun.identity.agents.config.notenforced.uri.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7700,
"required" : false,
"type" : "boolean"
},
"notEnforcedUris" : {
"title" : "Not Enforced URIs",
"description" : "List of URIs for which protection is not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri) <br>Hot-swap: Yes <br> Examples: <br> /BankApp/public/* <br> /BankApp/images/*",
"propertyOrder" : 7500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"useInternalLogin" : {
"title" : "Use Internal Login",
"description" : "Set to false if you want to customize the Login Content File instead of using the default internal content provided. (property name: com.sun.identity.agents.config.login.use.internal) <br>Hot-swap: Yes",
"propertyOrder" : 3000,
"required" : false,
"type" : "boolean"
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "The mode of fetching policy response attributes. (property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 9100,
"required" : false,
"type" : "string"
},
"privilegedAttributesToLowerCase" : {
"title" : "Privileged Attributes To Lower Case",
"description" : "(Not used in Agent 5 onwards) <br>Maps the privileged attribute types to whether they should be converted to lowercase. (property name: com.sun.identity.agents.config.privileged.attribute.tolowercase) <br> Valid Keys: the privileged attribute types, such as Group, Role. <br>Valid value: true, false. <br>Hot-swap: Yes <br> Example: <br> Enter Group in Map Key field, and enter false in Corresponding Map Value field.",
"propertyOrder" : 9600,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"shortenedPrivilegeAttributeValues" : {
"title" : "Shortened privilege attribute values",
"description" : "When using privileged attribute type, this setting will ensure that the membership details will be stored in a shortened format and not in the default universal ID format.<br><br>By default the agent maps identity memberships using their universal IDs (e.g. id=admin,ou=group,dc=openam,dc=forgerock,dc=org), however this may not be always acceptable. Using this setting the identity membership details will be mapped in a shortened format, only including the group's/role's name (e.g. admin). Be aware that in case there are both roles and groups in the data store, this setting will make them indistinguishable from each other, i.e. if there is a group and a role with the same name it will not be possible to differentiate them.",
"propertyOrder" : 13600,
"required" : false,
"type" : "boolean"
},
"privilegedAttributeMap" : {
"title" : "Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Map if using Enable Privileged Attribute Mapping. (property name: com.sun.identity.agents.config.privileged.attribute.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map UUID id=manager,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_manager_role specified in webapp's deployment descriptor: enter id=manager,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_manager_role in Corresponding Map Value field. <br> To map UUID id=employee,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_employee_role specified in webapp's deployment descriptor: enter id=employee,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_employee_role in Corresponding Map Value field.",
"propertyOrder" : 9900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"customAuthenticationHandlers" : {
"title" : "Custom Authentication Handler",
"description" : "Application specific authentication handler to authenticate the logged on user with the application server. (property name: com.sun.identity.agents.config.auth.handler) <br>Valid key: the web application name. <br>Valid value: the authentication handler class name. <br>Hot-swap: Yes <br>Example: <br>To set authentication handler for application BankApp: enter BankApp in Map Key field, and enter authentication handler class name BankAuthHandler in Corresponding Map Value field.",
"propertyOrder" : 3200,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedIpsCacheEnabled" : {
"title" : "Not Enforced IP Cache Flag",
"description" : "Enable caching of not-enforced IP list evaluation results. (property name: com.sun.identity.agents.config.notenforced.ip.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 8100,
"required" : false,
"type" : "boolean"
},
"privilegedAttributeType" : {
"title" : "Privileged Attribute Type",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attribute types that will be fetched for each user. (property name: com.sun.identity.agents.config.privileged.attribute.type) <br>Hot-swap: Yes <br> Example: <br> Group",
"propertyOrder" : 9500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedIpsCacheSize" : {
"title" : "Not Enforced IP Cache Size",
"description" : "Size of the cache to be used if Not Enforced IP Cache Flag is enabled. (property name: com.sun.identity.agents.config.notenforced.ip.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 8200,
"required" : false,
"type" : "integer"
},
"loginErrorUri" : {
"title" : "Login Error URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-error-page element. (property name: com.sun.identity.agents.config.login.error.uri) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/error.jsp",
"propertyOrder" : 2900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"invertNotEnforcedUris" : {
"title" : "Invert Not Enforced URIs",
"description" : "Inverts protection of URIs specified in Not Enforced URIs list. When set to true, it indicates that the URIs specified should be enforced and all other URIs should be not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri.invert) <br>Hot-swap: Yes",
"propertyOrder" : 7600,
"required" : false,
"type" : "boolean"
},
"invertNotEnforcedIps" : {
"title" : "Not Enforced IP Invert List",
"description" : "Inverts protection of the client IP addresses listed in the related Not Enforced Client IP List. (property name: com.sun.identity.agents.config.notenforced.ip.invert) <br>Hot-swap: Yes",
"propertyOrder" : 8000,
"required" : false,
"type" : "boolean"
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request, that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3211,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication or authorization protection by the agent is required for requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 7900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedUrisRefreshSessionIdleTime" : {
"title" : "Refresh Session Idle Time",
"description" : "Indicates if opensso session idle time should be refreshed or reset for not enforced URIs. (property name: com.sun.identity.agents.config.notenforced.refresh.session.idletime) <br>Hot-swap: Yes",
"propertyOrder" : 8600,
"required" : false,
"type" : "boolean"
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "The mode of fetching session attributes. (property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8900,
"required" : false,
"type" : "string"
},
"responseAttributeMap" : {
"title" : "Response Attribute Mapping",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 9200,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
}
},
"miscJ2EEAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. Default value should be changed only when the login URL has a landing page specified <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcservlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent:port/original.jsp",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"legacyUserAgentSupport" : {
"title" : "Legacy User Agent Support Enable",
"description" : "Enables support for legacy user agents (browser). (property name: com.sun.identity.agents.config.legacy.support.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6700,
"required" : false,
"type" : "boolean"
},
"portCheckEnabled" : {
"title" : "Port Check Enable",
"description" : "Indicates if port check functionality is enabled or disabled. (property name: com.sun.identity.agents.config.port.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7200,
"required" : false,
"type" : "boolean"
},
"portCheckSetting" : {
"title" : "Port Check Setting",
"description" : "Map of port versus protocol entries with the key being the listening port number and value being the listening protocol to be used by the Agent to identify requests with invalid port numbers. (property name: com.sun.identity.agents.config.port.check.setting) <br>Hot-swap: Yes <br> Example: <br> To map port 80 to protocol http: enter 80 in Map Key field, and enter http in Corresponding Map Value field.",
"propertyOrder" : 7400,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 18600,
"required" : false,
"type" : "boolean"
},
"legacyUserAgentList" : {
"title" : "Legacy User Agent List",
"description" : "List of user agent header values that identify legacy browsers. Entries in this list can have wild card character '*'. (property name: com.sun.identity.agents.config.legacy.user.agent) <br>Hot-swap: Yes",
"propertyOrder" : 6800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"portCheckFile" : {
"title" : "Port Check File",
"description" : "Name or complete path of a file that has the necessary content needed to handle requests that need port correction. (property name: com.sun.identity.agents.config.port.check.file) <br>Hot-swap: Yes",
"propertyOrder" : 7300,
"required" : false,
"type" : "string"
},
"localeLanguage" : {
"title" : "Locale Language",
"description" : "(property name: com.sun.identity.agents.config.locale.language) <br>Hot-swap: No",
"propertyOrder" : 1300,
"required" : false,
"type" : "string"
},
"bypassPrincipalList" : {
"title" : "Bypass Principal List",
"description" : "List of principals that are bypassed by the Agent for authentication and search purposes. (property name: com.sun.identity.agents.config.bypass.principal) <br>Hot-swap: Yes <br> Examples: <br> guest <br> testuser",
"propertyOrder" : 9300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"encryptionProvider" : {
"title" : "Encryption Provider",
"description" : "Specifies the encryption provider implementation to be used by the Agent. (property name: com.iplanet.security.encryptor) <br>Hot-swap: No",
"propertyOrder" : 10400,
"required" : false,
"type" : "string"
},
"localeCountry" : {
"title" : "Locale Country",
"description" : "(property name: com.sun.identity.agents.config.locale.country) <br>Hot-swap: No",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"legacyRedirectUri" : {
"title" : "Legacy User Agent Redirect URI",
"description" : "An intermediate URI used by the Agent to redirect legacy user agent requests. (property name: com.sun.identity.agents.config.legacy.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 6900,
"required" : false,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amServicesJ2EEAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"policyActionBooleanValues" : {
"title" : "Policy Client Boolean Action Values",
"description" : "Boolean action values for policy action names. (property name: com.sun.identity.policy.client.booleanActionValues) <br>Hot-swap: No",
"propertyOrder" : 11500,
"required" : false,
"type" : "string"
},
"conditionalLogoutUrl" : {
"title" : "AM Conditional Logout URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.logout.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1&param2=value2 <br> match/path|?param1=value1&param2=value2&param3=value3",
"propertyOrder" : 12550,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyNotifications" : {
"title" : "Enable Policy Notifications",
"description" : "Enable Notifications for remote policy client. (property name: com.sun.identity.agents.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 11200,
"required" : false,
"type" : "boolean"
},
"userDataCachePollingTime" : {
"title" : "User Data Cache Polling Time",
"description" : "Cache update time in minutes for user management data. If set to '0' no updates happen. (property name: com.iplanet.am.sdk.remote.pollingTime) <br>Hot-swap: No",
"propertyOrder" : 10600,
"required" : false,
"type" : "integer"
},
"enableClientPolling" : {
"title" : "Enable Client Polling",
"description" : "Specifies if the session client must use polling for updating session information and not depend upon server notifications. (property name: com.iplanet.am.session.client.polling.enable) <br>Hot-swap: No",
"propertyOrder" : 10200,
"required" : false,
"type" : "boolean"
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 3700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serviceDataCacheTime" : {
"title" : "Service Data Cache Time",
"description" : "Cache update time in minutes for service configuration data. If set to '0' no updates happen. (property name: com.sun.identity.sm.cacheTime) <br>Hot-swap: No",
"propertyOrder" : 10800,
"required" : false,
"type" : "integer"
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"policyClientPollingInterval" : {
"title" : "Policy Client Polling Interval",
"description" : "Duration in minutes after which the cached entries are refreshed by remote policy client. (property name: com.sun.identity.agents.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 11300,
"required" : false,
"type" : "integer"
},
"authServicePort" : {
"title" : "AM Authentication Service Port",
"description" : "Port to be used by the AM authentication service. (property name: com.iplanet.am.server.port) <br>Hot-swap: No",
"propertyOrder" : 11100,
"required" : false,
"type" : "integer"
},
"urlPolicyEnvJsessionParameters" : {
"title" : "URL Policy Env jsession Parameters",
"description" : "List of HTTP SESSION attributes whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.jsession.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 12000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authServiceHost" : {
"title" : "AM Authentication Service Host Name",
"description" : "Host name to be used by the AM authentication service. (property name: com.iplanet.am.server.host) <br>Hot-swap: No",
"propertyOrder" : 11000,
"required" : false,
"type" : "string"
},
"clientPollingPeriod" : {
"title" : "Client Polling Period",
"description" : "(Not used in Agent 5 onwards) <br>Time in seconds after which the session client will request update of cached session information from the server. (property name: com.iplanet.am.session.client.polling.period) <br>Hot-swap: No",
"propertyOrder" : 10300,
"required" : false,
"type" : "integer"
},
"policyClientResourceComparators" : {
"title" : "Policy Client Resource Comparators",
"description" : "Resource Comparators to be used for different service names. (property name: com.sun.identity.policy.client.resourceComparators) <br>Hot-swap: No",
"propertyOrder" : 11600,
"required" : false,
"type" : "string"
},
"urlPolicyEnvGetParameters" : {
"title" : "URL Policy Env GET Parameters",
"description" : "List of HTTP GET request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.get.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClientClockSkew" : {
"title" : "Policy Client Clock Skew",
"description" : "Time in seconds which is allowed to accommodate the time difference between the AM server machine and the remote policy client machine. (property name: com.sun.identity.policy.client.clockSkew) <br>Hot-swap: No",
"propertyOrder" : 11700,
"required" : false,
"type" : "integer"
},
"userDataCacheNotifications" : {
"title" : "Enable Notification of User Data Caches",
"description" : "Enable notifications for amsdk and IdRepo Caches. (property name: com.sun.identity.idm.remote.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10500,
"required" : false,
"type" : "boolean"
},
"loginProbeTimeout" : {
"title" : "Login URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Login URL Probe is set to true. (property name: com.sun.identity.agents.config.login.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 4000,
"required" : false,
"type" : "integer"
},
"logoutProbeTimeout" : {
"title" : "Logout URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Logout URL Probe is set to true. (property name: com.sun.identity.agents.config.logout.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 12700,
"required" : false,
"type" : "integer"
},
"serviceDataCacheNotifications" : {
"title" : "Enable Notification of Service Data Caches",
"description" : "Enable the notifications for service management caches. (property name: com.sun.identity.sm.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10700,
"required" : false,
"type" : "boolean"
},
"probeLoginUrl" : {
"title" : "Login URL Probe",
"description" : "Specifies if the agent will check the availability of these URLs before redirecting to them. (property name: com.sun.identity.agents.config.login.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 3900,
"required" : false,
"type" : "boolean"
},
"probeLogoutUrl" : {
"title" : "Logout URL Probe",
"description" : "Specifies if the agent will check the availability of these URLs before redirecting to them. (property name: com.sun.identity.agents.config.logout.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 12600,
"required" : false,
"type" : "boolean"
},
"useRedirectForCompositeAdvice" : {
"title" : "Use HTTP-Redirect for composite advice",
"description" : "Configure remote policy client to use HTTP-redirect instead of HTTP-POST for composite advices. (property name: com.sun.identity.agents.config.policy.advice.use.redirect) <br>Hot-swap: Yes",
"propertyOrder" : 13000,
"required" : false,
"type" : "boolean"
},
"conditionalLoginUrl" : {
"title" : "AM Conditional Login URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.login.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1&param2=value2 <br> match/path|?param1=value1&param2=value2&param3=value3",
"propertyOrder" : 4010,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClientCacheMode" : {
"title" : "Policy Client Cache Mode",
"description" : "Mode of caching to be used by remote policy client. (property name: com.sun.identity.policy.client.cacheMode) <br>Hot-swap: No",
"propertyOrder" : 11400,
"required" : false,
"type" : "string"
},
"authServiceProtocol" : {
"title" : "AM Authentication Service Protocol",
"description" : "Protocol to be used by the AM authentication service. (property name: com.iplanet.am.server.protocol) <br>Hot-swap: No",
"propertyOrder" : 10900,
"required" : false,
"type" : "string"
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with. (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"urlPolicyEnvPostParameters" : {
"title" : "URL Policy Env POST Parameters",
"description" : "List of HTTP POST request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.post.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 12400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginUrlPrioritized" : {
"title" : "Login URL Prioritized",
"description" : "Specifies if failover sequence for Login URLs or CDSSO URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.login.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 3800,
"required" : false,
"type" : "boolean"
},
"logoutUrlPrioritized" : {
"title" : "Logout URL Prioritized",
"description" : "Specifies if failover sequence for Logout URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.logout.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 12500,
"required" : false,
"type" : "boolean"
}
}
},
"ssoJ2EEAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoTrustedIdProvider" : {
"title" : "CDSSO Trusted ID Provider",
"description" : "List of AM Server/ID providers that should be trusted by the agent, when evaluating the CDC Liberty Responses. (property name: com.sun.identity.agents.config.cdsso.trusted.id.provider) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetDomains" : {
"title" : "Cookies Reset Domain Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the domain of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.domain) <br>Hot-swap: Yes",
"propertyOrder" : 4800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross Domain Single SignOn. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5000,
"required" : false,
"type" : "boolean"
},
"cookieResetNames" : {
"title" : "Cookies Reset Name List",
"description" : "Cookie names that will be reset by the Agent if Cookie Reset is enabled. (property name: com.sun.identity.agents.config.cdsso.cookie.reset.name) <br>Hot-swap: Yes",
"propertyOrder" : 4700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetPaths" : {
"title" : "Cookies Reset Path Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the path of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.path) <br>Hot-swap: Yes",
"propertyOrder" : 4900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cdssoClockSkew" : {
"title" : "CDSSO Clock Skew",
"description" : "Time in seconds to be used by the Agent to determine the validity of the CDSSO AuthnResponse assertion. (property name: com.sun.identity.agents.config.cdsso.clock.skew) <br>Hot-swap: Yes",
"propertyOrder" : 5300,
"required" : false,
"type" : "integer"
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ssoCacheEnabled" : {
"title" : "SSO Cache Enable",
"description" : "Specifies if the SSO Cache is active for the agent. Cache is used through public APIs exposed by the agent SDK. (property name: com.sun.identity.agents.config.amsso.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4500,
"required" : false,
"type" : "boolean"
},
"cdssoDomainList" : {
"title" : "CDSSO Domain List",
"description" : "Domains for which cookies have to be set in a CDSSO scenario. (property name: com.sun.identity.agents.config.cdsso.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 5800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4600,
"required" : false,
"type" : "boolean"
},
"cdssoSecureCookies" : {
"title" : "CDSSO Secure Enable",
"description" : "The SSO Token cookie set by the agent in the different domains in CDSSO mode will be marked secure. Only transmitted if the communications channel with host is a secure one. (property name: com.sun.identity.agents.config.cdsso.secure.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5700,
"required" : false,
"type" : "boolean"
},
"amCookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.iplanet.am.cookie.name) <br>Hot-swap: No",
"propertyOrder" : 10100,
"required" : false,
"type" : "string"
}
}
},
"globalJ2EEAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 1800,
"required" : false,
"type" : "boolean"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 12105,
"required" : false,
"type" : "integer"
},
"userMappingMode" : {
"title" : "User Mapping Mode",
"description" : "Specifies mechanism agent uses to determine user-ID. (property name: com.sun.identity.agents.config.user.mapping.mode) <br>Hot-swap: Yes",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
},
"configurationReloadInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in seconds between configuration reloads. (property name: com.sun.identity.agents.config.load.interval) <br>Hot-swap: Yes",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 1500,
"required" : false,
"type" : "string"
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 12100,
"required" : false,
"type" : "boolean"
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6400,
"required" : false,
"type" : "boolean"
},
"redirectAttemptLimit" : {
"title" : "Redirect Attempt Limit",
"description" : "Number of successive single point redirects that a user can make using a single browser session which will trigger the blocking of the user request. Set to 0 to disable this feature. (property name: com.sun.identity.agents.config.redirect.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 7100,
"required" : false,
"type" : "integer"
},
"userPrincipalFlag" : {
"title" : "User Principal Flag",
"description" : "Use principal instead of just the user-ID for authenticating the user. (property name: com.sun.identity.agents.config.user.principal) <br>Hot-swap: Yes",
"propertyOrder" : 800,
"required" : false,
"type" : "boolean"
},
"filterMode" : {
"title" : "Agent Filter Mode",
"description" : "Specifies the mode of operation of the Filter. (property name: com.sun.identity.agents.config.filter.mode) <br>Valid key: the web application name. <br>Valid values: ALL, J2EE_POLICY (Not used in Agent 5 onwards), URL_POLICY, SSO_ONLY, NONE <br>For this property, a global value can be set to apply to all the applications that don't have their own specific filter mode. <br>Hot-swap: No <br>Examples: <br>To set ALL as the global filter mode: leave Map Key field empty, and enter ALL in Corresponding Map Value field. <br>To set URL_POLICY as the filter mode for application BankApp: enter BankApp in Map Key field, and enter URL_POLICY in Corresponding Map Value field.",
"propertyOrder" : 500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 1600,
"required" : false,
"type" : "string"
},
"httpSessionBinding" : {
"title" : "HTTP Session Binding",
"description" : "If true will invalidate the http session when login has failed, user has no SSO session, or principal user name does not match SSO user name. (property name: com.sun.identity.agents.config.httpsession.binding) <br>Hot-swap: Yes",
"propertyOrder" : 3500,
"required" : false,
"type" : "boolean"
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 6600,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 11201,
"required" : false,
"type" : "string"
},
"remoteLogFilename" : {
"title" : "Remote Log File Name",
"description" : "Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: Yes",
"propertyOrder" : 1700,
"required" : false,
"type" : "string"
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 300,
"required" : false,
"type" : "string"
},
"debugLevel" : {
"title" : "Agent Debug Level",
"description" : "Specifies type of agent debug messages to log. (property name: com.iplanet.services.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 10000,
"required" : false,
"type" : "string"
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 6500,
"required" : false,
"type" : "string"
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 1900,
"required" : false,
"type" : "integer"
},
"loginAttemptLimit" : {
"title" : "Login Attempt Limit",
"description" : "Limit of failed login attempts for a user's single browser session until triggering the blocking of the user request. Value of 0 disables this feature. (property name: com.sun.identity.agents.config.login.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 4400,
"required" : false,
"type" : "integer"
},
"customResponseHeader" : {
"title" : "Custom Response Header",
"description" : "Map specifies the custom headers that are set by the Agent on the client browser. The key is the header name and the value represents the header value. (property name: com.sun.identity.agents.config.response.header) <br>Hot-swap: Yes <br> Example: <br> To set the custom header Cache-Control to value no-cache: enter Cache-Control in Map Key field, and enter no-cache in Corresponding Map Value field.",
"propertyOrder" : 7000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"userAttributeName" : {
"title" : "User Attribute Name",
"description" : "Name of the attribute which contains the user-ID. (property name: com.sun.identity.agents.config.user.attribute.name) <br>Hot-swap: Yes",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"userTokenName" : {
"title" : "User Token Name",
"description" : "Session property name for user-ID of the authenticated user in session. (property name: com.sun.identity.agents.config.user.token) <br>Hot-swap: Yes",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"advancedJ2EEAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"webServiceInternalErrorContentFile" : {
"title" : "Web Service Internal Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an internal error fault for clients. (property name: com.sun.identity.agents.config.webservice.internalerror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2500,
"required" : false,
"type" : "string"
},
"possibleXssCodeElements" : {
"title" : "Possible XSS code elements",
"description" : "If one of these strings occurs in the request, the client is redirected to an error page. (property name: com.sun.identity.agents.config.xss.code.elements) <br>Hot-swap: Yes",
"propertyOrder" : 12800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceAuthorizationErrorContentFile" : {
"title" : "Web Service Authorization Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an authorization error fault for clients. (property name: com.sun.identity.agents.config.webservice.autherror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"missingPostDataPreservationEntryUri" : {
"title" : "Missing PDP entry URI",
"description" : "An application-specific URI Map that is used in case the referenced PDP entry cannot be found in the local cache (due to ttl). In such cases it will redirect to the specified URI, otherwise it will show an HTTP 403 Forbidden error. (property name: com.sun.identity.agents.config.postdata.preservce.cache.noentry.url)<br>Examples: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field and enter a redirect URI in corresponding Map Value field.",
"propertyOrder" : 13200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceEnabled" : {
"title" : "Web Service Enable",
"description" : "Flag specifies if Web Service processing is enabled. (property name: com.sun.identity.agents.config.webservice.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2000,
"required" : false,
"type" : "boolean"
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 12200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"alternativeAgentHostname" : {
"title" : "Alternative Agent Host Name",
"description" : "Host name identifying the Agent protected server to the client browsers if different from the actual host name. (property name: com.sun.identity.agents.config.agent.host) <br>Hot-swap: Yes",
"propertyOrder" : 4100,
"required" : false,
"type" : "string"
},
"postDataPreserveCacheEntryMaxEntries" : {
"title" : "PDP Maximum Number of Cache Entries",
"description" : "Maximum number of entries to hold in the PDP cache (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.entries) (Agent 5 only).",
"propertyOrder" : 13550,
"required" : false,
"type" : "integer"
},
"webServiceProcessGetEnabled" : {
"title" : "Web Service Process GET Enable",
"description" : "Flag to indicate if the processing of HTTP GET requests for Web Service endpoints is enabled. (property name: com.sun.identity.agents.config.webservice.process.get.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2200,
"required" : false,
"type" : "boolean"
},
"alternativeAgentPort" : {
"title" : "Alternative Agent Port Name",
"description" : "Port number identifying the Agent protected server listening port to the client browsers if different from the actual listening port. (property name: com.sun.identity.agents.config.agent.port) <br>Hot-swap: Yes",
"propertyOrder" : 4200,
"required" : false,
"type" : "string"
},
"webServiceResponseProcessor" : {
"title" : "Web Service Response Processor",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceResponseProcessor that can be used to process the web-service responses. (property name: com.sun.identity.agents.config.webservice.responseprocessor) <br>Hot-swap: Yes",
"propertyOrder" : 2400,
"required" : false,
"type" : "string"
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 1100,
"required" : false,
"type" : "string"
},
"postDataStickySessionMode" : {
"title" : "PDP Stickysession mode",
"description" : "The PDP mechanism needs sticky load balancing: the URL mode appends a query string, while the Cookie mode creates a cookie. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.mode)",
"propertyOrder" : 13400,
"required" : false,
"type" : "string"
},
"postDataCacheTtl" : {
"title" : "PDP entry TTL",
"description" : "How long a given POST entry is kept in the local cache (in milliseconds); the default value is 300000. (property name: com.sun.identity.agents.config.postdata.preserve.cache.entry.ttl)",
"propertyOrder" : 13300,
"required" : false,
"type" : "integer"
},
"webServiceEndpoints" : {
"title" : "Web Service End Points",
"description" : "A list of Web Application end points that represent Web Services. (property name: com.sun.identity.agents.config.webservice.endpoint) <br>Hot-swap: Yes",
"propertyOrder" : 2100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceAuthenticator" : {
"title" : "Web Service Authenticator",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceAuthenticator that can be used to authenticate web-service requests. (property name: com.sun.identity.agents.config.webservice.authenticator) <br>Hot-swap: Yes",
"propertyOrder" : 2300,
"required" : false,
"type" : "string"
},
"alternativeAgentProtocol" : {
"title" : "Alternative Agent Protocol",
"description" : "Protocol being used (http/https) by the client browsers to communicate with the Agent protected server if different from the actual protocol used by the server. (property name: com.sun.identity.agents.config.agent.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 4300,
"required" : false,
"type" : "string"
},
"postDataPreserveCacheEntryMaxTotalSizeMb" : {
"title" : "PDP Maximum Cache Size",
"description" : "Maximum size of the PDP cache, in megabytes (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.total.size.mb). (Agent 5 only)",
"propertyOrder" : 13600,
"required" : false,
"type" : "integer"
},
"jbossWebAuthenticationAvailable" : {
"title" : "WebAuthentication Available",
"description" : "(Not used in Agent 5 onwards) <br>Enable agent to make programmatic authentication with the JBoss web container using WebAuthentication feature. (property name: com.sun.identity.agents.config.jboss.webauth.available) <br>Hot-swap: Yes",
"propertyOrder" : 12300,
"required" : false,
"type" : "boolean"
},
"postDataPreservation" : {
"title" : "Post Data Preservation enabled",
"description" : "Post Data Preservation stores any POST data before redirecting the user to the login screen; after successful login the agent generates a page that autosubmits the same POST to the original URL. (property name: com.sun.identity.agents.config.postdata.preserve.enable)",
"propertyOrder" : 13100,
"required" : false,
"type" : "boolean"
},
"xssDetectionRedirectUri" : {
"title" : "XSS detection redirect URI",
"description" : "An application-specific Map that identifies a URI of the customized page if XSS code has been detected. (property name: com.sun.identity.agents.config.xss.redirect.uri) <br>Hot-swap: Yes <br>Examples: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field, and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 12900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"postDataStickySessionKeyValue" : {
"title" : "PDP Stickysession key-value",
"description" : "The provided key-value pair will be used for adding to the URL or creating the cookie. <br>Example: <br>Set 'lb=server1' to append to the querystring or to have 'lb' cookie with 'server1' value. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.value)",
"propertyOrder" : 13500,
"required" : false,
"type" : "string"
}
}
},
"applicationJ2EEAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"customVerificationHandlers" : {
"title" : "Custom Verification Handler",
"description" : "Application specific verification handler to validate the user credentials with the local repository. (property name: com.sun.identity.agents.config.verification.handler) <br>Valid key: the web application name. <br>Valid value: the verification handler class name. <br>Hot-swap: Yes <br> Example: <br> To set verification handler for application BankApp: enter BankApp in Map Key field, and enter verification handler class name BankVerificationHandler in Corresponding Map Value field.",
"propertyOrder" : 3400,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"defaultPrivilegedAttributes" : {
"title" : "Default Privileged Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attributes that will be granted to all users who have a valid AM session. (property name: com.sun.identity.agents.config.default.privileged.attribute) <br>Hot-swap: Yes <br> Example: <br> AUTHENTICATED_USERS",
"propertyOrder" : 9400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedRuleCompoundSeparator" : {
"title" : "Not Enforced Compound Rule Separator",
"description" : "Specifies a separator for not enforced compound rules (Agent 5 only). The format for compound rules requires a list of IP rules, a separator (by default the | character), and a list of URI rules. For example, GET 192.168.1.1-192.168.4.3 | /images/*. Configure a different separator (for example, &&) when working with the REGEX keyword to avoid invalid regular expressions.",
"propertyOrder" : 7450,
"required" : false,
"type" : "string"
},
"sessionAttributeMap" : {
"title" : "Session Attribute Mapping",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 9000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"logoutRequestParameters" : {
"title" : "Logout Request Parameter",
"description" : "An application-specific Map that identifies a parameter which when present in the HTTP request indicates a logout event. (property name: com.sun.identity.agents.config.logout.request.param) <br>Valid key: the web application name. <br>Valid value: the logout request parameter. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout request parameter. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout request parameter: leave Map Key field empty, and enter the global application logout request parameter logoutparam in Corresponding Map Value field. <br> To set the logout request parameter for application BankApp: enter BankApp in Map Key field, and enter the logout request parameter logoutparam in Corresponding Map Value field.",
"propertyOrder" : 6100,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"headerAttributeDateFormat" : {
"title" : "Fetch Attribute Date Format",
"description" : "Format of date attribute values to be used when the attribute is being set as HTTP header. Format is based on java.text.SimpleDateFormat. (property name: com.sun.identity.agents.config.attribute.date.format) <br>Hot-swap: Yes",
"propertyOrder" : 8400,
"required" : false,
"type" : "string"
},
"loginFormUri" : {
"title" : "Login Form URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-login-page element. (property name: com.sun.identity.agents.config.login.form) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/login.jsp",
"propertyOrder" : 2800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginContentFile" : {
"title" : "Login Content File Name",
"description" : "Complete path and name of custom login content file. (property name: com.sun.identity.agents.config.login.content.file) <br>Hot-swap: Yes",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"logoutEntryUri" : {
"title" : "Logout Entry URI",
"description" : "An application-specific Map that identifies a URI to be used as an entry point after successful logout and subsequent successful authentication if applicable. (property name: com.sun.identity.agents.config.logout.entry.uri) <br>Valid key: the web application name. <br>Valid value: the logout entry URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout entry URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout entry URI: leave Map Key field empty, and enter the global application logout entry URI /welcome.html in Corresponding Map Value field. <br> To set the logout entry URI for application BankApp: enter BankApp in Map Key field, and enter the logout entry URI /BankApp/welcome.html in Corresponding Map Value field.",
"propertyOrder" : 6300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"applicationLogoutHandlers" : {
"title" : "Application Logout Handler",
"description" : "An application-specific Map that identifies a handler to be used for logout processing. (property name: com.sun.identity.agents.config.logout.application.handler) <br>Valid key: the web application name. <br>Valid value: the application logout handler class name. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout handler. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout handler: leave Map Key field empty, and enter the global application logout handler class name GlobalApplicationLogoutHandler in Corresponding Map Value field. <br>To set the logout handler for application BankApp: enter BankApp in Map Key field, and enter the application logout handler class name BankAppLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 5900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"applicationLogoutUris" : {
"title" : "Application Logout URI",
"description" : "An application-specific Map that identifies a request URI which indicates a logout event. (property name: com.sun.identity.agents.config.logout.uri) <br>Valid key: the web application name. <br>Valid value: the application logout URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout URI: leave Map Key field empty, and enter the global application logout URI /logout.jsp in Corresponding Map Value field. <br> To set the logout URI for application BankApp: enter BankApp in Map Key field, and enter the application logout URI /BankApp/logout.jsp in Corresponding Map Value field.",
"propertyOrder" : 6000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"customLogoutHandlers" : {
"title" : "Custom Logout Handler",
"description" : "Application specific logout handler to log out a user with the application server. (property name: com.sun.identity.agents.config.logout.handler) <br>Valid key: the web application name. <br>Valid value: the logout handler class name. <br>Hot-swap: Yes <br> Example: <br>To set logout handler for application BankApp: enter BankApp in Map Key field, and enter logout handler class name BankLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 3300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"logoutIntrospection" : {
"title" : "Logout Introspect Enabled",
"description" : "Allows the Agent to search HTTP request body to locate logout parameter. (property name: com.sun.identity.agents.config.logout.introspect.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 6200,
"required" : false,
"type" : "boolean"
},
"privilegedSessionAttribute" : {
"title" : "Privileged Session Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of session property names which hold privileged attributes for the authenticated user. (property name: com.sun.identity.agents.config.privileged.session.attribute) <br>Hot-swap: Yes <br> Example: <br> UserToken",
"propertyOrder" : 9700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3210,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedUrisCacheSize" : {
"title" : "Not Enforced URIs Cache Size",
"description" : "Size of the cache to be used if caching of not enforced URI list evaluation results is enabled. (property name: com.sun.identity.agents.config.notenforced.uri.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 7800,
"required" : false,
"type" : "integer"
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "The mode of fetching profile attributes. (property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8700,
"required" : false,
"type" : "string"
},
"resourceAccessDeniedUri" : {
"title" : "Resource Access Denied URI",
"description" : "An application-specific Map that identifies a URI of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.uri) <br>Valid key: the web application name. <br>Valid value: the customized application access denied page URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific access denied page. <br>Hot-swap: Yes <br> Examples: <br>To set a global access denied page: leave Map Key field empty, and enter the global access denied page URI /sample/accessdenied.html in Corresponding Map Value field. <br> To set the access denied page URI for application BankApp: enter BankApp in Map Key field, and enter the application access denied page URI /BankApp/accessdenied.html in Corresponding Map Value field.",
"propertyOrder" : 2700,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"privilegedAttributeMappingEnabled" : {
"title" : "Enable Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Enable a mapping from the original value of an attribute to another value. To satisfy container-specific restrictions on character set being used in certain configuration files. (property name: com.sun.identity.agents.config.privileged.attribute.mapping.enable) <br>Hot-swap: Yes",
"propertyOrder" : 9800,
"required" : false,
"type" : "boolean"
},
"cookieAttributeUrlEncoded" : {
"title" : "Attribute Cookie Encode",
"description" : "Indicates if the value of the attribute should be URL encoded before being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.encode) <br>Hot-swap: Yes",
"propertyOrder" : 8500,
"required" : false,
"type" : "boolean"
},
"cookieAttributeMultiValueSeparator" : {
"title" : "Cookie Separator Character",
"description" : "Character that will be used to separate multiple values of the same attribute when it is being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.separator) <br>Hot-swap: Yes",
"propertyOrder" : 8300,
"required" : false,
"type" : "string"
},
"profileAttributeMap" : {
"title" : "Profile Attribute Mapping",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 8800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedUrisCacheEnabled" : {
"title" : "Not Enforced URIs Cache Enabled",
"description" : "Enables the caching of the Not Enforced URIs list evaluation results. (property name: com.sun.identity.agents.config.notenforced.uri.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7700,
"required" : false,
"type" : "boolean"
},
"notEnforcedUris" : {
"title" : "Not Enforced URIs",
"description" : "List of URIs for which protection is not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri) <br>Hot-swap: Yes <br> Examples: <br> /BankApp/public/* <br> /BankApp/images/*",
"propertyOrder" : 7500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"useInternalLogin" : {
"title" : "Use Internal Login",
"description" : "Set to false if want to customize Login Content File instead of default internal content provided. (property name: com.sun.identity.agents.config.login.use.internal) <br>Hot-swap: Yes",
"propertyOrder" : 3000,
"required" : false,
"type" : "boolean"
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "The mode of fetching policy response attributes. (property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 9100,
"required" : false,
"type" : "string"
},
"privilegedAttributesToLowerCase" : {
"title" : "Privileged Attributes To Lower Case",
"description" : "(Not used in Agent 5 onwards) <br>Maps the privileged attribute types to whether they should be converted to lowercase. (property name: com.sun.identity.agents.config.privileged.attribute.tolowercase) <br> Valid Keys: the privileged attribute types, such as Group, Role. <br>Valid value: true, false. <br>Hot-swap: Yes <br> Example: <br> Enter Group in Map Key field, and enter false in Corresponding Map Value field.",
"propertyOrder" : 9600,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"shortenedPrivilegeAttributeValues" : {
"title" : "Shortened privilege attribute values",
"description" : "When using privileged attribute type, this setting will ensure that the membership details will be stored in a shortened format and not in the default universal ID format.<br><br>By default the agent maps identity memberships using their universal IDs (e.g. id=admin,ou=group,dc=openam,dc=forgerock,dc=org), however this may not be always acceptable. Using this setting the identity membership details will be mapped in a shortened format, only including the group's/role's name (e.g. admin). Be aware that in case there are both roles and groups in the data store, this setting will make them indistinguishable from each other, i.e. if there is a group and a role with the same name it will not be possible to differentiate them.",
"propertyOrder" : 13600,
"required" : false,
"type" : "boolean"
},
"privilegedAttributeMap" : {
"title" : "Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Map if using Enable Privileged Attribute Mapping. (property name: com.sun.identity.agents.config.privileged.attribute.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map UUID id=manager,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_manager_role specified in webapp's deployment descriptor: enter id=manager,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_manager_role in Corresponding Map Value field. <br> To map UUID id=employee,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_employee_role specified in webapp's deployment descriptor: enter id=employee,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_employee_role in Corresponding Map Value field.",
"propertyOrder" : 9900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"customAuthenticationHandlers" : {
"title" : "Custom Authentication Handler",
"description" : "Application specific authentication handler to authenticate the logged on user with the application server. (property name: com.sun.identity.agents.config.auth.handler) <br>Valid key: the web application name. <br>Valid value: the authentication handler class name. <br>Hot-swap: Yes <br>Example: <br>To set authentication handler for application BankApp: enter BankApp in Map Key field, and enter authentication handler class name BankAuthHandler in Corresponding Map Value field.",
"propertyOrder" : 3200,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedIpsCacheEnabled" : {
"title" : "Not Enforced IP Cache Flag",
"description" : "Enable caching of not-enforced IP list evaluation results. (property name: com.sun.identity.agents.config.notenforced.ip.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 8100,
"required" : false,
"type" : "boolean"
},
"privilegedAttributeType" : {
"title" : "Privileged Attribute Type",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attribute types that will be fetched for each user. (property name: com.sun.identity.agents.config.privileged.attribute.type) <br>Hot-swap: Yes <br> Example: <br> Group",
"propertyOrder" : 9500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedIpsCacheSize" : {
"title" : "Not Enforced IP Cache Size",
"description" : "Size of the cache to be used if Not Enforced IP Cache Flag is enabled. (property name: com.sun.identity.agents.config.notenforced.ip.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 8200,
"required" : false,
"type" : "integer"
},
"loginErrorUri" : {
"title" : "Login Error URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-error-page element. (property name: com.sun.identity.agents.config.login.error.uri) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/error.jsp",
"propertyOrder" : 2900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"invertNotEnforcedUris" : {
"title" : "Invert Not Enforced URIs",
"description" : "Inverts protection of URIs specified in Not Enforced URIs list. When set to true, it indicates that the URIs specified should be enforced and all other URIs should be not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri.invert) <br>Hot-swap: Yes",
"propertyOrder" : 7600,
"required" : false,
"type" : "boolean"
},
"invertNotEnforcedIps" : {
"title" : "Not Enforced IP Invert List",
"description" : "Client IP Addresses to invert protection of IP addresses listed in the related Not Enforced Client IP List. (property name: com.sun.identity.agents.config.notenforced.ip.invert) <br>Hot-swap: Yes",
"propertyOrder" : 8000,
"required" : false,
"type" : "boolean"
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request, that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script.It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3211,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization protection from agent are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 7900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedUrisRefreshSessionIdleTime" : {
"title" : "Refresh Session Idle Time",
"description" : "Indicates if opensso session idle time should be refreshed or reset for not enforced URIs. (property name: com.sun.identity.agents.config.notenforced.refresh.session.idletime) <br>Hot-swap: Yes",
"propertyOrder" : 8600,
"required" : false,
"type" : "boolean"
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "The mode of fetching session attributes. (property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8900,
"required" : false,
"type" : "string"
},
"responseAttributeMap" : {
"title" : "Response Attribute Mapping",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 9200,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
}
},
"miscJ2EEAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. Default value should be changed only when the login URL has a landing page specified <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcserlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent.port/original.jsp",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"legacyUserAgentSupport" : {
"title" : "Legacy User Agent Support Enable",
"description" : "Enables support for legacy user agents (browser). (property name: com.sun.identity.agents.config.legacy.support.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6700,
"required" : false,
"type" : "boolean"
},
"portCheckEnabled" : {
"title" : "Port Check Enable",
"description" : "Indicates if port check functionality is enabled or disabled. (property name: com.sun.identity.agents.config.port.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7200,
"required" : false,
"type" : "boolean"
},
"portCheckSetting" : {
"title" : "Port Check Setting",
"description" : "Map of port versus protocol entries with the key being the listening port number and value being the listening protocol to be used by the Agent to identify requests with invalid port numbers. (property name: com.sun.identity.agents.config.port.check.setting) <br>Hot-swap: Yes <br> Example: <br> To map port 80 to protocol http: enter 80 in Map Key field, and enter http in Corresponding Map Value field.",
"propertyOrder" : 7400,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 18600,
"required" : false,
"type" : "boolean"
},
"legacyUserAgentList" : {
"title" : "Legacy User Agent List",
"description" : "List of user agent header values that identify legacy browsers. Entries in this list can have wild card character '*'. (property name: com.sun.identity.agents.config.legacy.user.agent) <br>Hot-swap: Yes",
"propertyOrder" : 6800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"portCheckFile" : {
"title" : "Port Check File",
"description" : "Name or complete path of a file that has the necessary content needed to handle requests that need port correction. (property name: com.sun.identity.agents.config.port.check.file) <br>Hot-swap: Yes",
"propertyOrder" : 7300,
"required" : false,
"type" : "string"
},
"localeLanguage" : {
"title" : "Locale Language",
"description" : "(property name: com.sun.identity.agents.config.locale.language) <br>Hot-swap: No",
"propertyOrder" : 1300,
"required" : false,
"type" : "string"
},
"bypassPrincipalList" : {
"title" : "Bypass Principal List",
"description" : "List of principals that are bypassed by the Agent for authentication and search purposes. (property name: com.sun.identity.agents.config.bypass.principal) <br>Hot-swap: Yes <br> Examples: <br> guest <br> testuser",
"propertyOrder" : 9300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"encryptionProvider" : {
"title" : "Encryption Provider",
"description" : "Specifies the encryption provider implementation to be used by the Agent. (property name: com.iplanet.security.encryptor) <br>Hot-swap: No",
"propertyOrder" : 10400,
"required" : false,
"type" : "string"
},
"localeCountry" : {
"title" : "Locale Country",
"description" : "(property name: com.sun.identity.agents.config.locale.country) <br>Hot-swap: No",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"legacyRedirectUri" : {
"title" : "Legacy User Agent Redirect URI",
"description" : "An intermediate URI used by the Agent to redirect legacy user agent requests. (property name: com.sun.identity.agents.config.legacy.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 6900,
"required" : false,
"type" : "string"
}
}
}
}
}
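The Continuous Security Cookies and Continuous Security Headers maps above define how the agent turns parts of the user's request into the `environment` a policy script sees: key is the request header or cookie name, value is the name exposed to the script, several sources may share one exposed name (then the script sees an array), and a missing source contributes the empty string. The function below, an added example rather than code from AM or the Java agent, applies those rules to a constructed request. It assumes, since the page does not say, that header names match case-insensitively, cookie names case-sensitively, and that a name fed by exactly one source is exposed as a plain string while two or more are exposed as a list; the header and cookie names in the sample are hypothetical.

```python
"""Assemble the policy-evaluation 'environment' from a request, following the
Continuous Security Cookies / Headers maps.

Added example, not code from AM or the Java agent. Assumptions not stated on
the page: header names are matched case-insensitively (HTTP header names are),
cookie names case-sensitively, and a script name fed by exactly one source is
exposed as a plain string while two or more sources are exposed as a list.
"""


def build_policy_environment(request_headers, request_cookies, header_map, cookie_map):
    """Return {script name: value or list of values}.

    header_map / cookie_map are the continuousSecurityHeaders /
    continuousSecurityCookies maps: {request header or cookie name: script name}.
    A header or cookie absent from the request contributes the empty string.
    """
    lowered_headers = {name.lower(): value for name, value in request_headers.items()}
    collected = {}
    for header_name, script_name in header_map.items():
        collected.setdefault(script_name, []).append(
            lowered_headers.get(header_name.lower(), ""))
    for cookie_name, script_name in cookie_map.items():
        collected.setdefault(script_name, []).append(
            request_cookies.get(cookie_name, ""))
    # One source -> string; several sources mapped to the same name -> array.
    return {name: values[0] if len(values) == 1 else values
            for name, values in collected.items()}


# Constructed sample request and maps (hypothetical header and cookie names).
SAMPLE_HEADERS = {"User-Agent": "Mozilla/5.0", "X-Forwarded-For": "203.0.113.7, 10.0.0.2"}
SAMPLE_COOKIES = {"deviceId": "abc123"}
HEADER_MAP = {"User-Agent": "ua", "X-Forwarded-For": "clientIp", "X-Device-Fingerprint": "fp"}
COOKIE_MAP = {"deviceId": "device", "deviceToken": "device"}


if __name__ == "__main__":
    env = build_policy_environment(SAMPLE_HEADERS, SAMPLE_COOKIES, HEADER_MAP, COOKIE_MAP)
    for name, value in env.items():
        print(f"{name}: {value!r}")
```

Every value that reaches the script this way is copied from the client's own request, so a policy script must treat `environment` entries such as `clientIp` above as attacker-controlled input unless a trusted proxy in front of the agent is known to set the header.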
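Several of the settings in this schema remove protection outright when misconfigured: a Not Enforced URI wildcard that matches everything, an Invert Not Enforced URIs flag (which, per the description, makes the listed URIs the only enforced ones, so an empty inverted list enforces nothing), an overly wide Not Enforced Client IP entry, CDSSO with the Secure flag disabled on the SSO token cookie, cleartext AM URLs, and a non-empty Bypass Principal List. The linter below is an added example, not part of AM or the agent. It reads a configuration shaped like this endpoint's response (a map of sections, each a map of properties) and looks properties up by name across all sections, so it does not depend on which section a property lives in; the sample configuration, the section name `applicationJ2EEAgentConfig`, the host names and the clock-skew threshold are constructed for the example.

```python
"""Lint the security-relevant settings of a J2EE agent configuration.

Added example, not part of AM or the agent. Input is a dict of config sections
(amServicesJ2EEAgent, ssoJ2EEAgentConfig, ...), each a dict of properties, as
returned by this endpoint. Properties are resolved by name across all sections.
"""

CLEARTEXT_URL_PROPS = ("amLoginUrl", "amLogoutUrl", "cdssoUrls", "cdssoTrustedIdProvider")


def flatten_properties(agent_config):
    """Merge every section's properties into one {name: value} map."""
    props = {}
    for section in agent_config.values():
        if isinstance(section, dict):
            props.update(section)
    return props


def lint_agent_config(agent_config, max_clock_skew_seconds=300):
    """Return a list of (severity, message); severities are CRITICAL, WARN, INFO."""
    p = flatten_properties(agent_config)
    findings = []

    # Not enforced URIs: '/*' exempts everything; invert=true makes the list the
    # ONLY enforced URIs, so an empty inverted list enforces nothing at all.
    uris = p.get("notEnforcedUris") or []
    if p.get("invertNotEnforcedUris"):
        if uris:
            findings.append(("WARN", "invertNotEnforcedUris is true: only %s are enforced, "
                             "every other URI is open" % ", ".join(uris)))
        else:
            findings.append(("CRITICAL", "invertNotEnforcedUris is true with an empty "
                             "notEnforcedUris list: no URI is enforced"))
    for uri in uris:
        if uri.strip() in ("*", "/*"):
            findings.append(("CRITICAL", "notEnforcedUris entry %r exempts every URI" % uri))

    # Not enforced client IPs: same invert logic; '*' or multi-octet wildcards are wide.
    ips = p.get("notEnforcedIps") or []
    if p.get("invertNotEnforcedIps") and not ips:
        findings.append(("CRITICAL", "invertNotEnforcedIps is true with an empty "
                         "notEnforcedIps list: no client address is enforced"))
    for ip in ips:
        if ip.strip() == "*":
            findings.append(("CRITICAL", "notEnforcedIps entry '*' exempts every client address"))
        elif ip.count("*") > 1:
            findings.append(("WARN", "notEnforcedIps entry %r exempts a very wide range" % ip))

    # CDSSO: token cookie without the Secure flag, and a generous clock skew.
    if p.get("cdsso") and not p.get("cdssoSecureCookies"):
        findings.append(("WARN", "cdsso is enabled but cdssoSecureCookies is off: the SSO "
                         "token cookie is set in the CDSSO domains without the Secure flag"))
    skew = p.get("cdssoClockSkew")
    if isinstance(skew, int) and skew > max_clock_skew_seconds:
        findings.append(("WARN", "cdssoClockSkew of %ds widens the AuthnResponse "
                         "validity window" % skew))

    # Redirect targets over cleartext HTTP.
    for prop in CLEARTEXT_URL_PROPS:
        for url in p.get(prop) or []:
            if url.lower().startswith("http://"):
                findings.append(("WARN", "%s contains cleartext URL %s" % (prop, url)))

    if p.get("bypassPrincipalList"):
        findings.append(("INFO", "bypassPrincipalList skips agent authentication for: %s"
                         % ", ".join(p["bypassPrincipalList"])))
    if p.get("notEnforcedUrisRefreshSessionIdleTime"):
        findings.append(("INFO", "requests to not-enforced URIs refresh the session idle time"))
    return findings


# Constructed sample shaped like this endpoint's response.
SAMPLE_CONFIG = {
    "applicationJ2EEAgentConfig": {  # section name assumed; not shown in this excerpt
        "notEnforcedUris": ["/BankApp/public/*", "/*"],
        "invertNotEnforcedUris": False,
        "notEnforcedIps": ["192.18.145.*", "10.*.*.*"],
        "invertNotEnforcedIps": False,
        "notEnforcedUrisRefreshSessionIdleTime": True,
    },
    "ssoJ2EEAgentConfig": {
        "cdsso": True,
        "cdssoSecureCookies": False,
        "cdssoClockSkew": 60,
        "cdssoUrls": ["http://am.example.com:8080/openam/cdcservlet"],
        "cdssoTrustedIdProvider": ["https://am.example.com/openam/cdcservlet"],
    },
    "amServicesJ2EEAgent": {
        "amLoginUrl": ["https://am.example.com/openam/UI/Login"],
        "amLogoutUrl": ["https://am.example.com/openam/UI/Logout"],
    },
    "miscJ2EEAgentConfig": {"bypassPrincipalList": ["guest"]},
}


if __name__ == "__main__":
    for severity, message in lint_agent_config(SAMPLE_CONFIG):
        print(f"{severity:8} {message}")
```

Run it against the JSON this endpoint returns after every agent change, or as a CI gate on exported agent profiles; the CRITICAL findings are the ones that silently turn the agent into a pass-through.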
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"amServicesJ2EEAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"policyActionBooleanValues" : {
"title" : "Policy Client Boolean Action Values",
"description" : "Boolean action values for policy action names. (property name: com.sun.identity.policy.client.booleanActionValues) <br>Hot-swap: No",
"propertyOrder" : 11500,
"required" : false,
"type" : "string"
},
"conditionalLogoutUrl" : {
"title" : "AM Conditional Logout URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.logout.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1¶m2=value2 <br> match/path|?param1=value1¶m2=value2¶m3=value3",
"propertyOrder" : 12550,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyNotifications" : {
"title" : "Enable Policy Notifications",
"description" : "Enable Notifications for remote policy client. (property name: com.sun.identity.agents.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 11200,
"required" : false,
"type" : "boolean"
},
"userDataCachePollingTime" : {
"title" : "User Data Cache Polling Time",
"description" : "Cache update time in minutes for user management data. If set to '0' no updates happen. (property name: com.iplanet.am.sdk.remote.pollingTime) <br>Hot-swap: No",
"propertyOrder" : 10600,
"required" : false,
"type" : "integer"
},
"enableClientPolling" : {
"title" : "Enable Client Polling",
"description" : "Specifies if the session client must use polling for updating session information and not depend upon server notifications. (property name: com.iplanet.am.session.client.polling.enable) <br>Hot-swap: No",
"propertyOrder" : 10200,
"required" : false,
"type" : "boolean"
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 3700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serviceDataCacheTime" : {
"title" : "Service Data Cache Time",
"description" : "Cache update time in minutes for service configuration data. If set to '0' no updates happen. (property name: com.sun.identity.sm.cacheTime) <br>Hot-swap: No",
"propertyOrder" : 10800,
"required" : false,
"type" : "integer"
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"policyClientPollingInterval" : {
"title" : "Policy Client Polling Interval",
"description" : "Duration in minutes after which the cached entries are refreshed by remote policy client. (property name: com.sun.identity.agents.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 11300,
"required" : false,
"type" : "integer"
},
"authServicePort" : {
"title" : "AM Authentication Service Port",
"description" : "Port to be used by the AM authentication service. (property name: com.iplanet.am.server.port) <br>Hot-swap: No",
"propertyOrder" : 11100,
"required" : false,
"type" : "integer"
},
"urlPolicyEnvJsessionParameters" : {
"title" : "URL Policy Env jsession Parameters",
"description" : "List of HTTP SESSION attributes whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.jsession.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 12000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authServiceHost" : {
"title" : "AM Authentication Service Host Name",
"description" : "Host name to be used by the AM authentication service. (property name: com.iplanet.am.server.host) <br>Hot-swap: No",
"propertyOrder" : 11000,
"required" : false,
"type" : "string"
},
"clientPollingPeriod" : {
"title" : "Client Polling Period",
"description" : "(Not used in Agent 5 onwards) <br>Time in seconds after which the session client will request update of cached session information from the server. (property name: com.iplanet.am.session.client.polling.period) <br>Hot-swap: No",
"propertyOrder" : 10300,
"required" : false,
"type" : "integer"
},
"policyClientResourceComparators" : {
"title" : "Policy Client Resource Comparators",
"description" : "Resource Comparators to be used for different service names. (property name: com.sun.identity.policy.client.resourceComparators) <br>Hot-swap: No",
"propertyOrder" : 11600,
"required" : false,
"type" : "string"
},
"urlPolicyEnvGetParameters" : {
"title" : "URL Policy Env GET Parameters",
"description" : "List of HTTP GET request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.get.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClientClockSkew" : {
"title" : "Policy Client Clock Skew",
"description" : "Time in seconds which is allowed to accommodate the time difference between the AM server machine and the remote policy client machine. (property name: com.sun.identity.policy.client.clockSkew) <br>Hot-swap: No",
"propertyOrder" : 11700,
"required" : false,
"type" : "integer"
},
"userDataCacheNotifications" : {
"title" : "Enable Notification of User Data Caches",
"description" : "Enable notifications for amsdk and IdRepo Caches. (property name: com.sun.identity.idm.remote.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10500,
"required" : false,
"type" : "boolean"
},
"loginProbeTimeout" : {
"title" : "Login URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Login URL Probe is set to true. (property name: com.sun.identity.agents.config.login.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 4000,
"required" : false,
"type" : "integer"
},
"logoutProbeTimeout" : {
"title" : "Logout URL Probe Timeout",
"description" : "The connect timeout value in milliseconds, if also Logout URL Probe is set to true. (property name: com.sun.identity.agents.config.logout.url.probe.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 12700,
"required" : false,
"type" : "integer"
},
"serviceDataCacheNotifications" : {
"title" : "Enable Notification of Service Data Caches",
"description" : "Enable the notifications for service management caches. (property name: com.sun.identity.sm.notification.enabled) <br>Hot-swap: No",
"propertyOrder" : 10700,
"required" : false,
"type" : "boolean"
},
"probeLoginUrl" : {
"title" : "Login URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.login.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 3900,
"required" : false,
"type" : "boolean"
},
"probeLogoutUrl" : {
"title" : "Logout URL Probe",
"description" : "Specifies if agent will check the availability of these urls before redirecting to them. (property name: com.sun.identity.agents.config.logout.url.probe.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 12600,
"required" : false,
"type" : "boolean"
},
"useRedirectForCompositeAdvice" : {
"title" : "Use HTTP-Redirect for composite advice",
"description" : "Configure remote policy client to use HTTP-redirect instead of HTTP-POST for composite advices. (property name: com.sun.identity.agents.config.policy.advice.use.redirect) <br>Hot-swap: Yes",
"propertyOrder" : 13000,
"required" : false,
"type" : "boolean"
},
"conditionalLoginUrl" : {
"title" : "AM Conditional Login URL",
"description" : "(Only used in Agent 5 onwards) (property name: org.forgerock.openam.agents.config.conditional.login.url) <br>Hot-swap: Yes <br> Examples: <br> match|url?param1=value1¶m2=value2 <br> match/path|?param1=value1¶m2=value2¶m3=value3",
"propertyOrder" : 4010,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClientCacheMode" : {
"title" : "Policy Client Cache Mode",
"description" : "Mode of caching to be used by remote policy client. (property name: com.sun.identity.policy.client.cacheMode) <br>Hot-swap: No",
"propertyOrder" : 11400,
"required" : false,
"type" : "string"
},
"authServiceProtocol" : {
"title" : "AM Authentication Service Protocol",
"description" : "Protocol to be used by the AM authentication service. (property name: com.iplanet.am.server.protocol) <br>Hot-swap: No",
"propertyOrder" : 10900,
"required" : false,
"type" : "string"
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with. (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"urlPolicyEnvPostParameters" : {
"title" : "URL Policy Env POST Parameters",
"description" : "List of HTTP POST request parameters whose names and values will be set in the environment map for URL policy evaluation at AM server. (property name: com.sun.identity.agents.config.policy.env.post.param) <br>Hot-swap: Yes <br> Examples: <br> name <br> phonenumber",
"propertyOrder" : 11900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 12400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginUrlPrioritized" : {
"title" : "Login URL Prioritized",
"description" : "Specifies if failover sequence for Login URLs or CDSSO URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.login.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 3800,
"required" : false,
"type" : "boolean"
},
"logoutUrlPrioritized" : {
"title" : "Logout URL Prioritized",
"description" : "Specifies if failover sequence for Logout URLs should be prioritized as defined in the AM Login URL list. (property name: com.sun.identity.agents.config.logout.url.prioritized) <br>Hot-swap: Yes",
"propertyOrder" : 12500,
"required" : false,
"type" : "boolean"
}
}
},
"ssoJ2EEAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cdssoTrustedIdProvider" : {
"title" : "CDSSO Trusted ID Provider",
"description" : "List of AM Server/ID providers that should be trusted by the agent, when evaluating the CDC Liberty Responses. (property name: com.sun.identity.agents.config.cdsso.trusted.id.provider) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetDomains" : {
"title" : "Cookies Reset Domain Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the domain of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.domain) <br>Hot-swap: Yes",
"propertyOrder" : 4800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross Domain Single SignOn. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5000,
"required" : false,
"type" : "boolean"
},
"cookieResetNames" : {
"title" : "Cookies Reset Name List",
"description" : "Cookie names that will be reset by the Agent if Cookie Reset is enabled. (property name: com.sun.identity.agents.config.cdsso.cookie.reset.name) <br>Hot-swap: Yes",
"propertyOrder" : 4700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetPaths" : {
"title" : "Cookies Reset Path Map",
"description" : "Maps cookie names specified in Cookie Reset Name List to value being the path of this cookie to be used when a reset event occurs. (property name: com.sun.identity.agents.config.cookie.reset.path) <br>Hot-swap: Yes",
"propertyOrder" : 4900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cdssoClockSkew" : {
"title" : "CDSSO Clock Skew",
"description" : "Time in seconds to be used by the Agent to determine the validity of the CDSSO AuthnResponse assertion. (property name: com.sun.identity.agents.config.cdsso.clock.skew) <br>Hot-swap: Yes",
"propertyOrder" : 5300,
"required" : false,
"type" : "integer"
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 5200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"ssoCacheEnabled" : {
"title" : "SSO Cache Enable",
"description" : "Specifies if the SSO Cache is active for the agent. Cache is used through public APIs exposed by the agent SDK. (property name: com.sun.identity.agents.config.amsso.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4500,
"required" : false,
"type" : "boolean"
},
"cdssoDomainList" : {
"title" : "CDSSO Domain List",
"description" : "Domains for which cookies have to be set in a CDSSO scenario. (property name: com.sun.identity.agents.config.cdsso.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 5800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 4600,
"required" : false,
"type" : "boolean"
},
"cdssoSecureCookies" : {
"title" : "CDSSO Secure Enable",
"description" : "The SSO Token cookie set by the agent in the different domains in CDSSO mode will be marked secure. It is only transmitted if the communications channel with the host is a secure one. (property name: com.sun.identity.agents.config.cdsso.secure.enable) <br>Hot-swap: Yes",
"propertyOrder" : 5700,
"required" : false,
"type" : "boolean"
},
"amCookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.iplanet.am.cookie.name) <br>Hot-swap: No",
"propertyOrder" : 10100,
"required" : false,
"type" : "string"
}
}
},
"globalJ2EEAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 1800,
"required" : false,
"type" : "boolean"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 12105,
"required" : false,
"type" : "integer"
},
"userMappingMode" : {
"title" : "User Mapping Mode",
"description" : "Specifies the mechanism the agent uses to determine the user-ID. (property name: com.sun.identity.agents.config.user.mapping.mode) <br>Hot-swap: Yes",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
},
"configurationReloadInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in seconds between configuration reloads. (property name: com.sun.identity.agents.config.load.interval) <br>Hot-swap: Yes",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 1500,
"required" : false,
"type" : "string"
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 22700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 12100,
"required" : false,
"type" : "boolean"
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6400,
"required" : false,
"type" : "boolean"
},
"redirectAttemptLimit" : {
"title" : "Redirect Attempt Limit",
"description" : "Number of successive single-point redirects that a user can make within a single browser session before the user request is blocked. Set to 0 to disable this feature. (property name: com.sun.identity.agents.config.redirect.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 7100,
"required" : false,
"type" : "integer"
},
"userPrincipalFlag" : {
"title" : "User Principal Flag",
"description" : "Use principal instead of just the user-ID for authenticating the user. (property name: com.sun.identity.agents.config.user.principal) <br>Hot-swap: Yes",
"propertyOrder" : 800,
"required" : false,
"type" : "boolean"
},
"filterMode" : {
"title" : "Agent Filter Mode",
"description" : "Specifies the mode of operation of the Filter. (property name: com.sun.identity.agents.config.filter.mode) <br>Valid key: the web application name. <br>Valid values: ALL, J2EE_POLICY (Not used in Agent 5 onwards), URL_POLICY, SSO_ONLY, NONE <br>For this property, a global value can be set to apply to all the applications that don't have their own specific filter mode. <br>Hot-swap: No <br>Examples: <br>To set ALL as the global filter mode: leave Map Key field empty, and enter ALL in Corresponding Map Value field. <br>To set URL_POLICY as the filter mode for application BankApp: enter BankApp in Map Key field, and enter URL_POLICY in Corresponding Map Value field.",
"propertyOrder" : 500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 1600,
"required" : false,
"type" : "string"
},
"httpSessionBinding" : {
"title" : "HTTP Session Binding",
"description" : "If true, invalidates the HTTP session when login has failed, the user has no SSO session, or the principal user name does not match the SSO user name. (property name: com.sun.identity.agents.config.httpsession.binding) <br>Hot-swap: Yes",
"propertyOrder" : 3500,
"required" : false,
"type" : "boolean"
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 6600,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 11201,
"required" : false,
"type" : "string"
},
"remoteLogFilename" : {
"title" : "Remote Log File Name",
"description" : "Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: Yes",
"propertyOrder" : 1700,
"required" : false,
"type" : "string"
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 300,
"required" : false,
"type" : "string"
},
"debugLevel" : {
"title" : "Agent Debug Level",
"description" : "Specifies type of agent debug messages to log. (property name: com.iplanet.services.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 10000,
"required" : false,
"type" : "string"
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 6500,
"required" : false,
"type" : "string"
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 1900,
"required" : false,
"type" : "integer"
},
"loginAttemptLimit" : {
"title" : "Login Attempt Limit",
"description" : "Limit of failed login attempts for a user's single browser session until triggering the blocking of the user request. Value of 0 disables this feature. (property name: com.sun.identity.agents.config.login.attempt.limit) <br>Hot-swap: Yes",
"propertyOrder" : 4400,
"required" : false,
"type" : "integer"
},
"customResponseHeader" : {
"title" : "Custom Response Header",
"description" : "Map specifies the custom headers that are set by the Agent on the client browser. The key is the header name and the value represents the header value. (property name: com.sun.identity.agents.config.response.header) <br>Hot-swap: Yes <br> Example: <br> To set the custom header Cache-Control to value no-cache: enter Cache-Control in Map Key field, and enter no-cache in Corresponding Map Value field.",
"propertyOrder" : 7000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"userAttributeName" : {
"title" : "User Attribute Name",
"description" : "Name of the attribute which contains the user-ID. (property name: com.sun.identity.agents.config.user.attribute.name) <br>Hot-swap: Yes",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"userTokenName" : {
"title" : "User Token Name",
"description" : "Session property name for user-ID of the authenticated user in session. (property name: com.sun.identity.agents.config.user.token) <br>Hot-swap: Yes",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"advancedJ2EEAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"webServiceInternalErrorContentFile" : {
"title" : "Web Service Internal Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an internal error fault for clients. (property name: com.sun.identity.agents.config.webservice.internalerror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2500,
"required" : false,
"type" : "string"
},
"possibleXssCodeElements" : {
"title" : "Possible XSS code elements",
"description" : "If one of these strings occurs in the request, the client is redirected to an error page. (property name: com.sun.identity.agents.config.xss.code.elements) <br>Hot-swap: Yes",
"propertyOrder" : 12800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceAuthorizationErrorContentFile" : {
"title" : "Web Service Authorization Error Content File",
"description" : "The name of file that contains content used by the Agent to generate an authorization error fault for clients. (property name: com.sun.identity.agents.config.webservice.autherror.content) <br>Hot-swap: Yes",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"missingPostDataPreservationEntryUri" : {
"title" : "Missing PDP entry URI",
"description" : "An application-specific URI Map that is used in case the referenced PDP entry cannot be found in the local cache (due to TTL expiry). In such cases the agent redirects to the specified URI; otherwise it shows an HTTP 403 Forbidden error. (property name: com.sun.identity.agents.config.postdata.preservce.cache.noentry.url)<br>Examples: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 13200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceEnabled" : {
"title" : "Web Service Enable",
"description" : "Flag specifies if Web Service processing is enabled. (property name: com.sun.identity.agents.config.webservice.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2000,
"required" : false,
"type" : "boolean"
},
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 12200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"alternativeAgentHostname" : {
"title" : "Alternative Agent Host Name",
"description" : "Host name identifying the Agent protected server to the client browsers if different from the actual host name. (property name: com.sun.identity.agents.config.agent.host) <br>Hot-swap: Yes",
"propertyOrder" : 4100,
"required" : false,
"type" : "string"
},
"postDataPreserveCacheEntryMaxEntries" : {
"title" : "PDP Maximum Number of Cache Entries",
"description" : "Maximum number of entries to hold in the PDP cache (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.entries) (Agent 5 only).",
"propertyOrder" : 13550,
"required" : false,
"type" : "integer"
},
"webServiceProcessGetEnabled" : {
"title" : "Web Service Process GET Enable",
"description" : "Flag that indicates whether the processing of HTTP GET requests for Web Service endpoints is enabled. (property name: com.sun.identity.agents.config.webservice.process.get.enable) <br>Hot-swap: Yes",
"propertyOrder" : 2200,
"required" : false,
"type" : "boolean"
},
"alternativeAgentPort" : {
"title" : "Alternative Agent Port Name",
"description" : "Port number identifying the Agent protected server listening port to the client browsers if different from the actual listening port. (property name: com.sun.identity.agents.config.agent.port) <br>Hot-swap: Yes",
"propertyOrder" : 4200,
"required" : false,
"type" : "string"
},
"webServiceResponseProcessor" : {
"title" : "Web Service Response Processor",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceResponseProcessor that can be used to process the web-service responses. (property name: com.sun.identity.agents.config.webservice.responseprocessor) <br>Hot-swap: Yes",
"propertyOrder" : 2400,
"required" : false,
"type" : "string"
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 1100,
"required" : false,
"type" : "string"
},
"postDataStickySessionMode" : {
"title" : "PDP Stickysession mode",
"description" : "The PDP mechanism needs sticky load balancing; the URL mode will append a query string, while the Cookie mode will create a cookie. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.mode)",
"propertyOrder" : 13400,
"required" : false,
"type" : "string"
},
"postDataCacheTtl" : {
"title" : "PDP entry TTL",
"description" : "This value tells how long a given POST entry should be stored in the local cache (in milliseconds), default value is 300000. (property name: com.sun.identity.agents.config.postdata.preserve.cache.entry.ttl)",
"propertyOrder" : 13300,
"required" : false,
"type" : "integer"
},
"webServiceEndpoints" : {
"title" : "Web Service End Points",
"description" : "A list of Web Application end points that represent Web Services. (property name: com.sun.identity.agents.config.webservice.endpoint) <br>Hot-swap: Yes",
"propertyOrder" : 2100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"webServiceAuthenticator" : {
"title" : "Web Service Authenticator",
"description" : "An implementation class of interface com.sun.identity.agents.filter.IWebServiceAuthenticator that can be used to authenticate web-service requests. (property name: com.sun.identity.agents.config.webservice.authenticator) <br>Hot-swap: Yes",
"propertyOrder" : 2300,
"required" : false,
"type" : "string"
},
"alternativeAgentProtocol" : {
"title" : "Alternative Agent Protocol",
"description" : "Protocol being used (http/https) by the client browsers to communicate with the Agent protected server if different from the actual protocol used by the server. (property name: com.sun.identity.agents.config.agent.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 4300,
"required" : false,
"type" : "string"
},
"postDataPreserveCacheEntryMaxTotalSizeMb" : {
"title" : "PDP Maximum Cache Size",
"description" : "Maximum size of the PDP cache, in megabytes (Property name: org.forgerock.openam.agents.config.postdata.preserve.cache.entry.max.total.size.mb). (Agent 5 only)",
"propertyOrder" : 13600,
"required" : false,
"type" : "integer"
},
"jbossWebAuthenticationAvailable" : {
"title" : "WebAuthentication Available",
"description" : "(Not used in Agent 5 onwards) <br>Enable agent to make programmatic authentication with the JBoss web container using WebAuthentication feature. (property name: com.sun.identity.agents.config.jboss.webauth.available) <br>Hot-swap: Yes",
"propertyOrder" : 12300,
"required" : false,
"type" : "boolean"
},
"postDataPreservation" : {
"title" : "Post Data Preservation enabled",
"description" : "Post Data Preservation stores any POST data before redirecting the user to the login screen; after successful login the agent generates a page that auto-submits the same POST to the original URL. (property name: com.sun.identity.agents.config.postdata.preserve.enable)",
"propertyOrder" : 13100,
"required" : false,
"type" : "boolean"
},
"xssDetectionRedirectUri" : {
"title" : "XSS detection redirect URI",
"description" : "An application-specific Map that identifies a URI of the customized page if XSS code has been detected. (property name: com.sun.identity.agents.config.xss.redirect.uri) <br>Hot-swap: Yes <br>Examples: <br>To set a redirect target for application BankApp: enter BankApp in Map Key field, and enter a redirect URI in Corresponding Map Value field.",
"propertyOrder" : 12900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"postDataStickySessionKeyValue" : {
"title" : "PDP Stickysession key-value",
"description" : "The provided key-value pair will be used for adding to the URL or creating the cookie. <br>Example: <br>Set 'lb=server1' to append to the querystring or to have 'lb' cookie with 'server1' value. (property name: com.sun.identity.agents.config.postdata.preserve.stickysession.value)",
"propertyOrder" : 13500,
"required" : false,
"type" : "string"
}
}
},
"applicationJ2EEAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"customVerificationHandlers" : {
"title" : "Custom Verification Handler",
"description" : "Application specific verification handler to validate the user credentials with the local repository. (property name: com.sun.identity.agents.config.verification.handler) <br>Valid key: the web application name. <br>Valid value: the verification handler class name. <br>Hot-swap: Yes <br> Example: <br> To set verification handler for application BankApp: enter BankApp in Map Key field, and enter verification handler class name BankVerificationHandler in Corresponding Map Value field.",
"propertyOrder" : 3400,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"defaultPrivilegedAttributes" : {
"title" : "Default Privileged Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attributes that will be granted to all users who have a valid AM session. (property name: com.sun.identity.agents.config.default.privileged.attribute) <br>Hot-swap: Yes <br> Example: <br> AUTHENTICATED_USERS",
"propertyOrder" : 9400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedRuleCompoundSeparator" : {
"title" : "Not Enforced Compound Rule Separator",
"description" : "Specifies a separator for not enforced compound rules (Agent 5 only). The format for compound rules requires a list of IP rules, a separator (by default the | character), and a list of URI rules. For example: GET 192.168.1.1-192.168.4.3 | /images/* <br>Configure a different separator (for example, &&) when working with the REGEX keyword to avoid invalid regular expressions.",
"propertyOrder" : 7450,
"required" : false,
"type" : "string"
},
"sessionAttributeMap" : {
"title" : "Session Attribute Mapping",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 9000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"logoutRequestParameters" : {
"title" : "Logout Request Parameter",
"description" : "An application-specific Map that identifies a parameter which when present in the HTTP request indicates a logout event. (property name: com.sun.identity.agents.config.logout.request.param) <br>Valid key: the web application name. <br>Valid value: the logout request parameter. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout request parameter. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout request parameter: leave Map Key field empty, and enter the global application logout request parameter logoutparam in Corresponding Map Value field. <br> To set the logout request parameter for application BankApp: enter BankApp in Map Key field, and enter the logout request parameter logoutparam in Corresponding Map Value field.",
"propertyOrder" : 6100,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"headerAttributeDateFormat" : {
"title" : "Fetch Attribute Date Format",
"description" : "Format of date attribute values to be used when the attribute is being set as HTTP header. Format is based on java.text.SimpleDateFormat. (property name: com.sun.identity.agents.config.attribute.date.format) <br>Hot-swap: Yes",
"propertyOrder" : 8400,
"required" : false,
"type" : "string"
},
"loginFormUri" : {
"title" : "Login Form URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-login-page element. (property name: com.sun.identity.agents.config.login.form) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/login.jsp",
"propertyOrder" : 2800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginContentFile" : {
"title" : "Login Content File Name",
"description" : "Complete path and name of custom login content file. (property name: com.sun.identity.agents.config.login.content.file) <br>Hot-swap: Yes",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"logoutEntryUri" : {
"title" : "Logout Entry URI",
"description" : "An application-specific Map that identifies a URI to be used as an entry point after successful logout and subsequent successful authentication if applicable. (property name: com.sun.identity.agents.config.logout.entry.uri) <br>Valid key: the web application name. <br>Valid value: the logout entry URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout entry URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout entry URI: leave Map Key field empty, and enter the global application logout entry URI /welcome.html in Corresponding Map Value field. <br> To set the logout entry URI for application BankApp: enter BankApp in Map Key field, and enter the logout entry URI /BankApp/welcome.html in Corresponding Map Value field.",
"propertyOrder" : 6300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"applicationLogoutHandlers" : {
"title" : "Application Logout Handler",
"description" : "An application-specific Map that identifies a handler to be used for logout processing. (property name: com.sun.identity.agents.config.logout.application.handler) <br>Valid key: the web application name. <br>Valid value: the application logout handler class name. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout handler. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout handler: leave Map Key field empty, and enter the global application logout handler class name GlobalApplicationLogoutHandler in Corresponding Map Value field. <br>To set the logout handler for application BankApp: enter BankApp in Map Key field, and enter the application logout handler class name BankAppLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 5900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"applicationLogoutUris" : {
"title" : "Application Logout URI",
"description" : "An application-specific Map that identifies a request URI which indicates a logout event. (property name: com.sun.identity.agents.config.logout.uri) <br>Valid key: the web application name. <br>Valid value: the application logout URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific logout URI. <br>Hot-swap: Yes <br> Examples: <br>To set a global application logout URI: leave Map Key field empty, and enter the global application logout URI /logout.jsp in Corresponding Map Value field. <br> To set the logout URI for application BankApp: enter BankApp in Map Key field, and enter the application logout URI /BankApp/logout.jsp in Corresponding Map Value field.",
"propertyOrder" : 6000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"customLogoutHandlers" : {
"title" : "Custom Logout Handler",
"description" : "Application specific logout handler to log out a user with the application server. (property name: com.sun.identity.agents.config.logout.handler) <br>Valid key: the web application name. <br>Valid value: the logout handler class name. <br>Hot-swap: Yes <br> Example: <br>To set logout handler for application BankApp: enter BankApp in Map Key field, and enter logout handler class name BankLogoutHandler in Corresponding Map Value field.",
"propertyOrder" : 3300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"logoutIntrospection" : {
"title" : "Logout Introspect Enabled",
"description" : "Allows the Agent to search HTTP request body to locate logout parameter. (property name: com.sun.identity.agents.config.logout.introspect.enabled) <br>Hot-swap: Yes",
"propertyOrder" : 6200,
"required" : false,
"type" : "boolean"
},
"privilegedSessionAttribute" : {
"title" : "Privileged Session Attribute",
"description" : "(Not used in Agent 5 onwards) <br>List of session property names which hold privileged attributes for the authenticated user. (property name: com.sun.identity.agents.config.privileged.session.attribute) <br>Hot-swap: Yes <br> Example: <br> UserToken",
"propertyOrder" : 9700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3210,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedUrisCacheSize" : {
"title" : "Not Enforced URIs Cache Size",
"description" : "Size of the cache to be used if caching of not enforced URI list evaluation results is enabled. (property name: com.sun.identity.agents.config.notenforced.uri.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 7800,
"required" : false,
"type" : "integer"
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "The mode of fetching profile attributes. (property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8700,
"required" : false,
"type" : "string"
},
"resourceAccessDeniedUri" : {
"title" : "Resource Access Denied URI",
"description" : "An application-specific Map that identifies a URI of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.uri) <br>Valid key: the web application name. <br>Valid value: the customized application access denied page URI. <br>For this property, a global value can be set to apply to all the applications that don't have their own specific access denied page. <br>Hot-swap: Yes <br> Examples: <br>To set a global access denied page: leave Map Key field empty, and enter the global access denied page URI /sample/accessdenied.html in Corresponding Map Value field. <br> To set the access denied page URI for application BankApp: enter BankApp in Map Key field, and enter the application access denied page URI /BankApp/accessdenied.html in Corresponding Map Value field.",
"propertyOrder" : 2700,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"privilegedAttributeMappingEnabled" : {
"title" : "Enable Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Enable a mapping from the original value of an attribute to another value. To satisfy container-specific restrictions on character set being used in certain configuration files. (property name: com.sun.identity.agents.config.privileged.attribute.mapping.enable) <br>Hot-swap: Yes",
"propertyOrder" : 9800,
"required" : false,
"type" : "boolean"
},
"cookieAttributeUrlEncoded" : {
"title" : "Attribute Cookie Encode",
"description" : "Indicates if the value of the attribute should be URL encoded before being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.encode) <br>Hot-swap: Yes",
"propertyOrder" : 8500,
"required" : false,
"type" : "boolean"
},
"cookieAttributeMultiValueSeparator" : {
"title" : "Cookie Separator Character",
"description" : "Character that will be used to separate multiple values of the same attribute when it is being set as a cookie. (property name: com.sun.identity.agents.config.attribute.cookie.separator) <br>Hot-swap: Yes",
"propertyOrder" : 8300,
"required" : false,
"type" : "string"
},
"profileAttributeMap" : {
"title" : "Profile Attribute Mapping",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 8800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedUrisCacheEnabled" : {
"title" : "Not Enforced URIs Cache Enabled",
"description" : "Enables the caching of the Not Enforced URIs list evaluation results. (property name: com.sun.identity.agents.config.notenforced.uri.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7700,
"required" : false,
"type" : "boolean"
},
"notEnforcedUris" : {
"title" : "Not Enforced URIs",
"description" : "List of URIs for which protection is not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri) <br>Hot-swap: Yes <br> Examples: <br> /BankApp/public/* <br> /BankApp/images/*",
"propertyOrder" : 7500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"useInternalLogin" : {
"title" : "Use Internal Login",
"description" : "Set to false if you want to customize the Login Content File instead of using the default internal content provided. (property name: com.sun.identity.agents.config.login.use.internal) <br>Hot-swap: Yes",
"propertyOrder" : 3000,
"required" : false,
"type" : "boolean"
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "The mode of fetching policy response attributes. (property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 9100,
"required" : false,
"type" : "string"
},
"privilegedAttributesToLowerCase" : {
"title" : "Privileged Attributes To Lower Case",
"description" : "(Not used in Agent 5 onwards) <br>Maps the privileged attribute types to whether they should be converted to lowercase. (property name: com.sun.identity.agents.config.privileged.attribute.tolowercase) <br> Valid Keys: the privileged attribute types, such as Group, Role. <br>Valid value: true, false. <br>Hot-swap: Yes <br> Example: <br> Enter Group in Map Key field, and enter false in Corresponding Map Value field.",
"propertyOrder" : 9600,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"shortenedPrivilegeAttributeValues" : {
"title" : "Shortened privilege attribute values",
"description" : "When using privileged attribute type, this setting will ensure that the membership details will be stored in a shortened format and not in the default universal ID format.<br><br>By default the agent maps identity memberships using their universal IDs (e.g. id=admin,ou=group,dc=openam,dc=forgerock,dc=org), however this may not be always acceptable. Using this setting the identity membership details will be mapped in a shortened format, only including the group's/role's name (e.g. admin). Be aware that in case there are both roles and groups in the data store, this setting will make them indistinguishable from each other, i.e. if there is a group and a role with the same name it will not be possible to differentiate them.",
"propertyOrder" : 13600,
"required" : false,
"type" : "boolean"
},
"privilegedAttributeMap" : {
"title" : "Privileged Attribute Mapping",
"description" : "(Not used in Agent 5 onwards) <br>Map if using Enable Privileged Attribute Mapping. (property name: com.sun.identity.agents.config.privileged.attribute.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map UUID id=manager,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_manager_role specified in webapp's deployment descriptor: enter id=manager,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_manager_role in Corresponding Map Value field. <br> To map UUID id=employee,ou=group,dc=openam,dc=forgerock,dc=org to the principal name am_employee_role specified in webapp's deployment descriptor: enter id=employee,ou=group,dc=openam,dc=forgerock,dc=org in Map Key field, and enter am_employee_role in Corresponding Map Value field.",
"propertyOrder" : 9900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"customAuthenticationHandlers" : {
"title" : "Custom Authentication Handler",
"description" : "Application specific authentication handler to authenticate the logged on user with the application server. (property name: com.sun.identity.agents.config.auth.handler) <br>Valid key: the web application name. <br>Valid value: the authentication handler class name. <br>Hot-swap: Yes <br>Example: <br>To set authentication handler for application BankApp: enter BankApp in Map Key field, and enter authentication handler class name BankAuthHandler in Corresponding Map Value field.",
"propertyOrder" : 3200,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedIpsCacheEnabled" : {
"title" : "Not Enforced IP Cache Flag",
"description" : "Enable caching of not-enforced IP list evaluation results. (property name: com.sun.identity.agents.config.notenforced.ip.cache.enable) <br>Hot-swap: Yes",
"propertyOrder" : 8100,
"required" : false,
"type" : "boolean"
},
"privilegedAttributeType" : {
"title" : "Privileged Attribute Type",
"description" : "(Not used in Agent 5 onwards) <br>List of privileged attribute types that will be fetched for each user. (property name: com.sun.identity.agents.config.privileged.attribute.type) <br>Hot-swap: Yes <br> Example: <br> Group",
"propertyOrder" : 9500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedIpsCacheSize" : {
"title" : "Not Enforced IP Cache Size",
"description" : "Size of the cache to be used if Not Enforced IP Cache Flag is enabled. (property name: com.sun.identity.agents.config.notenforced.ip.cache.size) <br>Hot-swap: Yes",
"propertyOrder" : 8200,
"required" : false,
"type" : "integer"
},
"loginErrorUri" : {
"title" : "Login Error URI",
"description" : "List of absolute URIs corresponding to an application's web.xml form-error-page element. (property name: com.sun.identity.agents.config.login.error.uri) <br>Hot-swap: Yes <br> Example: <br> /BankApp/jsp/error.jsp",
"propertyOrder" : 2900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"invertNotEnforcedUris" : {
"title" : "Invert Not Enforced URIs",
"description" : "Inverts protection of URIs specified in Not Enforced URIs list. When set to true, it indicates that the URIs specified should be enforced and all other URIs should be not enforced by the Agent. (property name: com.sun.identity.agents.config.notenforced.uri.invert) <br>Hot-swap: Yes",
"propertyOrder" : 7600,
"required" : false,
"type" : "boolean"
},
"invertNotEnforcedIps" : {
"title" : "Not Enforced IP Invert List",
"description" : "Client IP Addresses to invert protection of IP addresses listed in the related Not Enforced Client IP List. (property name: com.sun.identity.agents.config.notenforced.ip.invert) <br>Hot-swap: Yes",
"propertyOrder" : 8000,
"required" : false,
"type" : "boolean"
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The names of the headers in the user's original request that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name under which it will appear in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 3211,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization protection from agent are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 7900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notEnforcedUrisRefreshSessionIdleTime" : {
"title" : "Refresh Session Idle Time",
"description" : "Indicates if opensso session idle time should be refreshed or reset for not enforced URIs. (property name: com.sun.identity.agents.config.notenforced.refresh.session.idletime) <br>Hot-swap: Yes",
"propertyOrder" : 8600,
"required" : false,
"type" : "boolean"
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "The mode of fetching session attributes. (property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 8900,
"required" : false,
"type" : "string"
},
"responseAttributeMap" : {
"title" : "Response Attribute Mapping",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 9200,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
}
},
"miscJ2EEAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. The default value should be changed only when the login URL has a landing page specified. <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcservlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent:port/original.jsp",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"legacyUserAgentSupport" : {
"title" : "Legacy User Agent Support Enable",
"description" : "Enables support for legacy user agents (browser). (property name: com.sun.identity.agents.config.legacy.support.enable) <br>Hot-swap: Yes",
"propertyOrder" : 6700,
"required" : false,
"type" : "boolean"
},
"portCheckEnabled" : {
"title" : "Port Check Enable",
"description" : "Indicates if port check functionality is enabled or disabled. (property name: com.sun.identity.agents.config.port.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 7200,
"required" : false,
"type" : "boolean"
},
"portCheckSetting" : {
"title" : "Port Check Setting",
"description" : "Map of port versus protocol entries with the key being the listening port number and value being the listening protocol to be used by the Agent to identify requests with invalid port numbers. (property name: com.sun.identity.agents.config.port.check.setting) <br>Hot-swap: Yes <br> Example: <br> To map port 80 to protocol http: enter 80 in Map Key field, and enter http in Corresponding Map Value field.",
"propertyOrder" : 7400,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 18600,
"required" : false,
"type" : "boolean"
},
"legacyUserAgentList" : {
"title" : "Legacy User Agent List",
"description" : "List of user agent header values that identify legacy browsers. Entries in this list can contain the wildcard character '*'. (property name: com.sun.identity.agents.config.legacy.user.agent) <br>Hot-swap: Yes",
"propertyOrder" : 6800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"portCheckFile" : {
"title" : "Port Check File",
"description" : "Name or complete path of a file that has the necessary content needed to handle requests that need port correction. (property name: com.sun.identity.agents.config.port.check.file) <br>Hot-swap: Yes",
"propertyOrder" : 7300,
"required" : false,
"type" : "string"
},
"localeLanguage" : {
"title" : "Locale Language",
"description" : "(property name: com.sun.identity.agents.config.locale.language) <br>Hot-swap: No",
"propertyOrder" : 1300,
"required" : false,
"type" : "string"
},
"bypassPrincipalList" : {
"title" : "Bypass Principal List",
"description" : "List of principals that are bypassed by the Agent for authentication and search purposes. (property name: com.sun.identity.agents.config.bypass.principal) <br>Hot-swap: Yes <br> Examples: <br> guest <br> testuser",
"propertyOrder" : 9300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"encryptionProvider" : {
"title" : "Encryption Provider",
"description" : "Specifies the encryption provider implementation to be used by the Agent. (property name: com.iplanet.security.encryptor) <br>Hot-swap: No",
"propertyOrder" : 10400,
"required" : false,
"type" : "string"
},
"localeCountry" : {
"title" : "Locale Country",
"description" : "(property name: com.sun.identity.agents.config.locale.country) <br>Hot-swap: No",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"legacyRedirectUri" : {
"title" : "Legacy User Agent Redirect URI",
"description" : "An intermediate URI used by the Agent to redirect legacy user agent requests. (property name: com.sun.identity.agents.config.legacy.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 6900,
"required" : false,
"type" : "string"
}
}
}
}
}
/realm-config/agents/groups/OAuth2Client
1.0
Agent Groups handler that is responsible for managing agent groups
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agent groups of a specific type
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"signEncOAuth2ClientConfig" : {
"type" : "object",
"title" : "Signing and Encryption",
"propertyOrder" : 3,
"properties" : {
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the JWKS content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum time for which the JWKS URI content is cached.",
"propertyOrder" : 24120,
"required" : true,
"type" : "integer"
},
"requestParameterSignedAlg" : {
"title" : "Request parameter signing algorithm",
"description" : "JWS algorithm for signing the request parameter.",
"propertyOrder" : 27500,
"required" : false,
"type" : "string"
},
"userinfoResponseFormat" : {
"title" : "User info response format.",
"description" : "The user info endpoint offers different output formats. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
"propertyOrder" : 27100,
"required" : true,
"type" : "string"
},
"idTokenEncryptionMethod" : {
"title" : "ID Token Encryption Method",
"description" : "Encryption method the ID Token for this client must be encrypted with.",
"propertyOrder" : 24800,
"required" : true,
"type" : "string"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the client's public keys.",
"propertyOrder" : 24200,
"required" : false,
"type" : "string"
},
"requestParameterEncryptedAlg" : {
"title" : "Request parameter encryption algorithm",
"description" : "JWE algorithm for encrypting the request parameter.",
"propertyOrder" : 27600,
"required" : false,
"type" : "string"
},
"userinfoEncryptedResponseEncryptionAlgorithm" : {
"title" : "User info encrypted response encryption algorithm",
"description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27400,
"required" : true,
"type" : "string"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
"propertyOrder" : 25700,
"required" : true,
"type" : "string"
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 24110,
"required" : true,
"type" : "integer"
},
"userinfoEncryptedResponseAlg" : {
"title" : "User info encrypted response algorithm",
"description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
"propertyOrder" : 27300,
"required" : false,
"type" : "string"
},
"userinfoSignedResponseAlg" : {
"title" : "User info signed response algorithm",
"description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
"propertyOrder" : 27200,
"required" : false,
"type" : "string"
},
"idTokenPublicEncryptionKey" : {
"title" : "Client ID Token Public Encryption Key",
"description" : "A Base64 encoded public key for encrypting ID Tokens.",
"propertyOrder" : 24900,
"required" : false,
"type" : "string"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The uri that contains the client's public keys in Json Web Key format.",
"propertyOrder" : 24100,
"required" : true,
"type" : "string"
},
"requestParameterEncryptedEncryptionAlgorithm" : {
"title" : "Request parameter encryption method",
"description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27700,
"required" : true,
"type" : "string"
},
"clientJwtPublicKey" : {
"title" : "Client JWT Bearer Public Key",
"description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
"propertyOrder" : 25400,
"required" : false,
"type" : "string"
},
"tokenEndpointAuthSigningAlgorithm" : {
"title" : "Token Endpoint Authentication Signing Algorithm",
"description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected if the JWT is not signed with this algorithm.",
"propertyOrder" : 24130,
"required" : true,
"type" : "string"
},
"idTokenEncryptionAlgorithm" : {
"title" : "ID Token Encryption Algorithm",
"description" : "Algorithm the ID Token for this client must be encrypted with.",
"propertyOrder" : 24700,
"required" : true,
"type" : "string"
},
"idTokenSignedResponseAlg" : {
"title" : "ID Token Signing Algorithm",
"description" : "Algorithm the ID Token for this client must be signed with.",
"propertyOrder" : 24500,
"required" : true,
"type" : "string"
},
"idTokenEncryptionEnabled" : {
"title" : "Enable ID Token Encryption",
"description" : "Select to enable ID token encryption.",
"propertyOrder" : 24600,
"required" : true,
"type" : "boolean"
}
}
},
"advancedOAuth2ClientConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"subjectType" : {
"title" : "Subject Type",
"description" : "The subject type added to responses for this client.",
"propertyOrder" : 24400,
"required" : true,
"type" : "string"
},
"tokenEndpointAuthMethod" : {
"title" : "Token Endpoint Authentication Method",
"description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
"propertyOrder" : 24000,
"required" : true,
"type" : "string"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
"propertyOrder" : 26300,
"required" : true,
"type" : "boolean"
},
"responseTypes" : {
"title" : "Response Types",
"description" : "Response types this client will support and use.",
"propertyOrder" : 23800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"descriptions" : {
"title" : "Display description",
"description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
"propertyOrder" : 23600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"name" : {
"title" : "Display name",
"description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
"propertyOrder" : 23500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"contacts" : {
"title" : "Contacts",
"description" : "Email addresses of users who can administrate this client.",
"propertyOrder" : 23900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"requestUris" : {
"title" : "Request uris",
"description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters. Otherwise the value will be ignored.",
"propertyOrder" : 23700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sectorIdentifierUri" : {
"title" : "Sector Identifier URI",
"description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
"propertyOrder" : 24300,
"required" : false,
"type" : "string"
},
"isConsentImplied" : {
"title" : "Implied consent",
"description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
"propertyOrder" : 26200,
"required" : true,
"type" : "boolean"
},
"updateAccessToken" : {
"title" : "Access Token",
"description" : "The access token used to update the client.",
"propertyOrder" : 25100,
"required" : false,
"type" : "string"
}
}
},
"coreOpenIDClientConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 2,
"properties" : {
"claims" : {
"title" : "Claim(s)",
"description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
"propertyOrder" : 23400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientSessionUri" : {
"title" : "Client Session URI",
"description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message.",
"propertyOrder" : 25200,
"required" : false,
"type" : "string"
},
"defaultAcrValues" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 25650,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultMaxAgeEnabled" : {
"title" : "Default Max Age Enabled",
"description" : "Whether or not the default max age is enforced.",
"propertyOrder" : 25600,
"required" : true,
"type" : "boolean"
},
"postLogoutRedirectUri" : {
"title" : "Post Logout Redirect URIs",
"description" : "URIs that can be redirected to after the client logout process.",
"propertyOrder" : 25000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultMaxAge" : {
"title" : "Default Max Age",
"description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
"propertyOrder" : 25500,
"required" : true,
"type" : "integer"
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, the JWT Token Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 26100,
"required" : true,
"type" : "integer"
}
}
},
"coreOAuth2ClientConfig" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, the Access Token Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 26000,
"required" : true,
"type" : "integer"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"redirectionUris" : {
"title" : "Redirection URIs",
"description" : "Redirection URIs (optional for confidential clients). Complete URIs, or URIs consisting of protocol + authority + path, are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"scopes" : {
"title" : "Scope(s)",
"description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users having undefined locales, e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to any user, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authorizationCodeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, the Authorization Code Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 25800,
"required" : true,
"type" : "integer"
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
"propertyOrder" : 25900,
"required" : true,
"type" : "integer"
},
"clientName" : {
"title" : "Client Name",
"description" : "This value is a readable name for this client.",
"propertyOrder" : 25300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientType" : {
"title" : "Client type",
"description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
"propertyOrder" : 23100,
"required" : true,
"type" : "string"
},
"defaultScopes" : {
"title" : "Default Scope(s)",
"description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users having undefined locales, e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to any user, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"coreUmaClientConfig" : {
"type" : "object",
"title" : "UMA",
"propertyOrder" : 4,
"properties" : {
"claimsRedirectionUris" : {
"title" : "Claims Redirection URIs",
"description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
/realm-config/agents/groups/OAuth2Client/{id}
1.0
Agent Groups handler that is responsible for managing agent groups
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"signEncOAuth2ClientConfig" : {
"type" : "object",
"title" : "Signing and Encryption",
"propertyOrder" : 3,
"properties" : {
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum time the JWKS URI content is cached.",
"propertyOrder" : 24120,
"required" : true,
"type" : "integer"
},
"requestParameterSignedAlg" : {
"title" : "Request parameter signing algorithm",
"description" : "JWS algorithm for signing the request parameter.",
"propertyOrder" : 27500,
"required" : false,
"type" : "string"
},
"userinfoResponseFormat" : {
"title" : "User info response format.",
"description" : "The user info endpoint offers different output formats. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
"propertyOrder" : 27100,
"required" : true,
"type" : "string"
},
"idTokenEncryptionMethod" : {
"title" : "ID Token Encryption Method",
"description" : "Encryption method the ID Token for this client must be encrypted with.",
"propertyOrder" : 24800,
"required" : true,
"type" : "string"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the client's public keys.",
"propertyOrder" : 24200,
"required" : false,
"type" : "string"
},
"requestParameterEncryptedAlg" : {
"title" : "Request parameter encryption algorithm",
"description" : "JWE algorithm for encrypting the request parameter.",
"propertyOrder" : 27600,
"required" : false,
"type" : "string"
},
"userinfoEncryptedResponseEncryptionAlgorithm" : {
"title" : "User info encrypted response encryption algorithm",
"description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27400,
"required" : true,
"type" : "string"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
"propertyOrder" : 25700,
"required" : true,
"type" : "string"
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 24110,
"required" : true,
"type" : "integer"
},
"userinfoEncryptedResponseAlg" : {
"title" : "User info encrypted response algorithm",
"description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
"propertyOrder" : 27300,
"required" : false,
"type" : "string"
},
"userinfoSignedResponseAlg" : {
"title" : "User info signed response algorithm",
"description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
"propertyOrder" : 27200,
"required" : false,
"type" : "string"
},
"idTokenPublicEncryptionKey" : {
"title" : "Client ID Token Public Encryption Key",
"description" : "A Base64 encoded public key for encrypting ID Tokens.",
"propertyOrder" : 24900,
"required" : false,
"type" : "string"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The uri that contains the client's public keys in Json Web Key format.",
"propertyOrder" : 24100,
"required" : true,
"type" : "string"
},
"requestParameterEncryptedEncryptionAlgorithm" : {
"title" : "Request parameter encryption method",
"description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27700,
"required" : true,
"type" : "string"
},
"clientJwtPublicKey" : {
"title" : "Client JWT Bearer Public Key",
"description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
"propertyOrder" : 25400,
"required" : false,
"type" : "string"
},
"tokenEndpointAuthSigningAlgorithm" : {
"title" : "Token Endpoint Authentication Signing Algorithm",
"description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected if the JWT is not signed with this algorithm.",
"propertyOrder" : 24130,
"required" : true,
"type" : "string"
},
"idTokenEncryptionAlgorithm" : {
"title" : "ID Token Encryption Algorithm",
"description" : "Algorithm the ID Token for this client must be encrypted with.",
"propertyOrder" : 24700,
"required" : true,
"type" : "string"
},
"idTokenSignedResponseAlg" : {
"title" : "ID Token Signing Algorithm",
"description" : "Algorithm the ID Token for this client must be signed with.",
"propertyOrder" : 24500,
"required" : true,
"type" : "string"
},
"idTokenEncryptionEnabled" : {
"title" : "Enable ID Token Encryption",
"description" : "Select to enable ID token encryption.",
"propertyOrder" : 24600,
"required" : true,
"type" : "boolean"
}
}
},
"advancedOAuth2ClientConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"subjectType" : {
"title" : "Subject Type",
"description" : "The subject type added to responses for this client.",
"propertyOrder" : 24400,
"required" : true,
"type" : "string"
},
"tokenEndpointAuthMethod" : {
"title" : "Token Endpoint Authentication Method",
"description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
"propertyOrder" : 24000,
"required" : true,
"type" : "string"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
"propertyOrder" : 26300,
"required" : true,
"type" : "boolean"
},
"responseTypes" : {
"title" : "Response Types",
"description" : "Response types this client will support and use.",
"propertyOrder" : 23800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"descriptions" : {
"title" : "Display description",
"description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
"propertyOrder" : 23600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"name" : {
"title" : "Display name",
"description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
"propertyOrder" : 23500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"contacts" : {
"title" : "Contacts",
"description" : "Email addresses of users who can administrate this client.",
"propertyOrder" : 23900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"requestUris" : {
"title" : "Request uris",
"description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters. Otherwise the value will be ignored.",
"propertyOrder" : 23700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sectorIdentifierUri" : {
"title" : "Sector Identifier URI",
"description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
"propertyOrder" : 24300,
"required" : false,
"type" : "string"
},
"isConsentImplied" : {
"title" : "Implied consent",
"description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
"propertyOrder" : 26200,
"required" : true,
"type" : "boolean"
},
"updateAccessToken" : {
"title" : "Access Token",
"description" : "The access token used to update the client.",
"propertyOrder" : 25100,
"required" : false,
"type" : "string"
}
}
},
"coreOpenIDClientConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 2,
"properties" : {
"claims" : {
"title" : "Claim(s)",
"description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users having undefined locales, e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to any user, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
"propertyOrder" : 23400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientSessionUri" : {
"title" : "Client Session URI",
"description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message.",
"propertyOrder" : 25200,
"required" : false,
"type" : "string"
},
"defaultAcrValues" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 25650,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultMaxAgeEnabled" : {
"title" : "Default Max Age Enabled",
"description" : "Whether or not the default max age is enforced.",
"propertyOrder" : 25600,
"required" : true,
"type" : "boolean"
},
"postLogoutRedirectUri" : {
"title" : "Post Logout Redirect URIs",
"description" : "URIs that can be redirected to after the client logout process.",
"propertyOrder" : 25000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultMaxAge" : {
"title" : "Default Max Age",
"description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
"propertyOrder" : 25500,
"required" : true,
"type" : "integer"
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, the JWT Token Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 26100,
"required" : true,
"type" : "integer"
}
}
},
"coreOAuth2ClientConfig" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, the Access Token Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 26000,
"required" : true,
"type" : "integer"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"redirectionUris" : {
"title" : "Redirection URIs",
"description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"scopes" : {
"title" : "Scope(s)",
"description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users having undefined locales, e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to any user, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authorizationCodeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, the Authorization Code Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 25800,
"required" : true,
"type" : "integer"
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
"propertyOrder" : 25900,
"required" : true,
"type" : "integer"
},
"clientName" : {
"title" : "Client Name",
"description" : "This value is a readable name for this client.",
"propertyOrder" : 25300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientType" : {
"title" : "Client type",
"description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
"propertyOrder" : 23100,
"required" : true,
"type" : "string"
},
"defaultScopes" : {
"title" : "Default Scope(s)",
"description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users having undefined locales, e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to any user, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"coreUmaClientConfig" : {
"type" : "object",
"title" : "UMA",
"propertyOrder" : 4,
"properties" : {
"claimsRedirectionUris" : {
"title" : "Claims Redirection URIs",
"description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"signEncOAuth2ClientConfig" : {
"type" : "object",
"title" : "Signing and Encryption",
"propertyOrder" : 3,
"properties" : {
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum time the JWKS URI content is cached.",
"propertyOrder" : 24120,
"required" : true,
"type" : "integer"
},
"requestParameterSignedAlg" : {
"title" : "Request parameter signing algorithm",
"description" : "JWS algorithm for signing the request parameter.",
"propertyOrder" : 27500,
"required" : false,
"type" : "string"
},
"userinfoResponseFormat" : {
"title" : "User info response format.",
"description" : "The user info endpoint offers different output formats. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
"propertyOrder" : 27100,
"required" : true,
"type" : "string"
},
"idTokenEncryptionMethod" : {
"title" : "ID Token Encryption Method",
"description" : "Encryption method the ID Token for this client must be encrypted with.",
"propertyOrder" : 24800,
"required" : true,
"type" : "string"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the client's public keys.",
"propertyOrder" : 24200,
"required" : false,
"type" : "string"
},
"requestParameterEncryptedAlg" : {
"title" : "Request parameter encryption algorithm",
"description" : "JWE algorithm for encrypting the request parameter.",
"propertyOrder" : 27600,
"required" : false,
"type" : "string"
},
"userinfoEncryptedResponseEncryptionAlgorithm" : {
"title" : "User info encrypted response encryption algorithm",
"description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27400,
"required" : true,
"type" : "string"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
"propertyOrder" : 25700,
"required" : true,
"type" : "string"
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 24110,
"required" : true,
"type" : "integer"
},
"userinfoEncryptedResponseAlg" : {
"title" : "User info encrypted response algorithm",
"description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
"propertyOrder" : 27300,
"required" : false,
"type" : "string"
},
"userinfoSignedResponseAlg" : {
"title" : "User info signed response algorithm",
"description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
"propertyOrder" : 27200,
"required" : false,
"type" : "string"
},
"idTokenPublicEncryptionKey" : {
"title" : "Client ID Token Public Encryption Key",
"description" : "A Base64 encoded public key for encrypting ID Tokens.",
"propertyOrder" : 24900,
"required" : false,
"type" : "string"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The uri that contains the client's public keys in Json Web Key format.",
"propertyOrder" : 24100,
"required" : true,
"type" : "string"
},
"requestParameterEncryptedEncryptionAlgorithm" : {
"title" : "Request parameter encryption method",
"description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27700,
"required" : true,
"type" : "string"
},
"clientJwtPublicKey" : {
"title" : "Client JWT Bearer Public Key",
"description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
"propertyOrder" : 25400,
"required" : false,
"type" : "string"
},
"tokenEndpointAuthSigningAlgorithm" : {
"title" : "Token Endpoint Authentication Signing Algorithm",
"description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected if the JWT is not signed with this algorithm.",
"propertyOrder" : 24130,
"required" : true,
"type" : "string"
},
"idTokenEncryptionAlgorithm" : {
"title" : "ID Token Encryption Algorithm",
"description" : "Algorithm the ID Token for this client must be encrypted with.",
"propertyOrder" : 24700,
"required" : true,
"type" : "string"
},
"idTokenSignedResponseAlg" : {
"title" : "ID Token Signing Algorithm",
"description" : "Algorithm the ID Token for this client must be signed with.",
"propertyOrder" : 24500,
"required" : true,
"type" : "string"
},
"idTokenEncryptionEnabled" : {
"title" : "Enable ID Token Encryption",
"description" : "Select to enable ID token encryption.",
"propertyOrder" : 24600,
"required" : true,
"type" : "boolean"
}
}
},
"advancedOAuth2ClientConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"subjectType" : {
"title" : "Subject Type",
"description" : "The subject type added to responses for this client.",
"propertyOrder" : 24400,
"required" : true,
"type" : "string"
},
"tokenEndpointAuthMethod" : {
"title" : "Token Endpoint Authentication Method",
"description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
"propertyOrder" : 24000,
"required" : true,
"type" : "string"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
"propertyOrder" : 26300,
"required" : true,
"type" : "boolean"
},
"responseTypes" : {
"title" : "Response Types",
"description" : "Response types this client will support and use.",
"propertyOrder" : 23800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"descriptions" : {
"title" : "Display description",
"description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
"propertyOrder" : 23600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"name" : {
"title" : "Display name",
"description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
"propertyOrder" : 23500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"contacts" : {
"title" : "Contacts",
"description" : "Email addresses of users who can administrate this client.",
"propertyOrder" : 23900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"requestUris" : {
"title" : "Request uris",
"description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters. Otherwise the value will be ignored.",
"propertyOrder" : 23700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sectorIdentifierUri" : {
"title" : "Sector Identifier URI",
"description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
"propertyOrder" : 24300,
"required" : false,
"type" : "string"
},
"isConsentImplied" : {
"title" : "Implied consent",
"description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
"propertyOrder" : 26200,
"required" : true,
"type" : "boolean"
},
"updateAccessToken" : {
"title" : "Access Token",
"description" : "The access token used to update the client.",
"propertyOrder" : 25100,
"required" : false,
"type" : "string"
}
}
},
"coreOpenIDClientConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 2,
"properties" : {
"claims" : {
"title" : "Claim(s)",
"description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
"propertyOrder" : 23400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientSessionUri" : {
"title" : "Client Session URI",
"description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message.",
"propertyOrder" : 25200,
"required" : false,
"type" : "string"
},
"defaultAcrValues" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 25650,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultMaxAgeEnabled" : {
"title" : "Default Max Age Enabled",
"description" : "Whether or not the default max age is enforced.",
"propertyOrder" : 25600,
"required" : true,
"type" : "boolean"
},
"postLogoutRedirectUri" : {
"title" : "Post Logout Redirect URIs",
"description" : "URIs that can be redirected to after the client logout process.",
"propertyOrder" : 25000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultMaxAge" : {
"title" : "Default Max Age",
"description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
"propertyOrder" : 25500,
"required" : true,
"type" : "integer"
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, the JWT Token Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 26100,
"required" : true,
"type" : "integer"
}
}
},
"coreOAuth2ClientConfig" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, the Access Token Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 26000,
"required" : true,
"type" : "integer"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"redirectionUris" : {
"title" : "Redirection URIs",
"description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"scopes" : {
"title" : "Scope(s)",
"description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authorizationCodeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, the Authorization Code Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 25800,
"required" : true,
"type" : "integer"
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
"propertyOrder" : 25900,
"required" : true,
"type" : "integer"
},
"clientName" : {
"title" : "Client Name",
"description" : "This value is a readable name for this client.",
"propertyOrder" : 25300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientType" : {
"title" : "Client type",
"description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
"propertyOrder" : 23100,
"required" : true,
"type" : "string"
},
"defaultScopes" : {
"title" : "Default Scope(s)",
"description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"coreUmaClientConfig" : {
"type" : "object",
"title" : "UMA",
"propertyOrder" : 4,
"properties" : {
"claimsRedirectionUris" : {
"title" : "Claims Redirection URIs",
"description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"signEncOAuth2ClientConfig" : {
"type" : "object",
"title" : "Signing and Encryption",
"propertyOrder" : 3,
"properties" : {
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the JWKS content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum time the JWKS URI content is cached.",
"propertyOrder" : 24120,
"required" : true,
"type" : "integer"
},
"requestParameterSignedAlg" : {
"title" : "Request parameter signing algorithm",
"description" : "JWS algorithm for signing the request parameter.",
"propertyOrder" : 27500,
"required" : false,
"type" : "string"
},
"userinfoResponseFormat" : {
"title" : "User info response format.",
"description" : "The user info endpoint offers different output formats. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
"propertyOrder" : 27100,
"required" : true,
"type" : "string"
},
"idTokenEncryptionMethod" : {
"title" : "ID Token Encryption Method",
"description" : "Encryption method the ID Token for this client must be encrypted with.",
"propertyOrder" : 24800,
"required" : true,
"type" : "string"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the client's public keys.",
"propertyOrder" : 24200,
"required" : false,
"type" : "string"
},
"requestParameterEncryptedAlg" : {
"title" : "Request parameter encryption algorithm",
"description" : "JWE algorithm for encrypting the request parameter.",
"propertyOrder" : 27600,
"required" : false,
"type" : "string"
},
"userinfoEncryptedResponseEncryptionAlgorithm" : {
"title" : "User info encrypted response encryption algorithm",
"description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27400,
"required" : true,
"type" : "string"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
"propertyOrder" : 25700,
"required" : true,
"type" : "string"
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 24110,
"required" : true,
"type" : "integer"
},
"userinfoEncryptedResponseAlg" : {
"title" : "User info encrypted response algorithm",
"description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
"propertyOrder" : 27300,
"required" : false,
"type" : "string"
},
"userinfoSignedResponseAlg" : {
"title" : "User info signed response algorithm",
"description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
"propertyOrder" : 27200,
"required" : false,
"type" : "string"
},
"idTokenPublicEncryptionKey" : {
"title" : "Client ID Token Public Encryption Key",
"description" : "A Base64 encoded public key for encrypting ID Tokens.",
"propertyOrder" : 24900,
"required" : false,
"type" : "string"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The uri that contains the client's public keys in Json Web Key format.",
"propertyOrder" : 24100,
"required" : true,
"type" : "string"
},
"requestParameterEncryptedEncryptionAlgorithm" : {
"title" : "Request parameter encryption method",
"description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27700,
"required" : true,
"type" : "string"
},
"clientJwtPublicKey" : {
"title" : "Client JWT Bearer Public Key",
"description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
"propertyOrder" : 25400,
"required" : false,
"type" : "string"
},
"tokenEndpointAuthSigningAlgorithm" : {
"title" : "Token Endpoint Authentication Signing Algorithm",
"description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected, if the JWT is not signed with this algorithm.",
"propertyOrder" : 24130,
"required" : true,
"type" : "string"
},
"idTokenEncryptionAlgorithm" : {
"title" : "ID Token Encryption Algorithm",
"description" : "Algorithm the ID Token for this client must be encrypted with.",
"propertyOrder" : 24700,
"required" : true,
"type" : "string"
},
"idTokenSignedResponseAlg" : {
"title" : "ID Token Signing Algorithm",
"description" : "Algorithm the ID Token for this client must be signed with.",
"propertyOrder" : 24500,
"required" : true,
"type" : "string"
},
"idTokenEncryptionEnabled" : {
"title" : "Enable ID Token Encryption",
"description" : "Select to enable ID token encryption.",
"propertyOrder" : 24600,
"required" : true,
"type" : "boolean"
}
}
},
"advancedOAuth2ClientConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"subjectType" : {
"title" : "Subject Type",
"description" : "The subject type added to responses for this client.",
"propertyOrder" : 24400,
"required" : true,
"type" : "string"
},
"tokenEndpointAuthMethod" : {
"title" : "Token Endpoint Authentication Method",
"description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
"propertyOrder" : 24000,
"required" : true,
"type" : "string"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
"propertyOrder" : 26300,
"required" : true,
"type" : "boolean"
},
"responseTypes" : {
"title" : "Response Types",
"description" : "Response types this client will support and use.",
"propertyOrder" : 23800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"descriptions" : {
"title" : "Display description",
"description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
"propertyOrder" : 23600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"name" : {
"title" : "Display name",
"description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
"propertyOrder" : 23500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"contacts" : {
"title" : "Contacts",
"description" : "Email addresses of users who can administrate this client.",
"propertyOrder" : 23900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"requestUris" : {
"title" : "Request uris",
"description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters. Otherwise the value will be ignored.",
"propertyOrder" : 23700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sectorIdentifierUri" : {
"title" : "Sector Identifier URI",
"description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
"propertyOrder" : 24300,
"required" : false,
"type" : "string"
},
"isConsentImplied" : {
"title" : "Implied consent",
"description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
"propertyOrder" : 26200,
"required" : true,
"type" : "boolean"
},
"updateAccessToken" : {
"title" : "Access Token",
"description" : "The access token used to update the client.",
"propertyOrder" : 25100,
"required" : false,
"type" : "string"
}
}
},
"coreOpenIDClientConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 2,
"properties" : {
"claims" : {
"title" : "Claim(s)",
"description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
"propertyOrder" : 23400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientSessionUri" : {
"title" : "Client Session URI",
"description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message.",
"propertyOrder" : 25200,
"required" : false,
"type" : "string"
},
"defaultAcrValues" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 25650,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultMaxAgeEnabled" : {
"title" : "Default Max Age Enabled",
"description" : "Whether or not the default max age is enforced.",
"propertyOrder" : 25600,
"required" : true,
"type" : "boolean"
},
"postLogoutRedirectUri" : {
"title" : "Post Logout Redirect URIs",
"description" : "URIs that can be redirected to after the client logout process.",
"propertyOrder" : 25000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultMaxAge" : {
"title" : "Default Max Age",
"description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
"propertyOrder" : 25500,
"required" : true,
"type" : "integer"
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, the JWT Token Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 26100,
"required" : true,
"type" : "integer"
}
}
},
"coreOAuth2ClientConfig" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, the Access Token Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 26000,
"required" : true,
"type" : "integer"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"redirectionUris" : {
"title" : "Redirection URIs",
"description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"scopes" : {
"title" : "Scope(s)",
"description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authorizationCodeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, the Authorization Code Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 25800,
"required" : true,
"type" : "integer"
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
"propertyOrder" : 25900,
"required" : true,
"type" : "integer"
},
"clientName" : {
"title" : "Client Name",
"description" : "This value is a readable name for this client.",
"propertyOrder" : 25300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientType" : {
"title" : "Client type",
"description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
"propertyOrder" : 23100,
"required" : true,
"type" : "string"
},
"defaultScopes" : {
"title" : "Default Scope(s)",
"description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users having undefined locales. e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"coreUmaClientConfig" : {
"type" : "object",
"title" : "UMA",
"propertyOrder" : 4,
"properties" : {
"claimsRedirectionUris" : {
"title" : "Claims Redirection URIs",
"description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"signEncOAuth2ClientConfig" : {
"type" : "object",
"title" : "Signing and Encryption",
"propertyOrder" : 3,
"properties" : {
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every token signature verification, especially when the kid is not in the JWKS content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum time the JWKS URI content is cached.",
"propertyOrder" : 24120,
"required" : true,
"type" : "integer"
},
"requestParameterSignedAlg" : {
"title" : "Request parameter signing algorithm",
"description" : "JWS algorithm for signing the request parameter.",
"propertyOrder" : 27500,
"required" : false,
"type" : "string"
},
"userinfoResponseFormat" : {
"title" : "User info response format.",
"description" : "The user info endpoint offers different output formats. See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse",
"propertyOrder" : 27100,
"required" : true,
"type" : "string"
},
"idTokenEncryptionMethod" : {
"title" : "ID Token Encryption Method",
"description" : "Encryption method the ID Token for this client must be encrypted with.",
"propertyOrder" : 24800,
"required" : true,
"type" : "string"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the client's public keys.",
"propertyOrder" : 24200,
"required" : false,
"type" : "string"
},
"requestParameterEncryptedAlg" : {
"title" : "Request parameter encryption algorithm",
"description" : "JWE algorithm for encrypting the request parameter.",
"propertyOrder" : 27600,
"required" : false,
"type" : "string"
},
"userinfoEncryptedResponseEncryptionAlgorithm" : {
"title" : "User info encrypted response encryption algorithm",
"description" : "JWE enc algorithm for encrypting UserInfo Responses. If userinfo encrypted response algorithm is specified, the default for this value is A128CBC-HS256. When user info encrypted response encryption is included, user info encrypted response algorithm MUST also be provided.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27400,
"required" : true,
"type" : "string"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select the public key for this client to come from either the jwks_uri, manual jwks or X509 field.",
"propertyOrder" : 25700,
"required" : true,
"type" : "string"
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every token encryption, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 24110,
"required" : true,
"type" : "integer"
},
"userinfoEncryptedResponseAlg" : {
"title" : "User info encrypted response algorithm",
"description" : "JWE algorithm for encrypting UserInfo Responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.",
"propertyOrder" : 27300,
"required" : false,
"type" : "string"
},
"userinfoSignedResponseAlg" : {
"title" : "User info signed response algorithm",
"description" : "JWS algorithm for signing UserInfo Responses. If this is specified, the response will be <a href=\"https://tools.ietf.org/html/rfc7519\">JWT</a> serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.",
"propertyOrder" : 27200,
"required" : false,
"type" : "string"
},
"idTokenPublicEncryptionKey" : {
"title" : "Client ID Token Public Encryption Key",
"description" : "A Base64 encoded public key for encrypting ID Tokens.",
"propertyOrder" : 24900,
"required" : false,
"type" : "string"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The uri that contains the client's public keys in Json Web Key format.",
"propertyOrder" : 24100,
"required" : true,
"type" : "string"
},
"requestParameterEncryptedEncryptionAlgorithm" : {
"title" : "Request parameter encryption method",
"description" : "JWE enc algorithm for encrypting the request parameter.<br><br>AM supports the following token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 27700,
"required" : true,
"type" : "string"
},
"clientJwtPublicKey" : {
"title" : "Client JWT Bearer Public Key",
"description" : "A Base64 encoded X509 certificate, containing the public key, represented as a UTF-8 PEM file, of the key pair for signing the Client Bearer JWT.",
"propertyOrder" : 25400,
"required" : false,
"type" : "string"
},
"tokenEndpointAuthSigningAlgorithm" : {
"title" : "Token Endpoint Authentication Signing Algorithm",
"description" : "The JWS algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. All Token Requests using these authentication methods from this Client MUST be rejected if the JWT is not signed with this algorithm.",
"propertyOrder" : 24130,
"required" : true,
"type" : "string"
},
"idTokenEncryptionAlgorithm" : {
"title" : "ID Token Encryption Algorithm",
"description" : "Algorithm the ID Token for this client must be encrypted with.",
"propertyOrder" : 24700,
"required" : true,
"type" : "string"
},
"idTokenSignedResponseAlg" : {
"title" : "ID Token Signing Algorithm",
"description" : "Algorithm the ID Token for this client must be signed with.",
"propertyOrder" : 24500,
"required" : true,
"type" : "string"
},
"idTokenEncryptionEnabled" : {
"title" : "Enable ID Token Encryption",
"description" : "Select to enable ID token encryption.",
"propertyOrder" : 24600,
"required" : true,
"type" : "boolean"
}
}
},
"advancedOAuth2ClientConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"subjectType" : {
"title" : "Subject Type",
"description" : "The subject type added to responses for this client.",
"propertyOrder" : 24400,
"required" : true,
"type" : "string"
},
"tokenEndpointAuthMethod" : {
"title" : "Token Endpoint Authentication Method",
"description" : "The authentication method with which a client authenticates to the authorization server at the token endpoint. The authentication method applies to OIDC requests with the openid scope.",
"propertyOrder" : 24000,
"required" : true,
"type" : "string"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation on the authorization server side.<br><br>Enable this setting only if this OAuth 2.0 client supports the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise AM will fail to validate access token requests received from this client.",
"propertyOrder" : 26300,
"required" : true,
"type" : "boolean"
},
"responseTypes" : {
"title" : "Response Types",
"description" : "Response types this client will support and use.",
"propertyOrder" : 23800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"descriptions" : {
"title" : "Display description",
"description" : "A description of the client or other information that may be relevant to the resource owner when considering approval.<br><br>The description may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The company intranet is requesting the following access permission\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the description is displayed to all users having undefined locales. e.g. \"The company intranet is requesting the following access permission\".",
"propertyOrder" : 23600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"name" : {
"title" : "Display name",
"description" : "A client name that may be relevant to the resource owner when considering approval.<br><br>The name may be entered as a single string or as pipe separated strings for locale and localized name; e.g. \"en|The ExampleCo Intranet\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale is omitted, the name is displayed to all users having undefined locales. e.g. \"The ExampleCo Intranet\".",
"propertyOrder" : 23500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"contacts" : {
"title" : "Contacts",
"description" : "Email addresses of users who can administrate this client.",
"propertyOrder" : 23900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"requestUris" : {
"title" : "Request uris",
"description" : "Array of request_uri values that are pre-registered by the RP for use at the OP.<br><br>The entire Request URI MUST NOT exceed 512 ASCII characters. Otherwise the value will be ignored.",
"propertyOrder" : 23700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sectorIdentifierUri" : {
"title" : "Sector Identifier URI",
"description" : "The Host component of this URL is used in the computation of pairwise Subject Identifiers.",
"propertyOrder" : 24300,
"required" : false,
"type" : "string"
},
"isConsentImplied" : {
"title" : "Implied consent",
"description" : "When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must be configured to allow clients to skip consent.",
"propertyOrder" : 26200,
"required" : true,
"type" : "boolean"
},
"updateAccessToken" : {
"title" : "Access Token",
"description" : "The access token used to update the client.",
"propertyOrder" : 25100,
"required" : false,
"type" : "string"
}
}
},
"coreOpenIDClientConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 2,
"properties" : {
"claims" : {
"title" : "Claim(s)",
"description" : "List of claim name translations, which will override those specified for the AS. Claims are values that are presented to the user to inform them what data is being made available to the Client.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description; e.g. \"name|en|Your full name\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users having undefined locales, e.g. \"name|Your full name\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"name|\" would allow the claim \"name\" to be used by the client, but would not display it to the user when it was requested.<p>If a value is not given here, the value will be computed from the OAuth 2 Provider settings.</p>",
"propertyOrder" : 23400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientSessionUri" : {
"title" : "Client Session URI",
"description" : "This is the URI that will be used to check messages sent to the session management endpoints. This URI must match the origin of the message.",
"propertyOrder" : 25200,
"required" : false,
"type" : "string"
},
"defaultAcrValues" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 25650,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultMaxAgeEnabled" : {
"title" : "Default Max Age Enabled",
"description" : "Whether or not the default max age is enforced.",
"propertyOrder" : 25600,
"required" : true,
"type" : "boolean"
},
"postLogoutRedirectUri" : {
"title" : "Post Logout Redirect URIs",
"description" : "URIs that can be redirected to after the client logout process.",
"propertyOrder" : 25000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultMaxAge" : {
"title" : "Default Max Age",
"description" : "Minimum value 1. Sets the maximum length of time in seconds a session may be active after the authorization service has succeeded before the user must actively re-authenticate.",
"propertyOrder" : 25500,
"required" : true,
"type" : "integer"
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The time in seconds a JWT is valid for. <i>NB</i> If this field is set to zero, the JWT Token Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 26100,
"required" : true,
"type" : "integer"
}
}
},
"coreOAuth2ClientConfig" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time in seconds an access token is valid for. <i>NB</i> If this field is set to zero, the Access Token Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 26000,
"required" : true,
"type" : "integer"
},
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"redirectionUris" : {
"title" : "Redirection URIs",
"description" : "Redirection URIs (optional for confidential clients). Complete URIs or URIs consisting of protocol + authority + path are registered so that the OAuth 2.0 provider can trust that tokens are sent to trusted entities. If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"scopes" : {
"title" : "Scope(s)",
"description" : "Scope(s). Scopes are strings that are presented to the user for approval and included in tokens so that the protected resource may make decisions about what to give access to.<br><br>Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users having undefined locales, e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authorizationCodeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time in seconds an authorization code is valid for. <i>NB</i> If this field is set to zero, the Authorization Code Lifetime of the OAuth2 Provider is used instead.",
"propertyOrder" : 25800,
"required" : true,
"type" : "integer"
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. <i>NB</i> If this field is set to zero, Refresh Token Lifetime of the OAuth2 Provider is used instead. If this field is set to -1, the token will never expire.",
"propertyOrder" : 25900,
"required" : true,
"type" : "integer"
},
"clientName" : {
"title" : "Client Name",
"description" : "This value is a readable name for this client.",
"propertyOrder" : 25300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientType" : {
"title" : "Client type",
"description" : "Type of OAuth 2.0 client. Confidential clients can keep their password secret, and are typically web apps or other server-based clients. Public clients run the risk of exposing their password to a host or user agent, such as rich browser applications or desktop clients.",
"propertyOrder" : 23100,
"required" : true,
"type" : "string"
},
"defaultScopes" : {
"title" : "Default Scope(s)",
"description" : "Default Scope(s). Scopes automatically given to tokens.<br><br>Default Scopes may be entered as simple strings or pipe separated strings representing the internal scope name, locale, and localized description; e.g. \"read|en|Permission to view email messages in your account\". Locale strings are in the format <code>language + \"_\" + country + \"_\" + variant</code>, e.g. en, en_GB, en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users having undefined locales, e.g. \"read|Permission to view email messages in your account\". <i>NB</i> If the description is also omitted, nothing is displayed to all users, e.g. specifying \"read|\" would allow the scope \"read\" to be used by the client, but would not display it to the user when it was requested.",
"propertyOrder" : 23700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"coreUmaClientConfig" : {
"type" : "object",
"title" : "UMA",
"propertyOrder" : 4,
"properties" : {
"claimsRedirectionUris" : {
"title" : "Claims Redirection URIs",
"description" : "Redirection URIs for returning to the client from UMA claims collection (not yet supported). If multiple URIs are registered, the client MUST specify the URI that the user should be redirected to following approval. May not contain a fragment (#).",
"propertyOrder" : 23200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
/realm-config/agents/groups/RemoteConsentAgent
1.0
Agent Groups handler that is responsible for managing agent groups
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agent groups of a specific type
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"requestTimeLimit" : {
"title" : "Consent Request Time Limit",
"description" : "The amount of seconds for which the consent request JWT sent to the Remote Consent Service should be considered valid.",
"propertyOrder" : 35200,
"required" : false,
"type" : "integer"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"required" : true,
"type" : "integer"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI containing the public keys of the Remote Consent Service secret. The public keys are in the Json Web Key (jwk) format.",
"propertyOrder" : 34800,
"required" : true,
"type" : "string"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Remote Consent Service's public keys.",
"propertyOrder" : 35100,
"required" : false,
"type" : "string"
},
"remoteConsentRedirectUrl" : {
"title" : "Redirect URL",
"description" : "The Remote Consent Service's URL to which the authorization server should redirect the user in order to obtain their consent.",
"propertyOrder" : 34000,
"required" : false,
"type" : "string"
},
"remoteConsentResponseSigningAlg" : {
"title" : "Consent response signing algorithm",
"description" : "The signing algorithm to be used by the provider when verifying the signature of the consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34400,
"required" : false,
"type" : "string"
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"required" : true,
"type" : "integer"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"propertyOrder" : 34700,
"required" : true,
"type" : "string"
},
"remoteConsentResponseEncryptionMethod" : {
"title" : "Consent response encryption method",
"description" : "The encryption method to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.<br><br>AM supports the following token encryption algorithms: <ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 34600,
"required" : true,
"type" : "string"
},
"remoteConsentResponseEncryptionAlgorithm" : {
"title" : "Consent response encryption algorithm",
"description" : "The encryption algorithm to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34500,
"required" : false,
"type" : "string"
},
"remoteConsentRequestEncryptionAlgorithm" : {
"title" : "Consent request Encryption Algorithm",
"description" : "Encryption algorithm to be used when encrypting the consent request JWT.",
"propertyOrder" : 34200,
"required" : true,
"type" : "string"
},
"remoteConsentRequestEncryptionEnabled" : {
"title" : "Enable consent request Encryption",
"description" : "Enables encryption of the consent request JWT.",
"propertyOrder" : 34100,
"required" : true,
"type" : "boolean"
},
"remoteConsentRequestSigningAlgorithm" : {
"title" : "Consent request Signing Algorithm",
"description" : "Signing algorithm to be used when signing the consent request JWT.",
"propertyOrder" : 34500,
"required" : true,
"type" : "string"
},
"remoteConsentRequestEncryptionMethod" : {
"title" : "Consent request Encryption Method",
"description" : "Encryption method to be used when encrypting the consent request JWT.",
"propertyOrder" : 34300,
"required" : true,
"type" : "string"
}
}
}
/realm-config/agents/groups/RemoteConsentAgent/{id}
1.0
Agent Groups handler that is responsible for managing agent groups
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"requestTimeLimit" : {
"title" : "Consent Request Time Limit",
"description" : "The amount of seconds for which the consent request JWT sent to the Remote Consent Service should be considered valid.",
"propertyOrder" : 35200,
"required" : false,
"type" : "integer"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"required" : true,
"type" : "integer"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI containing the public keys of the Remote Consent Service secret. The public keys are in the Json Web Key (jwk) format.",
"propertyOrder" : 34800,
"required" : true,
"type" : "string"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Remote Consent Service's public keys.",
"propertyOrder" : 35100,
"required" : false,
"type" : "string"
},
"remoteConsentRedirectUrl" : {
"title" : "Redirect URL",
"description" : "The Remote Consent Service's URL to which the authorization server should redirect the user in order to obtain their consent.",
"propertyOrder" : 34000,
"required" : false,
"type" : "string"
},
"remoteConsentResponseSigningAlg" : {
"title" : "Consent response signing algorithm",
"description" : "The signing algorithm to be used by the provider when verifying the signature of the consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34400,
"required" : false,
"type" : "string"
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"required" : true,
"type" : "integer"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"propertyOrder" : 34700,
"required" : true,
"type" : "string"
},
"remoteConsentResponseEncryptionMethod" : {
"title" : "Consent response encryption method",
"description" : "The encryption method to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.<br><br>AM supports the following token encryption algorithms: <ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 34600,
"required" : true,
"type" : "string"
},
"remoteConsentResponseEncryptionAlgorithm" : {
"title" : "Consent response encryption algorithm",
"description" : "The encryption algorithm to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34500,
"required" : false,
"type" : "string"
},
"remoteConsentRequestEncryptionAlgorithm" : {
"title" : "Consent request Encryption Algorithm",
"description" : "Encryption algorithm to be used when encrypting the consent request JWT.",
"propertyOrder" : 34200,
"required" : true,
"type" : "string"
},
"remoteConsentRequestEncryptionEnabled" : {
"title" : "Enable consent request Encryption",
"description" : "Enables encryption of the consent request JWT.",
"propertyOrder" : 34100,
"required" : true,
"type" : "boolean"
},
"remoteConsentRequestSigningAlgorithm" : {
"title" : "Consent request Signing Algorithm",
"description" : "Signing algorithm to be used when signing the consent request JWT.",
"propertyOrder" : 34500,
"required" : true,
"type" : "string"
},
"remoteConsentRequestEncryptionMethod" : {
"title" : "Consent request Encryption Method",
"description" : "Encryption method to be used when encrypting the consent request JWT.",
"propertyOrder" : 34300,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"requestTimeLimit" : {
"title" : "Consent Request Time Limit",
"description" : "The amount of seconds for which the consent request JWT sent to the Remote Consent Service should be considered valid.",
"propertyOrder" : 35200,
"required" : false,
"type" : "integer"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"required" : true,
"type" : "integer"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI containing the public keys of the Remote Consent Service secret. The public keys are in the Json Web Key (jwk) format.",
"propertyOrder" : 34800,
"required" : true,
"type" : "string"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Remote Consent Service's public keys.",
"propertyOrder" : 35100,
"required" : false,
"type" : "string"
},
"remoteConsentRedirectUrl" : {
"title" : "Redirect URL",
"description" : "The Remote Consent Service's URL to which the authorization server should redirect the user in order to obtain their consent.",
"propertyOrder" : 34000,
"required" : false,
"type" : "string"
},
"remoteConsentResponseSigningAlg" : {
"title" : "Consent response signing algorithm",
"description" : "The signing algorithm to be used by the provider when verifying the signature of the consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34400,
"required" : false,
"type" : "string"
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"required" : true,
"type" : "integer"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"propertyOrder" : 34700,
"required" : true,
"type" : "string"
},
"remoteConsentResponseEncryptionMethod" : {
"title" : "Consent response encryption method",
"description" : "The encryption method to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.<br><br>AM supports the following token encryption algorithms: <ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 34600,
"required" : true,
"type" : "string"
},
"remoteConsentResponseEncryptionAlgorithm" : {
"title" : "Consent response encryption algorithm",
"description" : "The encryption algorithm to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34500,
"required" : false,
"type" : "string"
},
"remoteConsentRequestEncryptionAlgorithm" : {
"title" : "Consent request Encryption Algorithm",
"description" : "Encryption algorithm to be used when encrypting the consent request JWT.",
"propertyOrder" : 34200,
"required" : true,
"type" : "string"
},
"remoteConsentRequestEncryptionEnabled" : {
"title" : "Enable consent request Encryption",
"description" : "Enables encryption of the consent request JWT.",
"propertyOrder" : 34100,
"required" : true,
"type" : "boolean"
},
"remoteConsentRequestSigningAlgorithm" : {
"title" : "Consent request Signing Algorithm",
"description" : "Signing algorithm to be used when signing the consent request JWT.",
"propertyOrder" : 34500,
"required" : true,
"type" : "string"
},
"remoteConsentRequestEncryptionMethod" : {
"title" : "Consent request Encryption Method",
"description" : "Encryption method to be used when encrypting the consent request JWT.",
"propertyOrder" : 34300,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"requestTimeLimit" : {
"title" : "Consent Request Time Limit",
"description" : "The amount of seconds for which the consent request JWT sent to the Remote Consent Service should be considered valid.",
"propertyOrder" : 35200,
"required" : false,
"type" : "integer"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"required" : true,
"type" : "integer"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI containing the public keys of the Remote Consent Service secret. The public keys are in the Json Web Key (jwk) format.",
"propertyOrder" : 34800,
"required" : true,
"type" : "string"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Remote Consent Service's public keys.",
"propertyOrder" : 35100,
"required" : false,
"type" : "string"
},
"remoteConsentRedirectUrl" : {
"title" : "Redirect URL",
"description" : "The Remote Consent Service's URL to which the authorization server should redirect the user in order to obtain their consent.",
"propertyOrder" : 34000,
"required" : false,
"type" : "string"
},
"remoteConsentResponseSigningAlg" : {
"title" : "Consent response signing algorithm",
"description" : "The signing algorithm to be used by the provider when verifying the signature of the consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34400,
"required" : false,
"type" : "string"
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"required" : true,
"type" : "integer"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"propertyOrder" : 34700,
"required" : true,
"type" : "string"
},
"remoteConsentResponseEncryptionMethod" : {
"title" : "Consent response encryption method",
"description" : "The encryption method to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.<br><br>AM supports the following token encryption algorithms: <ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 34600,
"required" : true,
"type" : "string"
},
"remoteConsentResponseEncryptionAlgorithm" : {
"title" : "Consent response encryption algorithm",
"description" : "The encryption algorithm to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34500,
"required" : false,
"type" : "string"
},
"remoteConsentRequestEncryptionAlgorithm" : {
"title" : "Consent request Encryption Algorithm",
"description" : "Encryption algorithm to be used when encrypting the consent request JWT.",
"propertyOrder" : 34200,
"required" : true,
"type" : "string"
},
"remoteConsentRequestEncryptionEnabled" : {
"title" : "Enable consent request Encryption",
"description" : "Enables encryption of the consent request JWT.",
"propertyOrder" : 34100,
"required" : true,
"type" : "boolean"
},
"remoteConsentRequestSigningAlgorithm" : {
"title" : "Consent request Signing Algorithm",
"description" : "Signing algorithm to be used when signing the consent request JWT.",
"propertyOrder" : 34500,
"required" : true,
"type" : "string"
},
"remoteConsentRequestEncryptionMethod" : {
"title" : "Consent request Encryption Method",
"description" : "Encryption method to be used when encrypting the consent request JWT.",
"propertyOrder" : 34300,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"requestTimeLimit" : {
"title" : "Consent Request Time Limit",
"description" : "The amount of seconds for which the consent request JWT sent to the Remote Consent Service should be considered valid.",
"propertyOrder" : 35200,
"required" : false,
"type" : "integer"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"required" : true,
"type" : "integer"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI containing the public keys of the Remote Consent Service secret. The public keys are in the Json Web Key (jwk) format.",
"propertyOrder" : 34800,
"required" : true,
"type" : "string"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Remote Consent Service's public keys.",
"propertyOrder" : 35100,
"required" : false,
"type" : "string"
},
"remoteConsentRedirectUrl" : {
"title" : "Redirect URL",
"description" : "The Remote Consent Service's URL to which the authorization server should redirect the user in order to obtain their consent.",
"propertyOrder" : 34000,
"required" : false,
"type" : "string"
},
"remoteConsentResponseSigningAlg" : {
"title" : "Consent response signing algorithm",
"description" : "The signing algorithm to be used by the provider when verifying the signature of the consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34400,
"required" : false,
"type" : "string"
},
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"required" : true,
"type" : "integer"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"propertyOrder" : 34700,
"required" : true,
"type" : "string"
},
"remoteConsentResponseEncryptionMethod" : {
"title" : "Consent response encryption method",
"description" : "The encryption method to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.<br><br>AM supports the following token encryption algorithms: <ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 34600,
"required" : true,
"type" : "string"
},
"remoteConsentResponseEncryptionAlgorithm" : {
"title" : "Consent response encryption algorithm",
"description" : "The encryption algorithm to be used by the provider when decrypting the remote consent response JWT received from the Remote Consent Service.",
"propertyOrder" : 34500,
"required" : false,
"type" : "string"
},
"remoteConsentRequestEncryptionAlgorithm" : {
"title" : "Consent request Encryption Algorithm",
"description" : "Encryption algorithm to be used when encrypting the consent request JWT.",
"propertyOrder" : 34200,
"required" : true,
"type" : "string"
},
"remoteConsentRequestEncryptionEnabled" : {
"title" : "Enable consent request Encryption",
"description" : "Enables encryption of the consent request JWT.",
"propertyOrder" : 34100,
"required" : true,
"type" : "boolean"
},
"remoteConsentRequestSigningAlgorithm" : {
"title" : "Consent request Signing Algorithm",
"description" : "Signing algorithm to be used when signing the consent request JWT.",
"propertyOrder" : 34500,
"required" : true,
"type" : "string"
},
"remoteConsentRequestEncryptionMethod" : {
"title" : "Consent request Encryption Method",
"description" : "Encryption method to be used when encrypting the consent request JWT.",
"propertyOrder" : 34300,
"required" : true,
"type" : "string"
}
}
}
/realm-config/agents/groups/SoapSTSAgent
1.0
Agent Groups handler that is responsible for managing agent groups
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agent groups of a specific type
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"publishServicePollInterval" : {
"title" : "Poll Interval",
"description" : "Interval, in seconds, to poll the sts publish service for newly-published SOAP STS instances.",
"propertyOrder" : 26300,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/agents/groups/SoapSTSAgent/{id}
1.0
Agent Groups handler that is responsible for managing agent groups
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"publishServicePollInterval" : {
"title" : "Poll Interval",
"description" : "Interval, in seconds, to poll the sts publish service for newly-published SOAP STS instances.",
"propertyOrder" : 26300,
"required" : true,
"type" : "integer"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"publishServicePollInterval" : {
"title" : "Poll Interval",
"description" : "Interval, in seconds, to poll the sts publish service for newly-published SOAP STS instances.",
"propertyOrder" : 26300,
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"publishServicePollInterval" : {
"title" : "Poll Interval",
"description" : "Interval, in seconds, to poll the sts publish service for newly-published SOAP STS instances.",
"propertyOrder" : 26300,
"required" : true,
"type" : "integer"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"publishServicePollInterval" : {
"title" : "Poll Interval",
"description" : "Interval, in seconds, to poll the sts publish service for newly-published SOAP STS instances.",
"propertyOrder" : 26300,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/agents/groups/SoftwarePublisher
1.0
Agent Groups handler that is responsible for managing agent groups
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agent groups of a specific type
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"required" : false,
"type" : "integer"
},
"softwareStatementSigningAlgorithm" : {
"title" : "Software statement signing Algorithm",
"description" : "Signing algorithm to be used when verifying software statement signatures.",
"propertyOrder" : 34500,
"required" : false,
"type" : "string"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI that contains the Software Publisher's public keys in Json Web Key format.",
"propertyOrder" : 34800,
"required" : false,
"type" : "string"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select how the Software Publisher's public keys should be retrieved by the provider when validating software statement signatures.",
"propertyOrder" : 34700,
"required" : false,
"type" : "string"
},
"issuer" : {
"title" : "Software publisher issuer",
"description" : "Identifier for the software publisher, generally represented as a URL.",
"propertyOrder" : 33001,
"required" : true,
"type" : "string"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"required" : false,
"type" : "integer"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Software Publisher's public keys.",
"propertyOrder" : 35100,
"required" : false,
"type" : "string"
}
}
}
/realm-config/agents/groups/SoftwarePublisher/{id}
1.0
Agent Groups handler that is responsible for managing agent groups
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"required" : false,
"type" : "integer"
},
"softwareStatementSigningAlgorithm" : {
"title" : "Software statement signing Algorithm",
"description" : "Signing algorithm to be used when verifying software statement signatures.",
"propertyOrder" : 34500,
"required" : false,
"type" : "string"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI that contains the Software Publisher's public keys in Json Web Key format.",
"propertyOrder" : 34800,
"required" : false,
"type" : "string"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select how the Software Publisher's public keys should be retrieved by the provider when validating software statement signatures.",
"propertyOrder" : 34700,
"required" : false,
"type" : "string"
},
"issuer" : {
"title" : "Software publisher issuer",
"description" : "Identifier for the software publisher, generally represented as a URL.",
"propertyOrder" : 33001,
"required" : true,
"type" : "string"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"required" : false,
"type" : "integer"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Software Publisher's public keys.",
"propertyOrder" : 35100,
"required" : false,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"required" : false,
"type" : "integer"
},
"softwareStatementSigningAlgorithm" : {
"title" : "Software statement signing Algorithm",
"description" : "Signing algorithm to be used when verifying software statement signatures.",
"propertyOrder" : 34500,
"required" : false,
"type" : "string"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI that contains the Software Publisher's public keys in Json Web Key format.",
"propertyOrder" : 34800,
"required" : false,
"type" : "string"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select how the Software Publisher's public keys should be retrieved by the provider when validating software statement signatures.",
"propertyOrder" : 34700,
"required" : false,
"type" : "string"
},
"issuer" : {
"title" : "Software publisher issuer",
"description" : "Identifier for the software publisher, generally represented as a URL.",
"propertyOrder" : 33001,
"required" : true,
"type" : "string"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"required" : false,
"type" : "integer"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Software Publisher's public keys.",
"propertyOrder" : 35100,
"required" : false,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"required" : false,
"type" : "integer"
},
"softwareStatementSigningAlgorithm" : {
"title" : "Software statement signing Algorithm",
"description" : "Signing algorithm to be used when verifying software statement signatures.",
"propertyOrder" : 34500,
"required" : false,
"type" : "string"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI that contains the Software Publisher's public keys in Json Web Key format.",
"propertyOrder" : 34800,
"required" : false,
"type" : "string"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select how the Software Publisher's public keys should be retrieved by the provider when validating software statement signatures.",
"propertyOrder" : 34700,
"required" : false,
"type" : "string"
},
"issuer" : {
"title" : "Software publisher issuer",
"description" : "Identifier for the software publisher, generally represented as a URL.",
"propertyOrder" : 33001,
"required" : true,
"type" : "string"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"required" : false,
"type" : "integer"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Software Publisher's public keys.",
"propertyOrder" : 35100,
"required" : false,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jwksCacheTimeout" : {
"title" : "JWKs URI content cache timeout in ms",
"description" : "To avoid loading the JWKS URI content for every operation, the JWKS content is cached. This timeout defines the maximum amount of time the JWKS URI content can be cached before being refreshed.",
"propertyOrder" : 34900,
"required" : false,
"type" : "integer"
},
"softwareStatementSigningAlgorithm" : {
"title" : "Software statement signing Algorithm",
"description" : "Signing algorithm to be used when verifying software statement signatures.",
"propertyOrder" : 34500,
"required" : false,
"type" : "string"
},
"jwksUri" : {
"title" : "Json Web Key URI",
"description" : "The URI that contains the Software Publisher's public keys in Json Web Key format.",
"propertyOrder" : 34800,
"required" : false,
"type" : "string"
},
"publicKeyLocation" : {
"title" : "Public key selector",
"description" : "Select how the Software Publisher's public keys should be retrieved by the provider when validating software statement signatures.",
"propertyOrder" : 34700,
"required" : false,
"type" : "string"
},
"issuer" : {
"title" : "Software publisher issuer",
"description" : "Identifier for the software publisher, generally represented as a URL.",
"propertyOrder" : 33001,
"required" : true,
"type" : "string"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWKs URI content cache miss cache time",
"description" : "To avoid loading the JWKS URI content for every operation, especially when the kid is not in the jwks content already cached, the JWKS content will be cached for a minimum period of time. This cache miss cache time defines the minimum amount of time the JWKS URI content is cached.",
"propertyOrder" : 35000,
"required" : false,
"type" : "integer"
},
"jwkSet" : {
"title" : "Json Web Key",
"description" : "Raw JSON Web Key value containing the Software Publisher's public keys.",
"propertyOrder" : 35100,
"required" : false,
"type" : "string"
}
}
}
/realm-config/agents/groups/WebAgent
1.0
Agent Groups handler that is responsible for managing agent groups
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Querying the agent groups of a specific type
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedWebAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 35100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"overrideRequestHost" : {
"title" : "Override Request URL Host",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the host with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.host) <br>Hot-swap: Yes",
"propertyOrder" : 33200,
"required" : false,
"type" : "boolean"
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 32800,
"required" : false,
"type" : "string"
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 32900,
"required" : false,
"type" : "string"
},
"overrideRequestPort" : {
"title" : "Override Request URL Port",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the port with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.port) <br>Hot-swap: Yes",
"propertyOrder" : 33300,
"required" : false,
"type" : "boolean"
},
"authenticationType" : {
"title" : "Authentication Type",
"description" : "(property name: com.sun.identity.agents.config.iis.auth.type)",
"propertyOrder" : 33800,
"required" : false,
"type" : "string"
},
"overrideRequestProtocol" : {
"title" : "Override Request URL Protocol",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the protocol with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 33100,
"required" : false,
"type" : "boolean"
},
"changeProtocolToHttps" : {
"title" : "Change URL Protocol to https",
"description" : "If true, avoids IE6 security pop-ups. (property name: com.sun.identity.agents.config.iis.owa.enable.change.protocol)",
"propertyOrder" : 34200,
"required" : false,
"type" : "boolean"
},
"checkUserInDomino" : {
"title" : "Check User in Domino Database",
"description" : "If true, agent checks user existence in Domino name database. (property name: com.sun.identity.agents.config.domino.check.name.database)",
"propertyOrder" : 34600,
"required" : false,
"type" : "boolean"
},
"useLtpaToken" : {
"title" : "Use LTPA token",
"description" : "Set to true if agent needs to use LTPA Token. (property name: com.sun.identity.agents.config.domino.ltpa.enable)",
"propertyOrder" : 34700,
"required" : false,
"type" : "boolean"
},
"showPasswordInHeader" : {
"title" : "Show Password in HTTP Header",
"description" : "Set to true if encrypted password should be set in HTTP header AUTH_PASSWORD. (property name: com.sun.identity.agents.config.iis.password.header)",
"propertyOrder" : 34400,
"required" : false,
"type" : "boolean"
},
"overrideNotificationUrl" : {
"title" : "Override Notification URL",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the URL with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.notification.url) <br>Hot-swap: Yes",
"propertyOrder" : 33400,
"required" : false,
"type" : "boolean"
},
"filterPriority" : {
"title" : "Filter Priority",
"description" : "The loading priority of filter. (property name: com.sun.identity.agents.config.iis.filter.priority)",
"propertyOrder" : 34000,
"required" : false,
"type" : "string"
},
"ltpaTokenConfigurationname" : {
"title" : "LTPA Token Configuration Name",
"description" : "The configuration name that the agent uses in order to employ the LTPA token mechanism. (property name: com.sun.identity.agents.config.domino.ltpa.config.name)",
"propertyOrder" : 34900,
"required" : false,
"type" : "string"
},
"logonAndImpersonation" : {
"title" : "Logon and Impersonation",
"description" : "Set to true if agent should do Windows Logon and User Impersonation. (property name: com.sun.identity.agents.config.iis.logonuser)",
"propertyOrder" : 34500,
"required" : false,
"type" : "boolean"
},
"filterConfiguredWithOwa" : {
"title" : "Filter configured with OWA",
"description" : "Set to true if the IIS agent filter is configured for OWA. (property name: com.sun.identity.agents.config.iis.owa.enable)",
"propertyOrder" : 34100,
"required" : false,
"type" : "boolean"
},
"replayPasswordKey" : {
"title" : "Replay Password Key",
"description" : "DES key for decrypting the basic authentication password in the session. (property name: com.sun.identity.agents.config.replaypasswd.key)",
"propertyOrder" : 33900,
"required" : false,
"type" : "string"
},
"postDataCachePeriod" : {
"title" : "POST Data Entries Cache Period",
"description" : "POST cache entry lifetime in minutes. (property name: com.sun.identity.agents.config.postcache.entry.lifetime) <br>Hot-swap: Yes",
"propertyOrder" : 33600,
"required" : false,
"type" : "integer"
},
"overrideProxyHostAndPort" : {
"title" : "Override Proxy Server's Host and Port",
"description" : "(property name: com.sun.identity.agents.config.proxy.override.host.port) <br>Hot-swap: No",
"propertyOrder" : 33700,
"required" : false,
"type" : "boolean"
},
"ltpaTokenOrganizationName" : {
"title" : "LTPA Token Organization Name",
"description" : "The organization name to which the LTPA token belongs. (property name: com.sun.identity.agents.config.domino.ltpa.org.name)",
"propertyOrder" : 35000,
"required" : false,
"type" : "string"
},
"ltpaTokenCookieName" : {
"title" : "LTPA Token Cookie Name",
"description" : "The name of the cookie that contains the LTPA token. (property name: com.sun.identity.agents.config.domino.ltpa.cookie.name)",
"propertyOrder" : 34800,
"required" : false,
"type" : "string"
},
"idleSessionTimeoutUrl" : {
"title" : "Idle Session Timeout Page URL",
"description" : "URL of the local idle session timeout page. (property name: com.sun.identity.agents.config.iis.owa.enable.session.timeout.url)",
"propertyOrder" : 34300,
"required" : false,
"type" : "string"
},
"loadBalanced" : {
"title" : "Load Balancer Setup",
"description" : "Set to true if a load balancer is used for AM services. (property name: com.sun.identity.agents.config.load.balancer.enable) <br>Hot-swap: No",
"propertyOrder" : 33000,
"required" : false,
"type" : "boolean"
},
"postDataPreservation" : {
"title" : "POST Data Preservation",
"description" : "Enables POST data preservation. (property name: com.sun.identity.agents.config.postdata.preserve.enable) <br> Note that this feature is not supported in all the web agents. Please refer individual agents documentation for more details. <br>Hot-swap: Yes",
"propertyOrder" : 33500,
"required" : false,
"type" : "boolean"
}
}
},
"globalWebAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 25100,
"required" : true,
"type" : "string"
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 25400,
"required" : false,
"type" : "integer"
},
"ssoOnlyMode" : {
"title" : "SSO Only Mode",
"description" : "Agent will just enforce authentication (SSO), but no authorization for policies. (property name: com.sun.identity.agents.config.sso.only) <br>Hot-swap: Yes",
"propertyOrder" : 26200,
"required" : false,
"type" : "boolean"
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 27400,
"required" : false,
"type" : "string"
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 25500,
"required" : false,
"type" : "string"
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27300,
"required" : false,
"type" : "boolean"
},
"remoteLogSendInterval" : {
"title" : "Remote Audit Log Interval",
"description" : "Periodic interval in minutes in which audit log messages are sent to remote log file. (property name: com.sun.identity.agents.config.remote.log.interval) <br>Hot-swap: No",
"propertyOrder" : 27000,
"required" : false,
"type" : "integer"
},
"configurationPollingInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in minutes to fetch agent configuration from AM. (property name: com.sun.identity.agents.config.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 25900,
"required" : false,
"type" : "integer"
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit in bytes when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 27200,
"required" : false,
"type" : "integer"
},
"agentUriPrefix" : {
"title" : "Agent Deployment URI Prefix",
"description" : "(property name: com.sun.identity.agents.config.agenturi.prefix)<br>Hot-swap: Yes",
"propertyOrder" : 25800,
"required" : false,
"type" : "string"
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 26700,
"required" : false,
"type" : "string"
},
"debugRotationSize" : {
"title" : "Agent Debug File Size",
"description" : "Agent debug file size in bytes. (property name: com.sun.identity.agents.config.debug.file.size) <br>Hot-swap: Yes",
"propertyOrder" : 26600,
"required" : false,
"type" : "integer"
},
"remoteLogFilename" : {
"title" : "Remote Log Filename",
"description" : "(Not used in Agent 5 onwards) <br>Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: No",
"propertyOrder" : 26900,
"required" : false,
"type" : "string"
},
"configurationCleanupInterval" : {
"title" : "Configuration Cleanup Interval",
"description" : "Interval in minutes to cleanup old agent configuration entries. (property name: com.sun.identity.agents.config.cleanup.interval) <br>Hot-swap: No",
"propertyOrder" : 26000,
"required" : false,
"type" : "integer"
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 26100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notificationsEnabled" : {
"title" : "Enable Notifications",
"description" : "The notifications help in maintaining agent's sso, policy and configuration caches. (property name: com.sun.identity.agents.config.notification.enable) <br>Hot-swap: No",
"propertyOrder" : 25600,
"required" : false,
"type" : "boolean"
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "(Not used in Agent 5 onwards) <br>URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 25700,
"required" : false,
"type" : "string"
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 27500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"debugLogRotation" : {
"title" : "Agent Debug File Rotation",
"description" : "Debug file gets rotated based on the size specified. (property name: com.sun.identity.agents.config.debug.file.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 26500,
"required" : false,
"type" : "boolean"
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 25300,
"required" : false,
"type" : "boolean"
},
"accessDeniedUrl" : {
"title" : "Resources Access Denied URL",
"description" : "The URL of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.url) <br>Hot-swap: Yes",
"propertyOrder" : 26300,
"required" : false,
"type" : "string"
},
"agentDebugLevel" : {
"title" : "Agent Debug Level",
"description" : "Agent debug level. (property name: com.sun.identity.agents.config.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 26400,
"required" : false,
"type" : "string"
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 27100,
"required" : false,
"type" : "boolean"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 26800,
"required" : false,
"type" : "string"
}
}
},
"amServicesWebAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"primaryServerPollingPeriod" : {
"title" : "Polling Period for Primary Server",
"description" : "Interval in minutes, agent polls to check the primary server is up and running. (property name: com.sun.identity.agents.config.poll.primary.server) <br>Hot-swap: No",
"propertyOrder" : 30100,
"required" : false,
"type" : "integer"
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 31400,
"required" : false,
"type" : "string"
},
"retrieveClientHostname" : {
"title" : "Retrieve Client Hostname",
"description" : "Gets the client's hostname through DNS reverse lookup for use in policy evaluation. (property name: com.sun.identity.agents.config.get.client.host.name) <br>Hot-swap: Yes",
"propertyOrder" : 31100,
"required" : false,
"type" : "boolean"
},
"ssoCachePollingInterval" : {
"title" : "SSO Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's sso cache. (property name: com.sun.identity.agents.config.sso.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30700,
"required" : false,
"type" : "integer"
},
"userIdParameter" : {
"title" : "User ID Parameter",
"description" : "Agent sets value of User Id to REMOTE_USER server variable. (property name: com.sun.identity.agents.config.userid.param) <br>Hot-swap: Yes",
"propertyOrder" : 30800,
"required" : false,
"type" : "string"
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 30200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClockSkew" : {
"title" : "Policy Clock Skew",
"description" : "Time in seconds used adjust time difference between Agent machine and AM. Clock skew in seconds = AgentTime - AMServerTime. (property name: com.sun.identity.agents.config.policy.clock.skew) <br>Hot-swap: No",
"propertyOrder" : 31200,
"required" : false,
"type" : "integer"
},
"logoutResetCookies" : {
"title" : "Logout Cookies List for Reset",
"description" : "Any cookies to be reset upon logout in the same format as cookie reset list. (property name: com.sun.identity.agents.config.logout.cookie.reset) <br>Hot-swap: Yes <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 30400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"fetchPoliciesFromRootResource" : {
"title" : "Fetch Policies from Root Resource",
"description" : "Agent caches policy decision of the resource and all resources from the root of the resource down. (property name: com.sun.identity.agents.config.fetch.from.root.resource) <br>Hot-swap: No",
"propertyOrder" : 31000,
"required" : false,
"type" : "boolean"
},
"logoutRedirectUrl" : {
"title" : "Logout Redirect URL",
"description" : "User gets redirected to this url after logout. (property name: com.sun.identity.agents.config.logout.redirect.url). This property should be specified along with the above Logout URL List.<br>Hot-swap: Yes",
"propertyOrder" : 30500,
"required" : false,
"type" : "string"
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 31300,
"required" : false,
"type" : "string"
},
"agentConnectionTimeout" : {
"title" : "Agent Connection Timeout",
"description" : "Timeout period in seconds for an agent connection with AM auth server. (property name: com.sun.identity.agents.config.auth.connection.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 30000,
"required" : false,
"type" : "integer"
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 29900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userIdParameterType" : {
"title" : "User ID Parameter Type",
"description" : "User ID can be fetched from either SESSION and LDAP attributes. (property name: com.sun.identity.agents.config.userid.param.type) <br>Hot-swap: Yes",
"propertyOrder" : 30900,
"required" : false,
"type" : "string"
},
"policyCachePollingInterval" : {
"title" : "Policy Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's policy cache. (property name: com.sun.identity.agents.config.policy.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30600,
"required" : false,
"type" : "integer"
},
"applicationLogoutUrls" : {
"title" : "Logout URL List",
"description" : "List of application logout URLs. User gets logged out from AM session when these urls accessed. (property name: com.sun.identity.agents.config.agent.logout.url). If this property is used, user should specify a value for the below Logout Redirect URL property.<br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/logout.html",
"propertyOrder" : 30300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"applicationWebAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 28000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 28900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"profileAttributeMap" : {
"title" : "Profile Attribute Map",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 28300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28200,
"required" : false,
"type" : "string"
},
"fetchAttributesForNotEnforcedUrls" : {
"title" : "Fetch Attributes for Not Enforced URLs",
"description" : "Agent fetches profile attributes for not enforced urls by doing policy evaluation. (property name: com.sun.identity.agents.config.notenforced.url.attributes.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27900,
"required" : false,
"type" : "boolean"
},
"ignorePathInfoForNotEnforcedUrls" : {
"title" : "Ignore Path Info for Not Enforced URLs",
"description" : "Indicate whether the path info and query should be stripped from the request URL before being compared with the URLs of the not enforced list when those URLs have a wildcard '*' character. (property name: com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list) <br>Hot-swap: Yes",
"propertyOrder" : 27600,
"required" : false,
"type" : "boolean"
},
"attributeMultiValueSeparator" : {
"title" : "Attribute Multi Value Separator",
"description" : "Specifies separator for multiple values. Applies to all types of attributes i.e. profile, session and response attributes. (property name: com.sun.identity.agents.config.attribute.multi.value.separator) <br>Hot-swap: Yes",
"propertyOrder" : 28800,
"required" : false,
"type" : "string"
},
"notEnforcedUrls" : {
"title" : "Not Enforced URLs",
"description" : "List of urls for which no authentication required. (property name: com.sun.identity.agents.config.notenforced.url) <br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/*.gif",
"propertyOrder" : 27700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28600,
"required" : false,
"type" : "string"
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request, that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script.It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 29000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"sessionAttributeMap" : {
"title" : "Session Attribute Map",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 28700,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"clientIpValidation" : {
"title" : "Client IP Validation",
"description" : "This validates if the subsequent browser requests come from the same ip address that the SSO token is initially issued against. (property name: com.sun.identity.agents.config.client.ip.validation.enable) <br>Hot-swap: Yes",
"propertyOrder" : 28100,
"required" : false,
"type" : "boolean"
},
"invertNotEnforcedUrls" : {
"title" : "Invert Not Enforced URLs",
"description" : "Only not enforced list of urls will be enforced. (property name: com.sun.identity.agents.config.notenforced.url.invert) <br>Hot-swap: Yes",
"propertyOrder" : 27800,
"required" : false,
"type" : "boolean"
},
"responseAttributeMap" : {
"title" : "Response Attribute Map",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 28500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28400,
"required" : false,
"type" : "string"
}
}
},
"miscWebAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"anonymousUserEnabled" : {
"title" : "Anonymous User",
"description" : "Enable/Disable REMOTE_USER processing for anonymous users. (property name: com.sun.identity.agents.config.anonymous.user.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31600,
"required" : false,
"type" : "boolean"
},
"encodeSpecialCharsInCookies" : {
"title" : "Encode special chars in Cookies",
"description" : "Encode special chars in cookie by URL encoding. Useful when profile, session and response attributes contain special chars and attributes fetch mode is set to HTTP_COOKIE. (property name: com.sun.identity.agents.config.encode.cookie.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31700,
"required" : false,
"type" : "boolean"
},
"agentLocale" : {
"title" : "Agent Locale",
"description" : "The default locale for the product. (property name: com.sun.identity.agents.config.locale) <br>Hot-swap: No",
"propertyOrder" : 31500,
"required" : false,
"type" : "string"
},
"caseInsensitiveUrlComparison" : {
"title" : "URL Comparison Case Sensitivity Check",
"description" : "Enforces case insensitivity in both policy and not enforced url evaluation. (property name: com.sun.identity.agents.config.url.comparison.case.ignore) <br>Hot-swap: Yes",
"propertyOrder" : 32000,
"required" : false,
"type" : "boolean"
},
"anonymousUserId" : {
"title" : "Anonymous User Default Value",
"description" : "User id of unauthenticated users. (property name: com.sun.identity.agents.config.anonymous.user.id) <br>Hot-swap: Yes",
"propertyOrder" : 32700,
"required" : false,
"type" : "string"
},
"profileAttributesCookiePrefix" : {
"title" : "Profile Attributes Cookie Prefix",
"description" : "Sets cookie prefix in the attributes headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.prefix) <br>Hot-swap: Yes",
"propertyOrder" : 31800,
"required" : false,
"type" : "string"
},
"profileAttributesCookieMaxAge" : {
"title" : "Profile Attributes Cookie Maxage",
"description" : "Maxage of attributes cookie headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.maxage) <br>Hot-swap: Yes",
"propertyOrder" : 31900,
"required" : false,
"type" : "integer"
},
"ignoreServerCheck" : {
"title" : "Ignore Server Check",
"description" : "Agent uses this value to check AM is up before doing a 302 redirect. (property name: com.sun.identity.agents.config.ignore.server.check) <br>Hot-swap: Yes",
"propertyOrder" : 32300,
"required" : false,
"type" : "boolean"
},
"ignorePreferredNamingUrl" : {
"title" : "Ignore Preferred Naming URL in Naming Request",
"description" : "Agent uses this value to send preferred naming url in the naming request. (property name: com.sun.identity.agents.config.ignore.preferred.naming.url) <br>Hot-swap: Yes",
"propertyOrder" : 32200,
"required" : false,
"type" : "boolean"
},
"encodeProfileAttributes" : {
"title" : "Native Encoding of Profile Attributes",
"description" : "Agent encodes the ldap header values in the default encoding of OS locale. If false, UTF-8 gets used. (property name: com.sun.identity.agents.config.convert.mbyte.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32500,
"required" : false,
"type" : "boolean"
},
"encodeUrlSpecialCharacters" : {
"title" : "Encode URL's Special Characters",
"description" : "Encodes the url which has special characters before doing policy evaluation. (property name: com.sun.identity.agents.config.encode.url.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32100,
"required" : false,
"type" : "boolean"
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. Default value should be changed only when the login URL has a landing page specified <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcserlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent.port/original.jsp",
"propertyOrder" : 32600,
"required" : false,
"type" : "string"
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 32400,
"required" : false,
"type" : "boolean"
}
}
},
"ssoWebAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cookieResetList" : {
"title" : "Cookies Reset Name List",
"description" : "List of cookies in the format: name[=value][;Domain=value]. (property name: com.sun.identity.agents.config.cookie.reset) <br>Hot-swap: Yes <br> Examples: <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 29800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.sun.identity.agents.config.cookie.name)<br>Hot-swap: No",
"propertyOrder" : 29100,
"required" : false,
"type" : "string"
},
"secureCookies" : {
"title" : "Cookie Security",
"description" : "Agent sends secure cookies if communication is secure. (property name: com.sun.identity.agents.config.cookie.secure) <br>Hot-swap: No",
"propertyOrder" : 29200,
"required" : false,
"type" : "boolean"
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 29500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 29300,
"required" : false,
"type" : "string"
},
"cdssoCookieDomain" : {
"title" : "Cookies Domain List",
"description" : "List of domains in which cookies have to be set in CDSSO. (property name: com.sun.identity.agents.config.cdsso.cookie.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 29600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross-Domain Single Sign On. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29400,
"required" : false,
"type" : "boolean"
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29700,
"required" : false,
"type" : "boolean"
}
}
}
}
}
/realm-config/agents/groups/WebAgent/{id}
1.0
Agent Groups handler that is responsible for managing agent groups
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedWebAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 35100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"overrideRequestHost" : {
"title" : "Override Request URL Host",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the host with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.host) <br>Hot-swap: Yes",
"propertyOrder" : 33200,
"required" : false,
"type" : "boolean"
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 32800,
"required" : false,
"type" : "string"
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 32900,
"required" : false,
"type" : "string"
},
"overrideRequestPort" : {
"title" : "Override Request URL Port",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the port with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.port) <br>Hot-swap: Yes",
"propertyOrder" : 33300,
"required" : false,
"type" : "boolean"
},
"authenticationType" : {
"title" : "Authentication Type",
"description" : "(property name: com.sun.identity.agents.config.iis.auth.type)",
"propertyOrder" : 33800,
"required" : false,
"type" : "string"
},
"overrideRequestProtocol" : {
"title" : "Override Request URL Protocol",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the protocol with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 33100,
"required" : false,
"type" : "boolean"
},
"changeProtocolToHttps" : {
"title" : "Change URL Protocol to https",
"description" : "If true, avoids IE6 security pop-ups. (property name: com.sun.identity.agents.config.iis.owa.enable.change.protocol)",
"propertyOrder" : 34200,
"required" : false,
"type" : "boolean"
},
"checkUserInDomino" : {
"title" : "Check User in Domino Database",
"description" : "If true, agent checks user existence in Domino name database. (property name: com.sun.identity.agents.config.domino.check.name.database)",
"propertyOrder" : 34600,
"required" : false,
"type" : "boolean"
},
"useLtpaToken" : {
"title" : "Use LTPA token",
"description" : "Set to true if agent needs to use LTPA Token. (property name: com.sun.identity.agents.config.domino.ltpa.enable)",
"propertyOrder" : 34700,
"required" : false,
"type" : "boolean"
},
"showPasswordInHeader" : {
"title" : "Show Password in HTTP Header",
"description" : "Set to true if encrypted password should be set in HTTP header AUTH_PASSWORD. (property name: com.sun.identity.agents.config.iis.password.header)",
"propertyOrder" : 34400,
"required" : false,
"type" : "boolean"
},
"overrideNotificationUrl" : {
"title" : "Override Notification URL",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the URL with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.notification.url) <br>Hot-swap: Yes",
"propertyOrder" : 33400,
"required" : false,
"type" : "boolean"
},
"filterPriority" : {
"title" : "Filter Priority",
"description" : "The loading priority of filter. (property name: com.sun.identity.agents.config.iis.filter.priority)",
"propertyOrder" : 34000,
"required" : false,
"type" : "string"
},
"ltpaTokenConfigurationname" : {
"title" : "LTPA Token Configuration Name",
"description" : "The configuration name that the agent uses in order to employ the LTPA token mechanism. (property name: com.sun.identity.agents.config.domino.ltpa.config.name)",
"propertyOrder" : 34900,
"required" : false,
"type" : "string"
},
"logonAndImpersonation" : {
"title" : "Logon and Impersonation",
"description" : "Set to true if agent should do Windows Logon and User Impersonation. (property name: com.sun.identity.agents.config.iis.logonuser)",
"propertyOrder" : 34500,
"required" : false,
"type" : "boolean"
},
"filterConfiguredWithOwa" : {
"title" : "Filter configured with OWA",
"description" : "Set to true if the IIS agent filter is configured for OWA. (property name: com.sun.identity.agents.config.iis.owa.enable)",
"propertyOrder" : 34100,
"required" : false,
"type" : "boolean"
},
"replayPasswordKey" : {
"title" : "Replay Password Key",
"description" : "DES key for decrypting the basic authentication password in the session. (property name: com.sun.identity.agents.config.replaypasswd.key)",
"propertyOrder" : 33900,
"required" : false,
"type" : "string"
},
"postDataCachePeriod" : {
"title" : "POST Data Entries Cache Period",
"description" : "POST cache entry lifetime in minutes. (property name: com.sun.identity.agents.config.postcache.entry.lifetime) <br>Hot-swap: Yes",
"propertyOrder" : 33600,
"required" : false,
"type" : "integer"
},
"overrideProxyHostAndPort" : {
"title" : "Override Proxy Server's Host and Port",
"description" : "(property name: com.sun.identity.agents.config.proxy.override.host.port) <br>Hot-swap: No",
"propertyOrder" : 33700,
"required" : false,
"type" : "boolean"
},
"ltpaTokenOrganizationName" : {
"title" : "LTPA Token Organization Name",
"description" : "The organization name to which the LTPA token belongs. (property name: com.sun.identity.agents.config.domino.ltpa.org.name)",
"propertyOrder" : 35000,
"required" : false,
"type" : "string"
},
"ltpaTokenCookieName" : {
"title" : "LTPA Token Cookie Name",
"description" : "The name of the cookie that contains the LTPA token. (property name: com.sun.identity.agents.config.domino.ltpa.cookie.name)",
"propertyOrder" : 34800,
"required" : false,
"type" : "string"
},
"idleSessionTimeoutUrl" : {
"title" : "Idle Session Timeout Page URL",
"description" : "URL of the local idle session timeout page. (property name: com.sun.identity.agents.config.iis.owa.enable.session.timeout.url)",
"propertyOrder" : 34300,
"required" : false,
"type" : "string"
},
"loadBalanced" : {
"title" : "Load Balancer Setup",
"description" : "Set to true if a load balancer is used for AM services. (property name: com.sun.identity.agents.config.load.balancer.enable) <br>Hot-swap: No",
"propertyOrder" : 33000,
"required" : false,
"type" : "boolean"
},
"postDataPreservation" : {
"title" : "POST Data Preservation",
"description" : "Enables POST data preservation. (property name: com.sun.identity.agents.config.postdata.preserve.enable) <br> Note that this feature is not supported in all the web agents. Please refer to the individual agent's documentation for more details. <br>Hot-swap: Yes",
"propertyOrder" : 33500,
"required" : false,
"type" : "boolean"
}
}
},
"globalWebAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 25100,
"required" : true,
"type" : "string"
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 25400,
"required" : false,
"type" : "integer"
},
"ssoOnlyMode" : {
"title" : "SSO Only Mode",
"description" : "Agent will just enforce authentication (SSO), but no authorization for policies. (property name: com.sun.identity.agents.config.sso.only) <br>Hot-swap: Yes",
"propertyOrder" : 26200,
"required" : false,
"type" : "boolean"
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 27400,
"required" : false,
"type" : "string"
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 25500,
"required" : false,
"type" : "string"
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27300,
"required" : false,
"type" : "boolean"
},
"remoteLogSendInterval" : {
"title" : "Remote Audit Log Interval",
"description" : "Periodic interval in minutes in which audit log messages are sent to remote log file. (property name: com.sun.identity.agents.config.remote.log.interval) <br>Hot-swap: No",
"propertyOrder" : 27000,
"required" : false,
"type" : "integer"
},
"configurationPollingInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in minutes to fetch agent configuration from AM. (property name: com.sun.identity.agents.config.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 25900,
"required" : false,
"type" : "integer"
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit in bytes when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 27200,
"required" : false,
"type" : "integer"
},
"agentUriPrefix" : {
"title" : "Agent Deployment URI Prefix",
"description" : "(property name: com.sun.identity.agents.config.agenturi.prefix)<br>Hot-swap: Yes",
"propertyOrder" : 25800,
"required" : false,
"type" : "string"
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 26700,
"required" : false,
"type" : "string"
},
"debugRotationSize" : {
"title" : "Agent Debug File Size",
"description" : "Agent debug file size in bytes. (property name: com.sun.identity.agents.config.debug.file.size) <br>Hot-swap: Yes",
"propertyOrder" : 26600,
"required" : false,
"type" : "integer"
},
"remoteLogFilename" : {
"title" : "Remote Log Filename",
"description" : "(Not used in Agent 5 onwards) <br>Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: No",
"propertyOrder" : 26900,
"required" : false,
"type" : "string"
},
"configurationCleanupInterval" : {
"title" : "Configuration Cleanup Interval",
"description" : "Interval in minutes to cleanup old agent configuration entries. (property name: com.sun.identity.agents.config.cleanup.interval) <br>Hot-swap: No",
"propertyOrder" : 26000,
"required" : false,
"type" : "integer"
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 26100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notificationsEnabled" : {
"title" : "Enable Notifications",
"description" : "The notifications help in maintaining agent's sso, policy and configuration caches. (property name: com.sun.identity.agents.config.notification.enable) <br>Hot-swap: No",
"propertyOrder" : 25600,
"required" : false,
"type" : "boolean"
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "(Not used in Agent 5 onwards) <br>URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 25700,
"required" : false,
"type" : "string"
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 27500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"debugLogRotation" : {
"title" : "Agent Debug File Rotation",
"description" : "Debug file gets rotated based on the size specified. (property name: com.sun.identity.agents.config.debug.file.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 26500,
"required" : false,
"type" : "boolean"
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 25300,
"required" : false,
"type" : "boolean"
},
"accessDeniedUrl" : {
"title" : "Resources Access Denied URL",
"description" : "The URL of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.url) <br>Hot-swap: Yes",
"propertyOrder" : 26300,
"required" : false,
"type" : "string"
},
"agentDebugLevel" : {
"title" : "Agent Debug Level",
"description" : "Agent debug level. (property name: com.sun.identity.agents.config.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 26400,
"required" : false,
"type" : "string"
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 27100,
"required" : false,
"type" : "boolean"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 26800,
"required" : false,
"type" : "string"
}
}
},
"amServicesWebAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"primaryServerPollingPeriod" : {
"title" : "Polling Period for Primary Server",
"description" : "Interval in minutes at which the agent polls to check that the primary server is up and running. (property name: com.sun.identity.agents.config.poll.primary.server) <br>Hot-swap: No",
"propertyOrder" : 30100,
"required" : false,
"type" : "integer"
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "The application that contains the policies to evaluate against. (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 31400,
"required" : false,
"type" : "string"
},
"retrieveClientHostname" : {
"title" : "Retrieve Client Hostname",
"description" : "Gets the client's hostname through DNS reverse lookup for use in policy evaluation. (property name: com.sun.identity.agents.config.get.client.host.name) <br>Hot-swap: Yes",
"propertyOrder" : 31100,
"required" : false,
"type" : "boolean"
},
"ssoCachePollingInterval" : {
"title" : "SSO Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's sso cache. (property name: com.sun.identity.agents.config.sso.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30700,
"required" : false,
"type" : "integer"
},
"userIdParameter" : {
"title" : "User ID Parameter",
"description" : "Agent sets value of User Id to REMOTE_USER server variable. (property name: com.sun.identity.agents.config.userid.param) <br>Hot-swap: Yes",
"propertyOrder" : 30800,
"required" : false,
"type" : "string"
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 30200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClockSkew" : {
"title" : "Policy Clock Skew",
"description" : "Time in seconds used to adjust the time difference between the Agent machine and AM. Clock skew in seconds = AgentTime - AMServerTime. (property name: com.sun.identity.agents.config.policy.clock.skew) <br>Hot-swap: No",
"propertyOrder" : 31200,
"required" : false,
"type" : "integer"
},
"logoutResetCookies" : {
"title" : "Logout Cookies List for Reset",
"description" : "Any cookies to be reset upon logout in the same format as cookie reset list. (property name: com.sun.identity.agents.config.logout.cookie.reset) <br>Hot-swap: Yes <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 30400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"fetchPoliciesFromRootResource" : {
"title" : "Fetch Policies from Root Resource",
"description" : "Agent caches policy decision of the resource and all resources from the root of the resource down. (property name: com.sun.identity.agents.config.fetch.from.root.resource) <br>Hot-swap: No",
"propertyOrder" : 31000,
"required" : false,
"type" : "boolean"
},
"logoutRedirectUrl" : {
"title" : "Logout Redirect URL",
"description" : "User gets redirected to this URL after logout. (property name: com.sun.identity.agents.config.logout.redirect.url). This property should be specified along with the Logout URL List property above.<br>Hot-swap: Yes",
"propertyOrder" : 30500,
"required" : false,
"type" : "string"
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "The realm from which to start evaluating policies. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 31300,
"required" : false,
"type" : "string"
},
"agentConnectionTimeout" : {
"title" : "Agent Connection Timeout",
"description" : "Timeout period in seconds for an agent connection with AM auth server. (property name: com.sun.identity.agents.config.auth.connection.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 30000,
"required" : false,
"type" : "integer"
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 29900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userIdParameterType" : {
"title" : "User ID Parameter Type",
"description" : "User ID can be fetched from either SESSION or LDAP attributes. (property name: com.sun.identity.agents.config.userid.param.type) <br>Hot-swap: Yes",
"propertyOrder" : 30900,
"required" : false,
"type" : "string"
},
"policyCachePollingInterval" : {
"title" : "Policy Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's policy cache. (property name: com.sun.identity.agents.config.policy.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30600,
"required" : false,
"type" : "integer"
},
"applicationLogoutUrls" : {
"title" : "Logout URL List",
"description" : "List of application logout URLs. The user gets logged out from the AM session when these URLs are accessed. (property name: com.sun.identity.agents.config.agent.logout.url). If this property is used, the user should specify a value for the Logout Redirect URL property below.<br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/logout.html",
"propertyOrder" : 30300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"applicationWebAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 28000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 28900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"profileAttributeMap" : {
"title" : "Profile Attribute Map",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 28300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28200,
"required" : false,
"type" : "string"
},
"fetchAttributesForNotEnforcedUrls" : {
"title" : "Fetch Attributes for Not Enforced URLs",
"description" : "Agent fetches profile attributes for not enforced urls by doing policy evaluation. (property name: com.sun.identity.agents.config.notenforced.url.attributes.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27900,
"required" : false,
"type" : "boolean"
},
"ignorePathInfoForNotEnforcedUrls" : {
"title" : "Ignore Path Info for Not Enforced URLs",
"description" : "Indicate whether the path info and query should be stripped from the request URL before being compared with the URLs of the not enforced list when those URLs have a wildcard '*' character. (property name: com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list) <br>Hot-swap: Yes",
"propertyOrder" : 27600,
"required" : false,
"type" : "boolean"
},
"attributeMultiValueSeparator" : {
"title" : "Attribute Multi Value Separator",
"description" : "Specifies separator for multiple values. Applies to all types of attributes i.e. profile, session and response attributes. (property name: com.sun.identity.agents.config.attribute.multi.value.separator) <br>Hot-swap: Yes",
"propertyOrder" : 28800,
"required" : false,
"type" : "string"
},
"notEnforcedUrls" : {
"title" : "Not Enforced URLs",
"description" : "List of URLs for which no authentication is required. (property name: com.sun.identity.agents.config.notenforced.url) <br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/*.gif",
"propertyOrder" : 27700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28600,
"required" : false,
"type" : "string"
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request, that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 29000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"sessionAttributeMap" : {
"title" : "Session Attribute Map",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 28700,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"clientIpValidation" : {
"title" : "Client IP Validation",
"description" : "This validates if the subsequent browser requests come from the same ip address that the SSO token is initially issued against. (property name: com.sun.identity.agents.config.client.ip.validation.enable) <br>Hot-swap: Yes",
"propertyOrder" : 28100,
"required" : false,
"type" : "boolean"
},
"invertNotEnforcedUrls" : {
"title" : "Invert Not Enforced URLs",
"description" : "Only not enforced list of urls will be enforced. (property name: com.sun.identity.agents.config.notenforced.url.invert) <br>Hot-swap: Yes",
"propertyOrder" : 27800,
"required" : false,
"type" : "boolean"
},
"responseAttributeMap" : {
"title" : "Response Attribute Map",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 28500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28400,
"required" : false,
"type" : "string"
}
}
},
"miscWebAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"anonymousUserEnabled" : {
"title" : "Anonymous User",
"description" : "Enable/Disable REMOTE_USER processing for anonymous users. (property name: com.sun.identity.agents.config.anonymous.user.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31600,
"required" : false,
"type" : "boolean"
},
"encodeSpecialCharsInCookies" : {
"title" : "Encode special chars in Cookies",
"description" : "Encode special chars in cookie by URL encoding. Useful when profile, session and response attributes contain special chars and attributes fetch mode is set to HTTP_COOKIE. (property name: com.sun.identity.agents.config.encode.cookie.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31700,
"required" : false,
"type" : "boolean"
},
"agentLocale" : {
"title" : "Agent Locale",
"description" : "The default locale for the product. (property name: com.sun.identity.agents.config.locale) <br>Hot-swap: No",
"propertyOrder" : 31500,
"required" : false,
"type" : "string"
},
"caseInsensitiveUrlComparison" : {
"title" : "URL Comparison Case Sensitivity Check",
"description" : "Enforces case insensitivity in both policy and not enforced url evaluation. (property name: com.sun.identity.agents.config.url.comparison.case.ignore) <br>Hot-swap: Yes",
"propertyOrder" : 32000,
"required" : false,
"type" : "boolean"
},
"anonymousUserId" : {
"title" : "Anonymous User Default Value",
"description" : "User id of unauthenticated users. (property name: com.sun.identity.agents.config.anonymous.user.id) <br>Hot-swap: Yes",
"propertyOrder" : 32700,
"required" : false,
"type" : "string"
},
"profileAttributesCookiePrefix" : {
"title" : "Profile Attributes Cookie Prefix",
"description" : "Sets cookie prefix in the attributes headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.prefix) <br>Hot-swap: Yes",
"propertyOrder" : 31800,
"required" : false,
"type" : "string"
},
"profileAttributesCookieMaxAge" : {
"title" : "Profile Attributes Cookie Maxage",
"description" : "Maxage of attributes cookie headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.maxage) <br>Hot-swap: Yes",
"propertyOrder" : 31900,
"required" : false,
"type" : "integer"
},
"ignoreServerCheck" : {
"title" : "Ignore Server Check",
"description" : "Agent uses this value to check that AM is up before doing a 302 redirect. (property name: com.sun.identity.agents.config.ignore.server.check) <br>Hot-swap: Yes",
"propertyOrder" : 32300,
"required" : false,
"type" : "boolean"
},
"ignorePreferredNamingUrl" : {
"title" : "Ignore Preferred Naming URL in Naming Request",
"description" : "When true, the agent does not send the preferred naming URL in the naming request. (property name: com.sun.identity.agents.config.ignore.preferred.naming.url) <br>Hot-swap: Yes",
"propertyOrder" : 32200,
"required" : false,
"type" : "boolean"
},
"encodeProfileAttributes" : {
"title" : "Native Encoding of Profile Attributes",
"description" : "When true, the agent encodes the LDAP header values in the default encoding of the OS locale. When false, UTF-8 is used. (property name: com.sun.identity.agents.config.convert.mbyte.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32500,
"required" : false,
"type" : "boolean"
},
"encodeUrlSpecialCharacters" : {
"title" : "Encode URL's Special Characters",
"description" : "Encodes URLs that contain special characters before policy evaluation. (property name: com.sun.identity.agents.config.encode.url.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32100,
"required" : false,
"type" : "boolean"
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Used only when CDSSO is enabled. Change the default value only when the login URL has a landing page specified. <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The agent uses this parameter to append the original request URL to the cdcservlet URL. The landing page consumes the parameter to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent:port/original.jsp",
"propertyOrder" : 32600,
"required" : false,
"type" : "string"
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "When true, the path info is stripped from the request URL before the Not Enforced List check and URL policy evaluation. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 32400,
"required" : false,
"type" : "boolean"
}
}
},
"ssoWebAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cookieResetList" : {
"title" : "Cookies Reset Name List",
"description" : "List of cookies in the format: name[=value][;Domain=value]. (property name: com.sun.identity.agents.config.cookie.reset) <br>Hot-swap: Yes <br> Examples: <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 29800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.sun.identity.agents.config.cookie.name)<br>Hot-swap: No",
"propertyOrder" : 29100,
"required" : false,
"type" : "string"
},
"secureCookies" : {
"title" : "Cookie Security",
"description" : "When true, the agent marks the cookies it sets with the Secure attribute, so browsers only send them over secure (HTTPS) connections. (property name: com.sun.identity.agents.config.cookie.secure) <br>Hot-swap: No",
"propertyOrder" : 29200,
"required" : false,
"type" : "boolean"
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 29500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 29300,
"required" : false,
"type" : "string"
},
"cdssoCookieDomain" : {
"title" : "Cookies Domain List",
"description" : "List of domains in which cookies have to be set in CDSSO. (property name: com.sun.identity.agents.config.cdsso.cookie.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 29600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross-Domain Single Sign On. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29400,
"required" : false,
"type" : "boolean"
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "When true, the agent resets the cookies in the Cookies Reset Name List in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29700,
"required" : false,
"type" : "boolean"
}
}
}
}
}
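Several settings in the web agent schema above (the Read operation below returns the same shape) decide how much the agent actually protects: the Secure flag on the SSO token cookie, SSO-only mode, the not enforced URL and IP lists and their inversion, client IP validation, and password forwarding. The following Python is added here as an example and is not code from AM or its agents. It assumes the configuration document is nested by section object exactly as the schema shows (for example `ssoWebAgentConfig.secureCookies`) and audits it for the settings a reviewer should question; the sample document at the bottom is constructed.

```python
"""Audit an AM web agent configuration document for risky settings.

Added example, not code from AM or its agents. It assumes the document is
nested by section object as the schema on this page shows
("globalWebAgentConfig", "applicationWebAgentConfig", "ssoWebAgentConfig",
"advancedWebAgentConfig", ...) with the camelCase property names listed there.
The sample document at the bottom is constructed for the demo.
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, property path, message)

GLOBAL, APP, SSO, ADV = ("globalWebAgentConfig", "applicationWebAgentConfig",
                         "ssoWebAgentConfig", "advancedWebAgentConfig")


def _get(doc: Dict[str, Any], section: str, prop: str, default: Any = None) -> Any:
    """Read section.prop, tolerating a missing section."""
    return (doc.get(section) or {}).get(prop, default)


def _broad_url_pattern(pattern: str) -> bool:
    """True when a not-enforced URL entry unprotects a whole host.

    A bare "*" or a pattern whose path is just "/*" (e.g. http://app/*) leaves
    nothing on that host enforced, unlike http://app/*.gif or http://app/pub/*.
    """
    p = pattern.strip()
    if p == "*":
        return True
    rest = p.split("://", 1)[1] if "://" in p else p
    slash = rest.find("/")
    path = rest[slash:] if slash >= 0 else ""
    return path == "/*"


def audit_agent_config(doc: Dict[str, Any]) -> List[Finding]:
    """Return (severity, path, message) findings for the configuration."""
    findings: List[Finding] = []

    # An SSO token cookie without the Secure flag is exposed on any plain-HTTP hop.
    if _get(doc, SSO, "secureCookies") is False:
        findings.append(("high", f"{SSO}.secureCookies",
                         "SSO token cookie is not marked Secure"))

    # SSO-only mode skips policy evaluation: any authenticated user is authorized.
    if _get(doc, GLOBAL, "ssoOnlyMode") is True:
        findings.append(("medium", f"{GLOBAL}.ssoOnlyMode",
                         "authorization policies are not evaluated (SSO only)"))

    urls = _get(doc, APP, "notEnforcedUrls", []) or []
    if _get(doc, APP, "invertNotEnforcedUrls") is True:
        # Inverted list: only the listed URLs are protected, everything else is open.
        sev = "high" if not urls else "info"
        msg = ("list is inverted but empty: nothing is enforced" if not urls
               else "list is inverted: only the listed URLs are enforced")
        findings.append((sev, f"{APP}.invertNotEnforcedUrls", msg))
    else:
        for i, pattern in enumerate(urls):
            if _broad_url_pattern(pattern):
                findings.append(("high", f"{APP}.notEnforcedUrls[{i}]",
                                 f"pattern {pattern!r} unprotects an entire host"))

    # Not-enforced client IPs bypass both authentication and authorization.
    for i, entry in enumerate(_get(doc, APP, "notEnforcedIps", []) or []):
        ip = entry.strip()
        if ip.startswith("*"):
            findings.append(("high", f"{APP}.notEnforcedIps[{i}]",
                             f"entry {ip!r} bypasses authentication for every client"))
        elif "*" in ip:
            findings.append(("info", f"{APP}.notEnforcedIps[{i}]",
                             f"entry {ip!r} is a wildcard range; confirm it is internal"))

    # When the client address is read from a request header, that header is
    # client-supplied unless the edge proxy overwrites it, so IP validation is
    # only as strong as the proxy configuration.
    ip_header = _get(doc, ADV, "clientIpHeader")
    if _get(doc, APP, "clientIpValidation") is True and ip_header:
        findings.append(("medium", f"{ADV}.clientIpHeader",
                         f"client IP is taken from header {ip_header!r}; "
                         "make sure the proxy overwrites it"))

    if _get(doc, ADV, "showPasswordInHeader") is True:
        findings.append(("medium", f"{ADV}.showPasswordInHeader",
                         "password is forwarded to the application in AUTH_PASSWORD"))

    if _get(doc, GLOBAL, "fqdnCheck") is False:
        findings.append(("info", f"{GLOBAL}.fqdnCheck",
                         "FQDN default/map checking is disabled"))

    return findings


SAMPLE_CONFIG: Dict[str, Any] = {  # constructed for the demo, not a real agent
    GLOBAL: {"status": "Active", "ssoOnlyMode": False, "fqdnCheck": True},
    APP: {
        "notEnforcedUrls": ["http://app.example.com/*.gif", "http://app.example.com/*"],
        "notEnforcedIps": ["192.18.145.*"],
        "invertNotEnforcedUrls": False,
        "clientIpValidation": True,
    },
    SSO: {"cookieName": "iPlanetDirectoryPro", "secureCookies": False},
    ADV: {"clientIpHeader": "X-Forwarded-For", "showPasswordInHeader": False},
}

if __name__ == "__main__":
    for severity, path, message in audit_agent_config(SAMPLE_CONFIG):
        print(f"{severity:6} {path}: {message}")
```

Feed the function the JSON body returned by the Read operation; the checks are deliberately conservative and only report what the schema descriptions themselves imply, so treat the output as a review checklist rather than a verdict.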
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedWebAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 35100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"overrideRequestHost" : {
"title" : "Override Request URL Host",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the host with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.host) <br>Hot-swap: Yes",
"propertyOrder" : 33200,
"required" : false,
"type" : "boolean"
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 32800,
"required" : false,
"type" : "string"
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 32900,
"required" : false,
"type" : "string"
},
"overrideRequestPort" : {
"title" : "Override Request URL Port",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the port with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.port) <br>Hot-swap: Yes",
"propertyOrder" : 33300,
"required" : false,
"type" : "boolean"
},
"authenticationType" : {
"title" : "Authentication Type",
"description" : "(property name: com.sun.identity.agents.config.iis.auth.type)",
"propertyOrder" : 33800,
"required" : false,
"type" : "string"
},
"overrideRequestProtocol" : {
"title" : "Override Request URL Protocol",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the protocol with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 33100,
"required" : false,
"type" : "boolean"
},
"changeProtocolToHttps" : {
"title" : "Change URL Protocol to https",
"description" : "If true, avoids IE6 security pop-ups. (property name: com.sun.identity.agents.config.iis.owa.enable.change.protocol)",
"propertyOrder" : 34200,
"required" : false,
"type" : "boolean"
},
"checkUserInDomino" : {
"title" : "Check User in Domino Database",
"description" : "If true, agent checks user existence in Domino name database. (property name: com.sun.identity.agents.config.domino.check.name.database)",
"propertyOrder" : 34600,
"required" : false,
"type" : "boolean"
},
"useLtpaToken" : {
"title" : "Use LTPA token",
"description" : "Set to true if agent needs to use LTPA Token. (property name: com.sun.identity.agents.config.domino.ltpa.enable)",
"propertyOrder" : 34700,
"required" : false,
"type" : "boolean"
},
"showPasswordInHeader" : {
"title" : "Show Password in HTTP Header",
"description" : "Set to true if encrypted password should be set in HTTP header AUTH_PASSWORD. (property name: com.sun.identity.agents.config.iis.password.header)",
"propertyOrder" : 34400,
"required" : false,
"type" : "boolean"
},
"overrideNotificationUrl" : {
"title" : "Override Notification URL",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the URL with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.notification.url) <br>Hot-swap: Yes",
"propertyOrder" : 33400,
"required" : false,
"type" : "boolean"
},
"filterPriority" : {
"title" : "Filter Priority",
"description" : "The loading priority of filter. (property name: com.sun.identity.agents.config.iis.filter.priority)",
"propertyOrder" : 34000,
"required" : false,
"type" : "string"
},
"ltpaTokenConfigurationname" : {
"title" : "LTPA Token Configuration Name",
"description" : "The configuration name that the agent uses in order to employ the LTPA token mechanism. (property name: com.sun.identity.agents.config.domino.ltpa.config.name)",
"propertyOrder" : 34900,
"required" : false,
"type" : "string"
},
"logonAndImpersonation" : {
"title" : "Logon and Impersonation",
"description" : "Set to true if agent should do Windows Logon and User Impersonation. (property name: com.sun.identity.agents.config.iis.logonuser)",
"propertyOrder" : 34500,
"required" : false,
"type" : "boolean"
},
"filterConfiguredWithOwa" : {
"title" : "Filter configured with OWA",
"description" : "Set to true if the IIS agent filter is configured for OWA. (property name: com.sun.identity.agents.config.iis.owa.enable)",
"propertyOrder" : 34100,
"required" : false,
"type" : "boolean"
},
"replayPasswordKey" : {
"title" : "Replay Password Key",
"description" : "DES key for decrypting the basic authentication password in the session. (property name: com.sun.identity.agents.config.replaypasswd.key)",
"propertyOrder" : 33900,
"required" : false,
"type" : "string"
},
"postDataCachePeriod" : {
"title" : "POST Data Entries Cache Period",
"description" : "POST cache entry lifetime in minutes. (property name: com.sun.identity.agents.config.postcache.entry.lifetime) <br>Hot-swap: Yes",
"propertyOrder" : 33600,
"required" : false,
"type" : "integer"
},
"overrideProxyHostAndPort" : {
"title" : "Override Proxy Server's Host and Port",
"description" : "(property name: com.sun.identity.agents.config.proxy.override.host.port) <br>Hot-swap: No",
"propertyOrder" : 33700,
"required" : false,
"type" : "boolean"
},
"ltpaTokenOrganizationName" : {
"title" : "LTPA Token Organization Name",
"description" : "The organization name to which the LTPA token belongs. (property name: com.sun.identity.agents.config.domino.ltpa.org.name)",
"propertyOrder" : 35000,
"required" : false,
"type" : "string"
},
"ltpaTokenCookieName" : {
"title" : "LTPA Token Cookie Name",
"description" : "The name of the cookie that contains the LTPA token. (property name: com.sun.identity.agents.config.domino.ltpa.cookie.name)",
"propertyOrder" : 34800,
"required" : false,
"type" : "string"
},
"idleSessionTimeoutUrl" : {
"title" : "Idle Session Timeout Page URL",
"description" : "URL of the local idle session timeout page. (property name: com.sun.identity.agents.config.iis.owa.enable.session.timeout.url)",
"propertyOrder" : 34300,
"required" : false,
"type" : "string"
},
"loadBalanced" : {
"title" : "Load Balancer Setup",
"description" : "Set to true if a load balancer is used for AM services. (property name: com.sun.identity.agents.config.load.balancer.enable) <br>Hot-swap: No",
"propertyOrder" : 33000,
"required" : false,
"type" : "boolean"
},
"postDataPreservation" : {
"title" : "POST Data Preservation",
"description" : "Enables POST data preservation. (property name: com.sun.identity.agents.config.postdata.preserve.enable) <br> Note that this feature is not supported in all the web agents. Please refer individual agents documentation for more details. <br>Hot-swap: Yes",
"propertyOrder" : 33500,
"required" : false,
"type" : "boolean"
}
}
},
"globalWebAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 25100,
"required" : true,
"type" : "string"
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 25400,
"required" : false,
"type" : "integer"
},
"ssoOnlyMode" : {
"title" : "SSO Only Mode",
"description" : "When true, the agent enforces authentication (SSO) only and does not evaluate authorization policies. (property name: com.sun.identity.agents.config.sso.only) <br>Hot-swap: Yes",
"propertyOrder" : 26200,
"required" : false,
"type" : "boolean"
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 27400,
"required" : false,
"type" : "string"
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 25500,
"required" : false,
"type" : "string"
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27300,
"required" : false,
"type" : "boolean"
},
"remoteLogSendInterval" : {
"title" : "Remote Audit Log Interval",
"description" : "Periodic interval in minutes in which audit log messages are sent to remote log file. (property name: com.sun.identity.agents.config.remote.log.interval) <br>Hot-swap: No",
"propertyOrder" : 27000,
"required" : false,
"type" : "integer"
},
"configurationPollingInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in minutes to fetch agent configuration from AM. (property name: com.sun.identity.agents.config.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 25900,
"required" : false,
"type" : "integer"
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit in bytes when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 27200,
"required" : false,
"type" : "integer"
},
"agentUriPrefix" : {
"title" : "Agent Deployment URI Prefix",
"description" : "(property name: com.sun.identity.agents.config.agenturi.prefix)<br>Hot-swap: Yes",
"propertyOrder" : 25800,
"required" : false,
"type" : "string"
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 26700,
"required" : false,
"type" : "string"
},
"debugRotationSize" : {
"title" : "Agent Debug File Size",
"description" : "Agent debug file size in bytes. (property name: com.sun.identity.agents.config.debug.file.size) <br>Hot-swap: Yes",
"propertyOrder" : 26600,
"required" : false,
"type" : "integer"
},
"remoteLogFilename" : {
"title" : "Remote Log Filename",
"description" : "(Not used in Agent 5 onwards) <br>Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: No",
"propertyOrder" : 26900,
"required" : false,
"type" : "string"
},
"configurationCleanupInterval" : {
"title" : "Configuration Cleanup Interval",
"description" : "Interval in minutes to cleanup old agent configuration entries. (property name: com.sun.identity.agents.config.cleanup.interval) <br>Hot-swap: No",
"propertyOrder" : 26000,
"required" : false,
"type" : "integer"
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 26100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notificationsEnabled" : {
"title" : "Enable Notifications",
"description" : "When true, the agent receives notifications from AM that keep its SSO, policy and configuration caches current. (property name: com.sun.identity.agents.config.notification.enable) <br>Hot-swap: No",
"propertyOrder" : 25600,
"required" : false,
"type" : "boolean"
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "(Not used in Agent 5 onwards) <br>URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 25700,
"required" : false,
"type" : "string"
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 27500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"debugLogRotation" : {
"title" : "Agent Debug File Rotation",
"description" : "Debug file gets rotated based on the size specified. (property name: com.sun.identity.agents.config.debug.file.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 26500,
"required" : false,
"type" : "boolean"
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 25300,
"required" : false,
"type" : "boolean"
},
"accessDeniedUrl" : {
"title" : "Resources Access Denied URL",
"description" : "The URL of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.url) <br>Hot-swap: Yes",
"propertyOrder" : 26300,
"required" : false,
"type" : "string"
},
"agentDebugLevel" : {
"title" : "Agent Debug Level",
"description" : "Agent debug level. (property name: com.sun.identity.agents.config.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 26400,
"required" : false,
"type" : "string"
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 27100,
"required" : false,
"type" : "boolean"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 26800,
"required" : false,
"type" : "string"
}
}
},
"amServicesWebAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"primaryServerPollingPeriod" : {
"title" : "Polling Period for Primary Server",
"description" : "Interval in minutes at which the agent polls to check that the primary server is up and running. (property name: com.sun.identity.agents.config.poll.primary.server) <br>Hot-swap: No",
"propertyOrder" : 30100,
"required" : false,
"type" : "integer"
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Name of the application (policy set) whose policies the agent evaluates against. (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 31400,
"required" : false,
"type" : "string"
},
"retrieveClientHostname" : {
"title" : "Retrieve Client Hostname",
"description" : "Gets the client's hostname through DNS reverse lookup for use in policy evaluation. (property name: com.sun.identity.agents.config.get.client.host.name) <br>Hot-swap: Yes",
"propertyOrder" : 31100,
"required" : false,
"type" : "boolean"
},
"ssoCachePollingInterval" : {
"title" : "SSO Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's sso cache. (property name: com.sun.identity.agents.config.sso.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30700,
"required" : false,
"type" : "integer"
},
"userIdParameter" : {
"title" : "User ID Parameter",
"description" : "Name of the attribute whose value the agent sets as the REMOTE_USER server variable. (property name: com.sun.identity.agents.config.userid.param) <br>Hot-swap: Yes",
"propertyOrder" : 30800,
"required" : false,
"type" : "string"
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 30200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClockSkew" : {
"title" : "Policy Clock Skew",
"description" : "Time in seconds used to adjust for the time difference between the agent machine and AM. Clock skew in seconds = AgentTime - AMServerTime. (property name: com.sun.identity.agents.config.policy.clock.skew) <br>Hot-swap: No",
"propertyOrder" : 31200,
"required" : false,
"type" : "integer"
},
"logoutResetCookies" : {
"title" : "Logout Cookies List for Reset",
"description" : "Cookies to be reset upon logout, in the same format as the Cookies Reset Name List. (property name: com.sun.identity.agents.config.logout.cookie.reset) <br>Hot-swap: Yes <br> Examples: <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 30400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"fetchPoliciesFromRootResource" : {
"title" : "Fetch Policies from Root Resource",
"description" : "Agent caches policy decision of the resource and all resources from the root of the resource down. (property name: com.sun.identity.agents.config.fetch.from.root.resource) <br>Hot-swap: No",
"propertyOrder" : 31000,
"required" : false,
"type" : "boolean"
},
"logoutRedirectUrl" : {
"title" : "Logout Redirect URL",
"description" : "User gets redirected to this url after logout. (property name: com.sun.identity.agents.config.logout.redirect.url). This property should be specified along with the above Logout URL List.<br>Hot-swap: Yes",
"propertyOrder" : 30500,
"required" : false,
"type" : "string"
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Realm in which policy evaluation starts. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 31300,
"required" : false,
"type" : "string"
},
"agentConnectionTimeout" : {
"title" : "Agent Connection Timeout",
"description" : "Timeout period in seconds for an agent connection with AM auth server. (property name: com.sun.identity.agents.config.auth.connection.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 30000,
"required" : false,
"type" : "integer"
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 29900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userIdParameterType" : {
"title" : "User ID Parameter Type",
"description" : "Whether the User ID is fetched from SESSION or from LDAP attributes. (property name: com.sun.identity.agents.config.userid.param.type) <br>Hot-swap: Yes",
"propertyOrder" : 30900,
"required" : false,
"type" : "string"
},
"policyCachePollingInterval" : {
"title" : "Policy Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's policy cache. (property name: com.sun.identity.agents.config.policy.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30600,
"required" : false,
"type" : "integer"
},
"applicationLogoutUrls" : {
"title" : "Logout URL List",
"description" : "List of application logout URLs. The user is logged out of the AM session when one of these URLs is accessed. (property name: com.sun.identity.agents.config.agent.logout.url). If this property is used, also specify a value for the Logout Redirect URL property below.<br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/logout.html",
"propertyOrder" : 30300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"applicationWebAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 28000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 28900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"profileAttributeMap" : {
"title" : "Profile Attribute Map",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 28300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28200,
"required" : false,
"type" : "string"
},
"fetchAttributesForNotEnforcedUrls" : {
"title" : "Fetch Attributes for Not Enforced URLs",
"description" : "Agent fetches profile attributes for not enforced urls by doing policy evaluation. (property name: com.sun.identity.agents.config.notenforced.url.attributes.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27900,
"required" : false,
"type" : "boolean"
},
"ignorePathInfoForNotEnforcedUrls" : {
"title" : "Ignore Path Info for Not Enforced URLs",
"description" : "Indicate whether the path info and query should be stripped from the request URL before being compared with the URLs of the not enforced list when those URLs have a wildcard '*' character. (property name: com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list) <br>Hot-swap: Yes",
"propertyOrder" : 27600,
"required" : false,
"type" : "boolean"
},
"attributeMultiValueSeparator" : {
"title" : "Attribute Multi Value Separator",
"description" : "Specifies separator for multiple values. Applies to all types of attributes i.e. profile, session and response attributes. (property name: com.sun.identity.agents.config.attribute.multi.value.separator) <br>Hot-swap: Yes",
"propertyOrder" : 28800,
"required" : false,
"type" : "string"
},
"notEnforcedUrls" : {
"title" : "Not Enforced URLs",
"description" : "List of URLs for which no authentication is required. (property name: com.sun.identity.agents.config.notenforced.url) <br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/*.gif",
"propertyOrder" : 27700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28600,
"required" : false,
"type" : "string"
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The names of the headers in the user's original request that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name under which it will appear in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 29000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"sessionAttributeMap" : {
"title" : "Session Attribute Map",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 28700,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"clientIpValidation" : {
"title" : "Client IP Validation",
"description" : "When true, the agent checks that subsequent browser requests come from the same IP address the SSO token was originally issued to. (property name: com.sun.identity.agents.config.client.ip.validation.enable) <br>Hot-swap: Yes",
"propertyOrder" : 28100,
"required" : false,
"type" : "boolean"
},
"invertNotEnforcedUrls" : {
"title" : "Invert Not Enforced URLs",
"description" : "When true, the not enforced list is inverted: only the URLs in the list are enforced, and all other URLs are not enforced. (property name: com.sun.identity.agents.config.notenforced.url.invert) <br>Hot-swap: Yes",
"propertyOrder" : 27800,
"required" : false,
"type" : "boolean"
},
"responseAttributeMap" : {
"title" : "Response Attribute Map",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 28500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28400,
"required" : false,
"type" : "string"
}
}
},
"miscWebAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"anonymousUserEnabled" : {
"title" : "Anonymous User",
"description" : "Enable/Disable REMOTE_USER processing for anonymous users. (property name: com.sun.identity.agents.config.anonymous.user.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31600,
"required" : false,
"type" : "boolean"
},
"encodeSpecialCharsInCookies" : {
"title" : "Encode special chars in Cookies",
"description" : "Encode special chars in cookie by URL encoding. Useful when profile, session and response attributes contain special chars and attributes fetch mode is set to HTTP_COOKIE. (property name: com.sun.identity.agents.config.encode.cookie.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31700,
"required" : false,
"type" : "boolean"
},
"agentLocale" : {
"title" : "Agent Locale",
"description" : "The default locale for the product. (property name: com.sun.identity.agents.config.locale) <br>Hot-swap: No",
"propertyOrder" : 31500,
"required" : false,
"type" : "string"
},
"caseInsensitiveUrlComparison" : {
"title" : "URL Comparison Case Sensitivity Check",
"description" : "Enforces case insensitivity in both policy and not enforced url evaluation. (property name: com.sun.identity.agents.config.url.comparison.case.ignore) <br>Hot-swap: Yes",
"propertyOrder" : 32000,
"required" : false,
"type" : "boolean"
},
"anonymousUserId" : {
"title" : "Anonymous User Default Value",
"description" : "User id of unauthenticated users. (property name: com.sun.identity.agents.config.anonymous.user.id) <br>Hot-swap: Yes",
"propertyOrder" : 32700,
"required" : false,
"type" : "string"
},
"profileAttributesCookiePrefix" : {
"title" : "Profile Attributes Cookie Prefix",
"description" : "Sets cookie prefix in the attributes headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.prefix) <br>Hot-swap: Yes",
"propertyOrder" : 31800,
"required" : false,
"type" : "string"
},
"profileAttributesCookieMaxAge" : {
"title" : "Profile Attributes Cookie Maxage",
"description" : "Maxage of attributes cookie headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.maxage) <br>Hot-swap: Yes",
"propertyOrder" : 31900,
"required" : false,
"type" : "integer"
},
"ignoreServerCheck" : {
"title" : "Ignore Server Check",
"description" : "Agent uses this value to check AM is up before doing a 302 redirect. (property name: com.sun.identity.agents.config.ignore.server.check) <br>Hot-swap: Yes",
"propertyOrder" : 32300,
"required" : false,
"type" : "boolean"
},
"ignorePreferredNamingUrl" : {
"title" : "Ignore Preferred Naming URL in Naming Request",
"description" : "Agent uses this value to send preferred naming url in the naming request. (property name: com.sun.identity.agents.config.ignore.preferred.naming.url) <br>Hot-swap: Yes",
"propertyOrder" : 32200,
"required" : false,
"type" : "boolean"
},
"encodeProfileAttributes" : {
"title" : "Native Encoding of Profile Attributes",
"description" : "Agent encodes the ldap header values in the default encoding of OS locale. If false, UTF-8 gets used. (property name: com.sun.identity.agents.config.convert.mbyte.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32500,
"required" : false,
"type" : "boolean"
},
"encodeUrlSpecialCharacters" : {
"title" : "Encode URL's Special Characters",
"description" : "Encodes the url which has special characters before doing policy evaluation. (property name: com.sun.identity.agents.config.encode.url.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32100,
"required" : false,
"type" : "boolean"
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. The default value should be changed only when the login URL has a landing page specified. <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcservlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent:port/original.jsp",
"propertyOrder" : 32600,
"required" : false,
"type" : "string"
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 32400,
"required" : false,
"type" : "boolean"
}
}
},
"ssoWebAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cookieResetList" : {
"title" : "Cookies Reset Name List",
"description" : "List of cookies in the format: name[=value][;Domain=value]. (property name: com.sun.identity.agents.config.cookie.reset) <br>Hot-swap: Yes <br> Examples: <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 29800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.sun.identity.agents.config.cookie.name)<br>Hot-swap: No",
"propertyOrder" : 29100,
"required" : false,
"type" : "string"
},
"secureCookies" : {
"title" : "Cookie Security",
"description" : "Agent sends secure cookies if communication is secure. (property name: com.sun.identity.agents.config.cookie.secure) <br>Hot-swap: No",
"propertyOrder" : 29200,
"required" : false,
"type" : "boolean"
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 29500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 29300,
"required" : false,
"type" : "string"
},
"cdssoCookieDomain" : {
"title" : "Cookies Domain List",
"description" : "List of domains in which cookies have to be set in CDSSO. (property name: com.sun.identity.agents.config.cdsso.cookie.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 29600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross-Domain Single Sign On. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29400,
"required" : false,
"type" : "boolean"
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29700,
"required" : false,
"type" : "boolean"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedWebAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 35100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"overrideRequestHost" : {
"title" : "Override Request URL Host",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the host with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.host) <br>Hot-swap: Yes",
"propertyOrder" : 33200,
"required" : false,
"type" : "boolean"
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 32800,
"required" : false,
"type" : "string"
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 32900,
"required" : false,
"type" : "string"
},
"overrideRequestPort" : {
"title" : "Override Request URL Port",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the port with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.port) <br>Hot-swap: Yes",
"propertyOrder" : 33300,
"required" : false,
"type" : "boolean"
},
"authenticationType" : {
"title" : "Authentication Type",
"description" : "(property name: com.sun.identity.agents.config.iis.auth.type)",
"propertyOrder" : 33800,
"required" : false,
"type" : "string"
},
"overrideRequestProtocol" : {
"title" : "Override Request URL Protocol",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the protocol with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 33100,
"required" : false,
"type" : "boolean"
},
"changeProtocolToHttps" : {
"title" : "Change URL Protocol to https",
"description" : "If true, avoids IE6 security pop-ups. (property name: com.sun.identity.agents.config.iis.owa.enable.change.protocol)",
"propertyOrder" : 34200,
"required" : false,
"type" : "boolean"
},
"checkUserInDomino" : {
"title" : "Check User in Domino Database",
"description" : "If true, agent checks user existence in Domino name database. (property name: com.sun.identity.agents.config.domino.check.name.database)",
"propertyOrder" : 34600,
"required" : false,
"type" : "boolean"
},
"useLtpaToken" : {
"title" : "Use LTPA token",
"description" : "Set to true if agent needs to use LTPA Token. (property name: com.sun.identity.agents.config.domino.ltpa.enable)",
"propertyOrder" : 34700,
"required" : false,
"type" : "boolean"
},
"showPasswordInHeader" : {
"title" : "Show Password in HTTP Header",
"description" : "Set to true if encrypted password should be set in HTTP header AUTH_PASSWORD. (property name: com.sun.identity.agents.config.iis.password.header)",
"propertyOrder" : 34400,
"required" : false,
"type" : "boolean"
},
"overrideNotificationUrl" : {
"title" : "Override Notification URL",
"description" : "Set to true if the agent is sitting behind an SSL/TLS off-loader, load balancer, or proxy to override the URL with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.notification.url) <br>Hot-swap: Yes",
"propertyOrder" : 33400,
"required" : false,
"type" : "boolean"
},
"filterPriority" : {
"title" : "Filter Priority",
"description" : "The loading priority of filter. (property name: com.sun.identity.agents.config.iis.filter.priority)",
"propertyOrder" : 34000,
"required" : false,
"type" : "string"
},
"ltpaTokenConfigurationname" : {
"title" : "LTPA Token Configuration Name",
"description" : "The configuration name that the agent uses in order to employ the LTPA token mechanism. (property name: com.sun.identity.agents.config.domino.ltpa.config.name)",
"propertyOrder" : 34900,
"required" : false,
"type" : "string"
},
"logonAndImpersonation" : {
"title" : "Logon and Impersonation",
"description" : "Set to true if agent should do Windows Logon and User Impersonation. (property name: com.sun.identity.agents.config.iis.logonuser)",
"propertyOrder" : 34500,
"required" : false,
"type" : "boolean"
},
"filterConfiguredWithOwa" : {
"title" : "Filter configured with OWA",
"description" : "Set to true if the IIS agent filter is configured for OWA. (property name: com.sun.identity.agents.config.iis.owa.enable)",
"propertyOrder" : 34100,
"required" : false,
"type" : "boolean"
},
"replayPasswordKey" : {
"title" : "Replay Password Key",
"description" : "DES key for decrypting the basic authentication password in the session. (property name: com.sun.identity.agents.config.replaypasswd.key)",
"propertyOrder" : 33900,
"required" : false,
"type" : "string"
},
"postDataCachePeriod" : {
"title" : "POST Data Entries Cache Period",
"description" : "POST cache entry lifetime in minutes. (property name: com.sun.identity.agents.config.postcache.entry.lifetime) <br>Hot-swap: Yes",
"propertyOrder" : 33600,
"required" : false,
"type" : "integer"
},
"overrideProxyHostAndPort" : {
"title" : "Override Proxy Server's Host and Port",
"description" : "(property name: com.sun.identity.agents.config.proxy.override.host.port) <br>Hot-swap: No",
"propertyOrder" : 33700,
"required" : false,
"type" : "boolean"
},
"ltpaTokenOrganizationName" : {
"title" : "LTPA Token Organization Name",
"description" : "The organization name to which the LTPA token belongs. (property name: com.sun.identity.agents.config.domino.ltpa.org.name)",
"propertyOrder" : 35000,
"required" : false,
"type" : "string"
},
"ltpaTokenCookieName" : {
"title" : "LTPA Token Cookie Name",
"description" : "The name of the cookie that contains the LTPA token. (property name: com.sun.identity.agents.config.domino.ltpa.cookie.name)",
"propertyOrder" : 34800,
"required" : false,
"type" : "string"
},
"idleSessionTimeoutUrl" : {
"title" : "Idle Session Timeout Page URL",
"description" : "URL of the local idle session timeout page. (property name: com.sun.identity.agents.config.iis.owa.enable.session.timeout.url)",
"propertyOrder" : 34300,
"required" : false,
"type" : "string"
},
"loadBalanced" : {
"title" : "Load Balancer Setup",
"description" : "Set to true if a load balancer is used for AM services. (property name: com.sun.identity.agents.config.load.balancer.enable) <br>Hot-swap: No",
"propertyOrder" : 33000,
"required" : false,
"type" : "boolean"
},
"postDataPreservation" : {
"title" : "POST Data Preservation",
"description" : "Enables POST data preservation. (property name: com.sun.identity.agents.config.postdata.preserve.enable) <br> Note that this feature is not supported in all the web agents. Please refer to the individual agent's documentation for more details. <br>Hot-swap: Yes",
"propertyOrder" : 33500,
"required" : false,
"type" : "boolean"
}
}
},
"globalWebAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 25100,
"required" : true,
"type" : "string"
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 25400,
"required" : false,
"type" : "integer"
},
"ssoOnlyMode" : {
"title" : "SSO Only Mode",
"description" : "Agent will just enforce authentication (SSO), but no authorization for policies. (property name: com.sun.identity.agents.config.sso.only) <br>Hot-swap: Yes",
"propertyOrder" : 26200,
"required" : false,
"type" : "boolean"
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 27400,
"required" : false,
"type" : "string"
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 25500,
"required" : false,
"type" : "string"
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27300,
"required" : false,
"type" : "boolean"
},
"remoteLogSendInterval" : {
"title" : "Remote Audit Log Interval",
"description" : "Periodic interval in minutes in which audit log messages are sent to remote log file. (property name: com.sun.identity.agents.config.remote.log.interval) <br>Hot-swap: No",
"propertyOrder" : 27000,
"required" : false,
"type" : "integer"
},
"configurationPollingInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in minutes to fetch agent configuration from AM. (property name: com.sun.identity.agents.config.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 25900,
"required" : false,
"type" : "integer"
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit in bytes when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 27200,
"required" : false,
"type" : "integer"
},
"agentUriPrefix" : {
"title" : "Agent Deployment URI Prefix",
"description" : "(property name: com.sun.identity.agents.config.agenturi.prefix)<br>Hot-swap: Yes",
"propertyOrder" : 25800,
"required" : false,
"type" : "string"
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 26700,
"required" : false,
"type" : "string"
},
"debugRotationSize" : {
"title" : "Agent Debug File Size",
"description" : "Agent debug file size in bytes. (property name: com.sun.identity.agents.config.debug.file.size) <br>Hot-swap: Yes",
"propertyOrder" : 26600,
"required" : false,
"type" : "integer"
},
"remoteLogFilename" : {
"title" : "Remote Log Filename",
"description" : "(Not used in Agent 5 onwards) <br>Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: No",
"propertyOrder" : 26900,
"required" : false,
"type" : "string"
},
"configurationCleanupInterval" : {
"title" : "Configuration Cleanup Interval",
"description" : "Interval in minutes to cleanup old agent configuration entries. (property name: com.sun.identity.agents.config.cleanup.interval) <br>Hot-swap: No",
"propertyOrder" : 26000,
"required" : false,
"type" : "integer"
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 26100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notificationsEnabled" : {
"title" : "Enable Notifications",
"description" : "The notifications help in maintaining agent's sso, policy and configuration caches. (property name: com.sun.identity.agents.config.notification.enable) <br>Hot-swap: No",
"propertyOrder" : 25600,
"required" : false,
"type" : "boolean"
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "(Not used in Agent 5 onwards) <br>URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 25700,
"required" : false,
"type" : "string"
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 27500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"debugLogRotation" : {
"title" : "Agent Debug File Rotation",
"description" : "Debug file gets rotated based on the size specified. (property name: com.sun.identity.agents.config.debug.file.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 26500,
"required" : false,
"type" : "boolean"
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 25300,
"required" : false,
"type" : "boolean"
},
"accessDeniedUrl" : {
"title" : "Resources Access Denied URL",
"description" : "The URL of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.url) <br>Hot-swap: Yes",
"propertyOrder" : 26300,
"required" : false,
"type" : "string"
},
"agentDebugLevel" : {
"title" : "Agent Debug Level",
"description" : "Agent debug level. (property name: com.sun.identity.agents.config.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 26400,
"required" : false,
"type" : "string"
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 27100,
"required" : false,
"type" : "boolean"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 26800,
"required" : false,
"type" : "string"
}
}
},
"amServicesWebAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"primaryServerPollingPeriod" : {
"title" : "Polling Period for Primary Server",
"description" : "Interval in minutes at which the agent polls to check that the primary server is up and running. (property name: com.sun.identity.agents.config.poll.primary.server) <br>Hot-swap: No",
"propertyOrder" : 30100,
"required" : false,
"type" : "integer"
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 31400,
"required" : false,
"type" : "string"
},
"retrieveClientHostname" : {
"title" : "Retrieve Client Hostname",
"description" : "Gets the client's hostname through DNS reverse lookup for use in policy evaluation. (property name: com.sun.identity.agents.config.get.client.host.name) <br>Hot-swap: Yes",
"propertyOrder" : 31100,
"required" : false,
"type" : "boolean"
},
"ssoCachePollingInterval" : {
"title" : "SSO Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's sso cache. (property name: com.sun.identity.agents.config.sso.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30700,
"required" : false,
"type" : "integer"
},
"userIdParameter" : {
"title" : "User ID Parameter",
"description" : "Agent sets value of User Id to REMOTE_USER server variable. (property name: com.sun.identity.agents.config.userid.param) <br>Hot-swap: Yes",
"propertyOrder" : 30800,
"required" : false,
"type" : "string"
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 30200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClockSkew" : {
"title" : "Policy Clock Skew",
"description" : "Time in seconds used to adjust the time difference between the Agent machine and AM. Clock skew in seconds = AgentTime - AMServerTime. (property name: com.sun.identity.agents.config.policy.clock.skew) <br>Hot-swap: No",
"propertyOrder" : 31200,
"required" : false,
"type" : "integer"
},
"logoutResetCookies" : {
"title" : "Logout Cookies List for Reset",
"description" : "Any cookies to be reset upon logout in the same format as cookie reset list. (property name: com.sun.identity.agents.config.logout.cookie.reset) <br>Hot-swap: Yes <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 30400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"fetchPoliciesFromRootResource" : {
"title" : "Fetch Policies from Root Resource",
"description" : "Agent caches policy decision of the resource and all resources from the root of the resource down. (property name: com.sun.identity.agents.config.fetch.from.root.resource) <br>Hot-swap: No",
"propertyOrder" : 31000,
"required" : false,
"type" : "boolean"
},
"logoutRedirectUrl" : {
"title" : "Logout Redirect URL",
"description" : "User gets redirected to this url after logout. (property name: com.sun.identity.agents.config.logout.redirect.url). This property should be specified along with the above Logout URL List.<br>Hot-swap: Yes",
"propertyOrder" : 30500,
"required" : false,
"type" : "string"
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 31300,
"required" : false,
"type" : "string"
},
"agentConnectionTimeout" : {
"title" : "Agent Connection Timeout",
"description" : "Timeout period in seconds for an agent connection with AM auth server. (property name: com.sun.identity.agents.config.auth.connection.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 30000,
"required" : false,
"type" : "integer"
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 29900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userIdParameterType" : {
"title" : "User ID Parameter Type",
"description" : "User ID can be fetched from either SESSION or LDAP attributes. (property name: com.sun.identity.agents.config.userid.param.type) <br>Hot-swap: Yes",
"propertyOrder" : 30900,
"required" : false,
"type" : "string"
},
"policyCachePollingInterval" : {
"title" : "Policy Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's policy cache. (property name: com.sun.identity.agents.config.policy.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30600,
"required" : false,
"type" : "integer"
},
"applicationLogoutUrls" : {
"title" : "Logout URL List",
"description" : "List of application logout URLs. User gets logged out from the AM session when these URLs are accessed. (property name: com.sun.identity.agents.config.agent.logout.url). If this property is used, user should specify a value for the below Logout Redirect URL property.<br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/logout.html",
"propertyOrder" : 30300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"applicationWebAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication and authorization are required for the requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 28000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 28900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"profileAttributeMap" : {
"title" : "Profile Attribute Map",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 28300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28200,
"required" : false,
"type" : "string"
},
"fetchAttributesForNotEnforcedUrls" : {
"title" : "Fetch Attributes for Not Enforced URLs",
"description" : "Agent fetches profile attributes for not enforced urls by doing policy evaluation. (property name: com.sun.identity.agents.config.notenforced.url.attributes.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27900,
"required" : false,
"type" : "boolean"
},
"ignorePathInfoForNotEnforcedUrls" : {
"title" : "Ignore Path Info for Not Enforced URLs",
"description" : "Indicate whether the path info and query should be stripped from the request URL before being compared with the URLs of the not enforced list when those URLs have a wildcard '*' character. (property name: com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list) <br>Hot-swap: Yes",
"propertyOrder" : 27600,
"required" : false,
"type" : "boolean"
},
"attributeMultiValueSeparator" : {
"title" : "Attribute Multi Value Separator",
"description" : "Specifies separator for multiple values. Applies to all types of attributes i.e. profile, session and response attributes. (property name: com.sun.identity.agents.config.attribute.multi.value.separator) <br>Hot-swap: Yes",
"propertyOrder" : 28800,
"required" : false,
"type" : "string"
},
"notEnforcedUrls" : {
"title" : "Not Enforced URLs",
"description" : "List of urls for which no authentication is required. (property name: com.sun.identity.agents.config.notenforced.url) <br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/*.gif",
"propertyOrder" : 27700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28600,
"required" : false,
"type" : "string"
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The name of the headers in the user's original request that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 29000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"sessionAttributeMap" : {
"title" : "Session Attribute Map",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 28700,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"clientIpValidation" : {
"title" : "Client IP Validation",
"description" : "This validates if the subsequent browser requests come from the same ip address that the SSO token is initially issued against. (property name: com.sun.identity.agents.config.client.ip.validation.enable) <br>Hot-swap: Yes",
"propertyOrder" : 28100,
"required" : false,
"type" : "boolean"
},
"invertNotEnforcedUrls" : {
"title" : "Invert Not Enforced URLs",
"description" : "Only not enforced list of urls will be enforced. (property name: com.sun.identity.agents.config.notenforced.url.invert) <br>Hot-swap: Yes",
"propertyOrder" : 27800,
"required" : false,
"type" : "boolean"
},
"responseAttributeMap" : {
"title" : "Response Attribute Map",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 28500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28400,
"required" : false,
"type" : "string"
}
}
},
"miscWebAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"anonymousUserEnabled" : {
"title" : "Anonymous User",
"description" : "Enable/Disable REMOTE_USER processing for anonymous users. (property name: com.sun.identity.agents.config.anonymous.user.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31600,
"required" : false,
"type" : "boolean"
},
"encodeSpecialCharsInCookies" : {
"title" : "Encode special chars in Cookies",
"description" : "Encode special chars in cookie by URL encoding. Useful when profile, session and response attributes contain special chars and attributes fetch mode is set to HTTP_COOKIE. (property name: com.sun.identity.agents.config.encode.cookie.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31700,
"required" : false,
"type" : "boolean"
},
"agentLocale" : {
"title" : "Agent Locale",
"description" : "The default locale for the product. (property name: com.sun.identity.agents.config.locale) <br>Hot-swap: No",
"propertyOrder" : 31500,
"required" : false,
"type" : "string"
},
"caseInsensitiveUrlComparison" : {
"title" : "URL Comparison Case Sensitivity Check",
"description" : "Enforces case insensitivity in both policy and not enforced url evaluation. (property name: com.sun.identity.agents.config.url.comparison.case.ignore) <br>Hot-swap: Yes",
"propertyOrder" : 32000,
"required" : false,
"type" : "boolean"
},
"anonymousUserId" : {
"title" : "Anonymous User Default Value",
"description" : "User id of unauthenticated users. (property name: com.sun.identity.agents.config.anonymous.user.id) <br>Hot-swap: Yes",
"propertyOrder" : 32700,
"required" : false,
"type" : "string"
},
"profileAttributesCookiePrefix" : {
"title" : "Profile Attributes Cookie Prefix",
"description" : "Sets cookie prefix in the attributes headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.prefix) <br>Hot-swap: Yes",
"propertyOrder" : 31800,
"required" : false,
"type" : "string"
},
"profileAttributesCookieMaxAge" : {
"title" : "Profile Attributes Cookie Maxage",
"description" : "Maxage of attributes cookie headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.maxage) <br>Hot-swap: Yes",
"propertyOrder" : 31900,
"required" : false,
"type" : "integer"
},
"ignoreServerCheck" : {
"title" : "Ignore Server Check",
"description" : "Agent uses this value to check AM is up before doing a 302 redirect. (property name: com.sun.identity.agents.config.ignore.server.check) <br>Hot-swap: Yes",
"propertyOrder" : 32300,
"required" : false,
"type" : "boolean"
},
"ignorePreferredNamingUrl" : {
"title" : "Ignore Preferred Naming URL in Naming Request",
"description" : "Agent uses this value to send preferred naming url in the naming request. (property name: com.sun.identity.agents.config.ignore.preferred.naming.url) <br>Hot-swap: Yes",
"propertyOrder" : 32200,
"required" : false,
"type" : "boolean"
},
"encodeProfileAttributes" : {
"title" : "Native Encoding of Profile Attributes",
"description" : "Agent encodes the ldap header values in the default encoding of OS locale. If false, UTF-8 gets used. (property name: com.sun.identity.agents.config.convert.mbyte.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32500,
"required" : false,
"type" : "boolean"
},
"encodeUrlSpecialCharacters" : {
"title" : "Encode URL's Special Characters",
"description" : "Encodes the url which has special characters before doing policy evaluation. (property name: com.sun.identity.agents.config.encode.url.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32100,
"required" : false,
"type" : "boolean"
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. Default value should be changed only when the login URL has a landing page specified <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcservlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent.port/original.jsp",
"propertyOrder" : 32600,
"required" : false,
"type" : "string"
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 32400,
"required" : false,
"type" : "boolean"
}
}
},
"ssoWebAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cookieResetList" : {
"title" : "Cookies Reset Name List",
"description" : "List of cookies in the format: name[=value][;Domain=value]. (property name: com.sun.identity.agents.config.cookie.reset) <br>Hot-swap: Yes <br> Examples: <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 29800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.sun.identity.agents.config.cookie.name)<br>Hot-swap: No",
"propertyOrder" : 29100,
"required" : false,
"type" : "string"
},
"secureCookies" : {
"title" : "Cookie Security",
"description" : "Agent sends secure cookies if communication is secure. (property name: com.sun.identity.agents.config.cookie.secure) <br>Hot-swap: No",
"propertyOrder" : 29200,
"required" : false,
"type" : "boolean"
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 29500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 29300,
"required" : false,
"type" : "string"
},
"cdssoCookieDomain" : {
"title" : "Cookies Domain List",
"description" : "List of domains in which cookies have to be set in CDSSO. (property name: com.sun.identity.agents.config.cdsso.cookie.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 29600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross-Domain Single Sign On. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29400,
"required" : false,
"type" : "boolean"
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29700,
"required" : false,
"type" : "boolean"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedWebAgentConfig" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 5,
"properties" : {
"customProperties" : {
"title" : "Custom Properties",
"description" : "Additional properties that allow users to augment the set of properties supported by agent. (property name: com.sun.identity.agents.config.freeformproperties) <br>Hot-swap: Yes <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2",
"propertyOrder" : 35100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"overrideRequestHost" : {
"title" : "Override Request URL Host",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the host with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.host) <br>Hot-swap: Yes",
"propertyOrder" : 33200,
"required" : false,
"type" : "boolean"
},
"clientIpHeader" : {
"title" : "Client IP Address Header",
"description" : "HTTP header name that holds the IP address of the client. (property name: com.sun.identity.agents.config.client.ip.header) <br>Hot-swap: Yes",
"propertyOrder" : 32800,
"required" : false,
"type" : "string"
},
"clientHostnameHeader" : {
"title" : "Client Hostname Header",
"description" : "HTTP header name that holds the Hostname of the client. (property name: com.sun.identity.agents.config.client.hostname.header) <br>Hot-swap: Yes",
"propertyOrder" : 32900,
"required" : false,
"type" : "string"
},
"overrideRequestPort" : {
"title" : "Override Request URL Port",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the port with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.port) <br>Hot-swap: Yes",
"propertyOrder" : 33300,
"required" : false,
"type" : "boolean"
},
"authenticationType" : {
"title" : "Authentication Type",
"description" : "(property name: com.sun.identity.agents.config.iis.auth.type)",
"propertyOrder" : 33800,
"required" : false,
"type" : "string"
},
"overrideRequestProtocol" : {
"title" : "Override Request URL Protocol",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the protocol with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.protocol) <br>Hot-swap: Yes",
"propertyOrder" : 33100,
"required" : false,
"type" : "boolean"
},
"changeProtocolToHttps" : {
"title" : "Change URL Protocol to https",
"description" : "If true, avoids IE6 security pop-ups. (property name: com.sun.identity.agents.config.iis.owa.enable.change.protocol)",
"propertyOrder" : 34200,
"required" : false,
"type" : "boolean"
},
"checkUserInDomino" : {
"title" : "Check User in Domino Database",
"description" : "If true, agent checks user existence in Domino name database. (property name: com.sun.identity.agents.config.domino.check.name.database)",
"propertyOrder" : 34600,
"required" : false,
"type" : "boolean"
},
"useLtpaToken" : {
"title" : "Use LTPA token",
"description" : "Set to true if agent needs to use LTPA Token. (property name: com.sun.identity.agents.config.domino.ltpa.enable)",
"propertyOrder" : 34700,
"required" : false,
"type" : "boolean"
},
"showPasswordInHeader" : {
"title" : "Show Password in HTTP Header",
"description" : "Set to true if encrypted password should be set in HTTP header AUTH_PASSWORD. (property name: com.sun.identity.agents.config.iis.password.header)",
"propertyOrder" : 34400,
"required" : false,
"type" : "boolean"
},
"overrideNotificationUrl" : {
"title" : "Override Notification URL",
"description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the URL with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.notification.url) <br>Hot-swap: Yes",
"propertyOrder" : 33400,
"required" : false,
"type" : "boolean"
},
"filterPriority" : {
"title" : "Filter Priority",
"description" : "The loading priority of filter. (property name: com.sun.identity.agents.config.iis.filter.priority)",
"propertyOrder" : 34000,
"required" : false,
"type" : "string"
},
"ltpaTokenConfigurationname" : {
"title" : "LTPA Token Configuration Name",
"description" : "The configuration name that the agent uses in order to employ the LTPA token mechanism. (property name: com.sun.identity.agents.config.domino.ltpa.config.name)",
"propertyOrder" : 34900,
"required" : false,
"type" : "string"
},
"logonAndImpersonation" : {
"title" : "Logon and Impersonation",
"description" : "Set to true if agent should do Windows Logon and User Impersonation. (property name: com.sun.identity.agents.config.iis.logonuser)",
"propertyOrder" : 34500,
"required" : false,
"type" : "boolean"
},
"filterConfiguredWithOwa" : {
"title" : "Filter configured with OWA",
"description" : "Set to true if the IIS agent filter is configured for OWA. (property name: com.sun.identity.agents.config.iis.owa.enable)",
"propertyOrder" : 34100,
"required" : false,
"type" : "boolean"
},
"replayPasswordKey" : {
"title" : "Replay Password Key",
"description" : "DES key for decrypting the basic authentication password in the session. (property name: com.sun.identity.agents.config.replaypasswd.key)",
"propertyOrder" : 33900,
"required" : false,
"type" : "string"
},
"postDataCachePeriod" : {
"title" : "POST Data Entries Cache Period",
"description" : "POST cache entry lifetime in minutes. (property name: com.sun.identity.agents.config.postcache.entry.lifetime) <br>Hot-swap: Yes",
"propertyOrder" : 33600,
"required" : false,
"type" : "integer"
},
"overrideProxyHostAndPort" : {
"title" : "Override Proxy Server's Host and Port",
"description" : "(property name: com.sun.identity.agents.config.proxy.override.host.port) <br>Hot-swap: No",
"propertyOrder" : 33700,
"required" : false,
"type" : "boolean"
},
"ltpaTokenOrganizationName" : {
"title" : "LTPA Token Organization Name",
"description" : "The organization name to which the LTPA token belongs. (property name: com.sun.identity.agents.config.domino.ltpa.org.name)",
"propertyOrder" : 35000,
"required" : false,
"type" : "string"
},
"ltpaTokenCookieName" : {
"title" : "LTPA Token Cookie Name",
"description" : "The name of the cookie that contains the LTPA token. (property name: com.sun.identity.agents.config.domino.ltpa.cookie.name)",
"propertyOrder" : 34800,
"required" : false,
"type" : "string"
},
"idleSessionTimeoutUrl" : {
"title" : "Idle Session Timeout Page URL",
"description" : "URL of the local idle session timeout page. (property name: com.sun.identity.agents.config.iis.owa.enable.session.timeout.url)",
"propertyOrder" : 34300,
"required" : false,
"type" : "string"
},
"loadBalanced" : {
"title" : "Load Balancer Setup",
"description" : "Set to true if a load balancer is used for AM services. (property name: com.sun.identity.agents.config.load.balancer.enable) <br>Hot-swap: No",
"propertyOrder" : 33000,
"required" : false,
"type" : "boolean"
},
"postDataPreservation" : {
"title" : "POST Data Preservation",
"description" : "Enables POST data preservation. (property name: com.sun.identity.agents.config.postdata.preserve.enable) <br> Note that this feature is not supported in all the web agents. Please refer to the individual agent's documentation for more details. <br>Hot-swap: Yes",
"propertyOrder" : 33500,
"required" : false,
"type" : "boolean"
}
}
},
"globalWebAgentConfig" : {
"type" : "object",
"title" : "Global",
"propertyOrder" : 0,
"properties" : {
"status" : {
"title" : "Status",
"description" : "Status of the agent configuration.",
"propertyOrder" : 25100,
"required" : true,
"type" : "string"
},
"webSocketConnectionIntervalInMinutes" : {
"title" : "Web Socket Connection Interval",
"description" : "Interval in minutes by which agents reopen their web socket connection to ensure a fair distribution of connections across AM servers. (Agent 5 only).",
"propertyOrder" : 25400,
"required" : false,
"type" : "integer"
},
"ssoOnlyMode" : {
"title" : "SSO Only Mode",
"description" : "Agent will just enforce authentication (SSO), but no authorization for policies. (property name: com.sun.identity.agents.config.sso.only) <br>Hot-swap: Yes",
"propertyOrder" : 26200,
"required" : false,
"type" : "boolean"
},
"fqdnDefault" : {
"title" : "FQDN Default",
"description" : "Fully qualified hostname that the users should use in order to access resources. (property name: com.sun.identity.agents.config.fqdn.default) <br>Hot-swap: Yes",
"propertyOrder" : 27400,
"required" : false,
"type" : "string"
},
"jwtName" : {
"title" : "JWT Cookie Name",
"description" : "The name used by the agent to set the OIDC JWT on the user's browser. (Agent 5 only).",
"propertyOrder" : 25500,
"required" : false,
"type" : "string"
},
"fqdnCheck" : {
"title" : "FQDN Check",
"description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27300,
"required" : false,
"type" : "boolean"
},
"remoteLogSendInterval" : {
"title" : "Remote Audit Log Interval",
"description" : "Periodic interval in minutes in which audit log messages are sent to remote log file. (property name: com.sun.identity.agents.config.remote.log.interval) <br>Hot-swap: No",
"propertyOrder" : 27000,
"required" : false,
"type" : "integer"
},
"configurationPollingInterval" : {
"title" : "Configuration Reload Interval",
"description" : "Interval in minutes to fetch agent configuration from AM. (property name: com.sun.identity.agents.config.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 25900,
"required" : false,
"type" : "integer"
},
"localAuditRotationSize" : {
"title" : "Local Audit Log Rotation Size",
"description" : "Size limit in bytes when a local audit log file is rotated to a new file. (property name: com.sun.identity.agents.config.local.log.size) <br>Hot-swap: Yes",
"propertyOrder" : 27200,
"required" : false,
"type" : "integer"
},
"agentUriPrefix" : {
"title" : "Agent Deployment URI Prefix",
"description" : "(property name: com.sun.identity.agents.config.agenturi.prefix)<br>Hot-swap: Yes",
"propertyOrder" : 25800,
"required" : false,
"type" : "string"
},
"auditAccessType" : {
"title" : "Audit Access Types",
"description" : "Types of messages to log based on user URL access attempts. (property name: com.sun.identity.agents.config.audit.accesstype) <br>Hot-swap: Yes",
"propertyOrder" : 26700,
"required" : false,
"type" : "string"
},
"debugRotationSize" : {
"title" : "Agent Debug File Size",
"description" : "Agent debug file size in bytes. (property name: com.sun.identity.agents.config.debug.file.size) <br>Hot-swap: Yes",
"propertyOrder" : 26600,
"required" : false,
"type" : "integer"
},
"remoteLogFilename" : {
"title" : "Remote Log Filename",
"description" : "(Not used in Agent 5 onwards) <br>Name of file stored on AM server that contains agent audit messages. (property name: com.sun.identity.agents.config.remote.logfile) <br>Hot-swap: No",
"propertyOrder" : 26900,
"required" : false,
"type" : "string"
},
"configurationCleanupInterval" : {
"title" : "Configuration Cleanup Interval",
"description" : "Interval in minutes to cleanup old agent configuration entries. (property name: com.sun.identity.agents.config.cleanup.interval) <br>Hot-swap: No",
"propertyOrder" : 26000,
"required" : false,
"type" : "integer"
},
"cdssoRootUrl" : {
"title" : "Agent Root URL for CDSSO",
"description" : "The agent root URL for CDSSO. The valid value is in the following format: <br>protocol://hostname:port/<br> The protocol represents the protocol used, such as http or https. The hostname represents the host name of the machine on which the agent resides. The port represents the port number on which the agent is installed. The slash following the port number is required.",
"propertyOrder" : 26100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"notificationsEnabled" : {
"title" : "Enable Notifications",
"description" : "The notifications help in maintaining agent's sso, policy and configuration caches. (property name: com.sun.identity.agents.config.notification.enable) <br>Hot-swap: No",
"propertyOrder" : 25600,
"required" : false,
"type" : "boolean"
},
"agentNotificationUrl" : {
"title" : "Agent Notification URL",
"description" : "(Not used in Agent 5 onwards) <br>URL used by agent to register notification listeners. (property name: com.sun.identity.client.notification.url) <br>Hot-swap: No",
"propertyOrder" : 25700,
"required" : false,
"type" : "string"
},
"fqdnMapping" : {
"title" : "FQDN Virtual Host Map",
"description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br>Hot-swap: Yes <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.",
"propertyOrder" : 27500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"debugLogRotation" : {
"title" : "Agent Debug File Rotation",
"description" : "Debug file gets rotated based on the size specified. (property name: com.sun.identity.agents.config.debug.file.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 26500,
"required" : false,
"type" : "boolean"
},
"agentConfigChangeNotificationsEnabled" : {
"title" : "Agent Configuration Change Notification",
"description" : "Enable agent to receive notification messages from AM server for configuration changes. (property name: com.sun.identity.agents.config.change.notification.enable) <br>Hot-swap: Yes",
"propertyOrder" : 25300,
"required" : false,
"type" : "boolean"
},
"accessDeniedUrl" : {
"title" : "Resources Access Denied URL",
"description" : "The URL of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.url) <br>Hot-swap: Yes",
"propertyOrder" : 26300,
"required" : false,
"type" : "string"
},
"agentDebugLevel" : {
"title" : "Agent Debug Level",
"description" : "Agent debug level. (property name: com.sun.identity.agents.config.debug.level) <br>Hot-swap: Yes",
"propertyOrder" : 26400,
"required" : false,
"type" : "string"
},
"localAuditLogRotation" : {
"title" : "Rotate Local Audit Log",
"description" : "Flag to indicate that audit log files should be rotated when reaching a certain size. (property name: com.sun.identity.agents.config.local.log.rotate) <br>Hot-swap: Yes",
"propertyOrder" : 27100,
"required" : false,
"type" : "boolean"
},
"auditLogLocation" : {
"title" : "Audit Log Location",
"description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition) <br>Hot-swap: Yes",
"propertyOrder" : 26800,
"required" : false,
"type" : "string"
}
}
},
"amServicesWebAgent" : {
"type" : "object",
"title" : "AM Services",
"propertyOrder" : 3,
"properties" : {
"primaryServerPollingPeriod" : {
"title" : "Polling Period for Primary Server",
"description" : "Interval in minutes, agent polls to check the primary server is up and running. (property name: com.sun.identity.agents.config.poll.primary.server) <br>Hot-swap: No",
"propertyOrder" : 30100,
"required" : false,
"type" : "integer"
},
"policyEvaluationApplication" : {
"title" : "Application",
"description" : "Which application contains the policies to evaluate with (property name: org.forgerock.openam.agents.config.policy.evaluation.application) <br>Hot-swap: Yes",
"propertyOrder" : 31400,
"required" : false,
"type" : "string"
},
"retrieveClientHostname" : {
"title" : "Retrieve Client Hostname",
"description" : "Gets the client's hostname through DNS reverse lookup for use in policy evaluation. (property name: com.sun.identity.agents.config.get.client.host.name) <br>Hot-swap: Yes",
"propertyOrder" : 31100,
"required" : false,
"type" : "boolean"
},
"ssoCachePollingInterval" : {
"title" : "SSO Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's sso cache. (property name: com.sun.identity.agents.config.sso.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30700,
"required" : false,
"type" : "integer"
},
"userIdParameter" : {
"title" : "User ID Parameter",
"description" : "Agent sets value of User Id to REMOTE_USER server variable. (property name: com.sun.identity.agents.config.userid.param) <br>Hot-swap: Yes",
"propertyOrder" : 30800,
"required" : false,
"type" : "string"
},
"amLogoutUrl" : {
"title" : "AM Logout URL",
"description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Logout",
"propertyOrder" : 30200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"policyClockSkew" : {
"title" : "Policy Clock Skew",
"description" : "Time in seconds used to adjust the time difference between the Agent machine and AM. Clock skew in seconds = AgentTime - AMServerTime. (property name: com.sun.identity.agents.config.policy.clock.skew) <br>Hot-swap: No",
"propertyOrder" : 31200,
"required" : false,
"type" : "integer"
},
"logoutResetCookies" : {
"title" : "Logout Cookies List for Reset",
"description" : "Any cookies to be reset upon logout in the same format as cookie reset list. (property name: com.sun.identity.agents.config.logout.cookie.reset) <br>Hot-swap: Yes <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 30400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"fetchPoliciesFromRootResource" : {
"title" : "Fetch Policies from Root Resource",
"description" : "Agent caches policy decision of the resource and all resources from the root of the resource down. (property name: com.sun.identity.agents.config.fetch.from.root.resource) <br>Hot-swap: No",
"propertyOrder" : 31000,
"required" : false,
"type" : "boolean"
},
"logoutRedirectUrl" : {
"title" : "Logout Redirect URL",
"description" : "User gets redirected to this url after logout. (property name: com.sun.identity.agents.config.logout.redirect.url). This property should be specified along with the above Logout URL List.<br>Hot-swap: Yes",
"propertyOrder" : 30500,
"required" : false,
"type" : "string"
},
"policyEvaluationRealm" : {
"title" : "Realm",
"description" : "Which realm to start evaluating from (property name: org.forgerock.openam.agents.config.policy.evaluation.realm) <br>Hot-swap: Yes",
"propertyOrder" : 31300,
"required" : false,
"type" : "string"
},
"agentConnectionTimeout" : {
"title" : "Agent Connection Timeout",
"description" : "Timeout period in seconds for an agent connection with AM auth server. (property name: com.sun.identity.agents.config.auth.connection.timeout) <br>Hot-swap: Yes",
"propertyOrder" : 30000,
"required" : false,
"type" : "integer"
},
"amLoginUrl" : {
"title" : "AM Login URL",
"description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/UI/Login",
"propertyOrder" : 29900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userIdParameterType" : {
"title" : "User ID Parameter Type",
"description" : "User ID can be fetched from either SESSION or LDAP attributes. (property name: com.sun.identity.agents.config.userid.param.type) <br>Hot-swap: Yes",
"propertyOrder" : 30900,
"required" : false,
"type" : "string"
},
"policyCachePollingInterval" : {
"title" : "Policy Cache Polling Period",
"description" : "Polling interval in minutes to refresh agent's policy cache. (property name: com.sun.identity.agents.config.policy.cache.polling.interval) <br>Hot-swap: No",
"propertyOrder" : 30600,
"required" : false,
"type" : "integer"
},
"applicationLogoutUrls" : {
"title" : "Logout URL List",
"description" : "List of application logout URLs. The user is logged out of the AM session when any of these URLs is accessed. (property name: com.sun.identity.agents.config.agent.logout.url). If this property is used, also specify a value for the Logout Redirect URL property.<br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/logout.html",
"propertyOrder" : 30300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"applicationWebAgentConfig" : {
"type" : "object",
"title" : "Application",
"propertyOrder" : 1,
"properties" : {
"notEnforcedIps" : {
"title" : "Not Enforced Client IP List",
"description" : "No authentication or authorization is required for requests coming from these client IP addresses. (property name: com.sun.identity.agents.config.notenforced.ip) <br>Hot-swap: Yes <br> Examples: <br> 192.18.145.* <br> 192.18.146.123",
"propertyOrder" : 28000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"continuousSecurityCookies" : {
"title" : "Continuous Security Cookies",
"description" : "The names of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name under which it will appear in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent.",
"propertyOrder" : 28900,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"profileAttributeMap" : {
"title" : "Profile Attribute Map",
"description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.",
"propertyOrder" : 28300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"profileAttributeFetchMode" : {
"title" : "Profile Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.profile.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28200,
"required" : false,
"type" : "string"
},
"fetchAttributesForNotEnforcedUrls" : {
"title" : "Fetch Attributes for Not Enforced URLs",
"description" : "The agent fetches profile attributes for not-enforced URLs by performing policy evaluation. (property name: com.sun.identity.agents.config.notenforced.url.attributes.enable) <br>Hot-swap: Yes",
"propertyOrder" : 27900,
"required" : false,
"type" : "boolean"
},
"ignorePathInfoForNotEnforcedUrls" : {
"title" : "Ignore Path Info for Not Enforced URLs",
"description" : "Indicate whether the path info and query should be stripped from the request URL before being compared with the URLs of the not enforced list when those URLs have a wildcard '*' character. (property name: com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list) <br>Hot-swap: Yes",
"propertyOrder" : 27600,
"required" : false,
"type" : "boolean"
},
"attributeMultiValueSeparator" : {
"title" : "Attribute Multi Value Separator",
"description" : "Specifies separator for multiple values. Applies to all types of attributes i.e. profile, session and response attributes. (property name: com.sun.identity.agents.config.attribute.multi.value.separator) <br>Hot-swap: Yes",
"propertyOrder" : 28800,
"required" : false,
"type" : "string"
},
"notEnforcedUrls" : {
"title" : "Not Enforced URLs",
"description" : "List of URLs for which no authentication is required. (property name: com.sun.identity.agents.config.notenforced.url) <br>Hot-swap: Yes <br> Example: <br> http://myagent.mydomain.com/*.gif",
"propertyOrder" : 27700,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sessionAttributeFetchMode" : {
"title" : "Session Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.session.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28600,
"required" : false,
"type" : "string"
},
"continuousSecurityHeaders" : {
"title" : "Continuous Security Headers",
"description" : "The names of the headers in the user's original request that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name under which it will appear in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent.",
"propertyOrder" : 29000,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"sessionAttributeMap" : {
"title" : "Session Attribute Map",
"description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.session.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.",
"propertyOrder" : 28700,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"clientIpValidation" : {
"title" : "Client IP Validation",
"description" : "This validates if the subsequent browser requests come from the same ip address that the SSO token is initially issued against. (property name: com.sun.identity.agents.config.client.ip.validation.enable) <br>Hot-swap: Yes",
"propertyOrder" : 28100,
"required" : false,
"type" : "boolean"
},
"invertNotEnforcedUrls" : {
"title" : "Invert Not Enforced URLs",
"description" : "Inverts the Not Enforced URLs list: only the listed URLs are enforced, and every other URL is not enforced. (property name: com.sun.identity.agents.config.notenforced.url.invert) <br>Hot-swap: Yes",
"propertyOrder" : 27800,
"required" : false,
"type" : "boolean"
},
"responseAttributeMap" : {
"title" : "Response Attribute Map",
"description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br>Hot-swap: Yes <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.",
"propertyOrder" : 28500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"responseAttributeFetchMode" : {
"title" : "Response Attribute Fetch Mode",
"description" : "(property name: com.sun.identity.agents.config.response.attribute.fetch.mode) <br>Hot-swap: Yes",
"propertyOrder" : 28400,
"required" : false,
"type" : "string"
}
}
},
"miscWebAgentConfig" : {
"type" : "object",
"title" : "Miscellaneous",
"propertyOrder" : 4,
"properties" : {
"anonymousUserEnabled" : {
"title" : "Anonymous User",
"description" : "Enable/Disable REMOTE_USER processing for anonymous users. (property name: com.sun.identity.agents.config.anonymous.user.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31600,
"required" : false,
"type" : "boolean"
},
"encodeSpecialCharsInCookies" : {
"title" : "Encode special chars in Cookies",
"description" : "Encode special chars in cookie by URL encoding. Useful when profile, session and response attributes contain special chars and attributes fetch mode is set to HTTP_COOKIE. (property name: com.sun.identity.agents.config.encode.cookie.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 31700,
"required" : false,
"type" : "boolean"
},
"agentLocale" : {
"title" : "Agent Locale",
"description" : "The default locale for the product. (property name: com.sun.identity.agents.config.locale) <br>Hot-swap: No",
"propertyOrder" : 31500,
"required" : false,
"type" : "string"
},
"caseInsensitiveUrlComparison" : {
"title" : "URL Comparison Case Sensitivity Check",
"description" : "Enforces case insensitivity in both policy and not enforced url evaluation. (property name: com.sun.identity.agents.config.url.comparison.case.ignore) <br>Hot-swap: Yes",
"propertyOrder" : 32000,
"required" : false,
"type" : "boolean"
},
"anonymousUserId" : {
"title" : "Anonymous User Default Value",
"description" : "User id of unauthenticated users. (property name: com.sun.identity.agents.config.anonymous.user.id) <br>Hot-swap: Yes",
"propertyOrder" : 32700,
"required" : false,
"type" : "string"
},
"profileAttributesCookiePrefix" : {
"title" : "Profile Attributes Cookie Prefix",
"description" : "Sets cookie prefix in the attributes headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.prefix) <br>Hot-swap: Yes",
"propertyOrder" : 31800,
"required" : false,
"type" : "string"
},
"profileAttributesCookieMaxAge" : {
"title" : "Profile Attributes Cookie Maxage",
"description" : "Maxage of attributes cookie headers. (property name: com.sun.identity.agents.config.profile.attribute.cookie.maxage) <br>Hot-swap: Yes",
"propertyOrder" : 31900,
"required" : false,
"type" : "integer"
},
"ignoreServerCheck" : {
"title" : "Ignore Server Check",
"description" : "When false, the agent checks that AM is up before issuing a 302 redirect to it; set to true to skip that check. (property name: com.sun.identity.agents.config.ignore.server.check) <br>Hot-swap: Yes",
"propertyOrder" : 32300,
"required" : false,
"type" : "boolean"
},
"ignorePreferredNamingUrl" : {
"title" : "Ignore Preferred Naming URL in Naming Request",
"description" : "When true, the agent does not send the preferred naming URL in the naming request. (property name: com.sun.identity.agents.config.ignore.preferred.naming.url) <br>Hot-swap: Yes",
"propertyOrder" : 32200,
"required" : false,
"type" : "boolean"
},
"encodeProfileAttributes" : {
"title" : "Native Encoding of Profile Attributes",
"description" : "The agent encodes the LDAP header values in the default encoding of the OS locale. If false, UTF-8 is used. (property name: com.sun.identity.agents.config.convert.mbyte.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32500,
"required" : false,
"type" : "boolean"
},
"encodeUrlSpecialCharacters" : {
"title" : "Encode URL's Special Characters",
"description" : "Encodes the url which has special characters before doing policy evaluation. (property name: com.sun.identity.agents.config.encode.url.special.chars.enable) <br>Hot-swap: Yes",
"propertyOrder" : 32100,
"required" : false,
"type" : "boolean"
},
"gotoParameterName" : {
"title" : "Goto Parameter Name",
"description" : "Property used only when CDSSO is enabled. The default value should be changed only when the login URL has a landing page specified. <br> Example : com.sun.identity.agents.config.cdsso.cdcservlet.url = http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp <br> The parameter is used by the Agent to append the original request URL to this cdcservlet URL. This parameter is consumed by the landing page to redirect to the original URL. (property name: com.sun.identity.agents.config.redirect.param) <br>Hot-swap: Yes <br> Example: com.sun.identity.agents.config.redirect.param = goto2<br> The complete URL sent for authentication will be <br> http://host:port/opensso/cdcservlet?goto=http://agent:port/landing.jsp?goto2=http://agent:port/original.jsp",
"propertyOrder" : 32600,
"required" : false,
"type" : "string"
},
"ignorePathInfo" : {
"title" : "Ignore Path Info in Request URL",
"description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. (property name: com.sun.identity.agents.config.ignore.path.info) <br>Hot-swap: Yes",
"propertyOrder" : 32400,
"required" : false,
"type" : "boolean"
}
}
},
"ssoWebAgentConfig" : {
"type" : "object",
"title" : "SSO",
"propertyOrder" : 2,
"properties" : {
"cookieResetList" : {
"title" : "Cookies Reset Name List",
"description" : "List of cookies in the format: name[=value][;Domain=value]. (property name: com.sun.identity.agents.config.cookie.reset) <br>Hot-swap: Yes <br> Examples: <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com",
"propertyOrder" : 29800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cookieName" : {
"title" : "Cookie Name",
"description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.sun.identity.agents.config.cookie.name)<br>Hot-swap: No",
"propertyOrder" : 29100,
"required" : false,
"type" : "string"
},
"secureCookies" : {
"title" : "Cookie Security",
"description" : "Agent sends secure cookies if communication is secure. (property name: com.sun.identity.agents.config.cookie.secure) <br>Hot-swap: No",
"propertyOrder" : 29200,
"required" : false,
"type" : "boolean"
},
"cdssoUrls" : {
"title" : "CDSSO Servlet URL",
"description" : "List of URLs of the available CDSSO controllers that may be used by the Agent for CDSSO processing. (property name: com.sun.identity.agents.config.cdsso.cdcservlet.url) <br>Hot-swap: Yes <br> Example: <br> http://host:port/opensso/cdcservlet",
"propertyOrder" : 29500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cdssoRedirectUri" : {
"title" : "CDSSO Redirect URI",
"description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. (property name: com.sun.identity.agents.config.cdsso.redirect.uri) <br>Hot-swap: Yes",
"propertyOrder" : 29300,
"required" : false,
"type" : "string"
},
"cdssoCookieDomain" : {
"title" : "Cookies Domain List",
"description" : "List of domains in which cookies have to be set in CDSSO. (property name: com.sun.identity.agents.config.cdsso.cookie.domain) <br>Hot-swap: Yes <br> Example: <br> .sun.com",
"propertyOrder" : 29600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cdsso" : {
"title" : "Cross Domain SSO",
"description" : "Enables Cross-Domain Single Sign On. (property name: com.sun.identity.agents.config.cdsso.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29400,
"required" : false,
"type" : "boolean"
},
"cookieResetEnabled" : {
"title" : "Cookie Reset",
"description" : "The agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable) <br>Hot-swap: Yes",
"propertyOrder" : 29700,
"required" : false,
"type" : "boolean"
}
}
}
}
}
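The Not Enforced URL and IP settings above (notEnforcedUrls, notEnforcedIps, invertNotEnforcedUrls, ignorePathInfoForNotEnforcedUrls, caseInsensitiveUrlComparison) together decide whether a request bypasses authentication, which makes their interplay the most security-relevant part of the agent configuration. The Python model below is an added illustration, not the agent's own matcher: it assumes that '*' is the only wildcard and matches any run of characters (including '/'), that '?' is literal, and that "path info" stripping removes the query string plus any path segments after the first segment carrying an extension. The sample configuration and request URLs are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class NotEnforcedConfig:
    """Subset of the web agent Application/Miscellaneous settings (constructed)."""
    not_enforced_urls: list          # com.sun.identity.agents.config.notenforced.url
    not_enforced_ips: list           # com.sun.identity.agents.config.notenforced.ip
    invert: bool = False             # ...notenforced.url.invert
    ignore_path_info: bool = False   # ...ignore.path.info.for.not.enforced.list
    case_insensitive: bool = False   # ...url.comparison.case.ignore


def glob_to_regex(pattern: str, case_insensitive: bool = False) -> "re.Pattern[str]":
    # Assumption: only '*' is a wildcard and it matches any run of characters,
    # '/' included; everything else, '?' in particular, is literal.
    escaped = [re.escape(part) for part in pattern.split("*")]
    flags = re.IGNORECASE if case_insensitive else 0
    return re.compile("^" + ".*".join(escaped) + "$", flags)


def strip_path_info(url: str) -> str:
    """Drop the query string and any path info after the first segment that
    carries an extension, e.g. /img/a.gif/extra?x=1 -> /img/a.gif (simplified)."""
    parts = urlsplit(url)
    kept = []
    for segment in parts.path.split("/"):
        kept.append(segment)
        if "." in segment:
            break
    return urlunsplit((parts.scheme, parts.netloc, "/".join(kept), "", ""))


def ip_not_enforced(client_ip: str, patterns: list) -> bool:
    # The client IP is taken as given; this model does not consult proxy headers.
    return any(glob_to_regex(p).match(client_ip) for p in patterns)


def url_listed(cfg: NotEnforcedConfig, url: str) -> bool:
    """True when the request URL matches an entry of the not-enforced list."""
    for pattern in cfg.not_enforced_urls:
        target = url
        if cfg.ignore_path_info and "*" in pattern:
            target = strip_path_info(url)
        if glob_to_regex(pattern, cfg.case_insensitive).match(target):
            return True
    return False


def is_enforced(cfg: NotEnforcedConfig, url: str, client_ip: str) -> bool:
    """True when the agent must authenticate and authorise the request."""
    if ip_not_enforced(client_ip, cfg.not_enforced_ips):
        return False
    listed = url_listed(cfg, url)
    # Normal mode: a listed URL is not enforced.
    # Inverted mode: only listed URLs are enforced.
    return listed if cfg.invert else not listed


if __name__ == "__main__":
    cfg = NotEnforcedConfig(
        not_enforced_urls=["http://myagent.mydomain.com/*.gif"],
        not_enforced_ips=["192.18.145.*"],
    )
    for url, ip in [
        ("http://myagent.mydomain.com/logo.gif", "10.0.0.9"),
        ("http://myagent.mydomain.com/admin", "10.0.0.9"),
        ("http://myagent.mydomain.com/admin", "192.18.145.7"),
        ("http://myagent.mydomain.com/admin/x.gif/secret", "10.0.0.9"),
    ]:
        print(url, ip, "enforced" if is_enforced(cfg, url, ip) else "NOT enforced")
```

Two things the model makes visible: a Not Enforced Client IP entry skips both authentication and authorization outright, so wildcard entries such as 192.18.145.* should be reviewed like firewall rules; and enabling the path-info stripping flag widens what a wildcard pattern covers (in this model /admin/x.gif/secret becomes not enforced under the *.gif rule), so it should be combined with patterns that are as specific as possible.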
/realm-config/authentication
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
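The Account Lockout settings defined in the schema below (loginFailureLockoutMode, loginFailureCount, loginFailureDuration, lockoutDuration, lockoutDurationMultiplier, lockoutWarnUserCount) interact in ways the individual property descriptions only hint at: failures are counted over a sliding interval, the lockout duration escalates by the multiplier on each successive lockout, and a duration of 0 locks the account until an administrator intervenes. The Python model below is an added illustration of those rules, not AM's implementation. It assumes that the failure window restarts when a lockout expires and that the escalation counter resets on a successful login; timestamps are in minutes and the users and policies are constructed for the example.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    """Realm Account Lockout settings, named after the schema properties."""
    enabled: bool = True               # loginFailureLockoutMode
    failure_count: int = 5             # loginFailureCount
    failure_interval_min: int = 5      # loginFailureDuration
    lockout_duration_min: int = 0      # lockoutDuration (0 = until an admin unlocks)
    duration_multiplier: int = 1       # lockoutDurationMultiplier (1 = no escalation)
    warn_after: int = 0                # lockoutWarnUserCount (0 = never warn)


@dataclass
class UserState:
    failures: List[float] = field(default_factory=list)   # minute timestamps
    locked_until: Optional[float] = None                   # math.inf = indefinite
    lockouts: int = 0                                      # successive lockouts


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        st.locked_until = None      # lockout duration has elapsed
        st.failures.clear()         # assumption: the failure window restarts
        return False

    def record_failure(self, user: str, now: float) -> str:
        """Return 'locked', 'warn' or 'fail' for a failed authentication at `now`."""
        p = self.policy
        if not p.enabled:
            return "fail"
        if self.is_locked(user, now):
            return "locked"
        st = self._state(user)
        # Failures older than the lockout interval are ignored (sliding window).
        st.failures = [t for t in st.failures if now - t < p.failure_interval_min]
        st.failures.append(now)
        if len(st.failures) >= p.failure_count:
            st.lockouts += 1
            if p.lockout_duration_min == 0:
                st.locked_until = math.inf
            else:
                # duration 10 with multiplier 2 -> 10, 20, 40 ... minutes
                escalation = p.duration_multiplier ** (st.lockouts - 1)
                st.locked_until = now + p.lockout_duration_min * escalation
            return "locked"
        if p.warn_after and len(st.failures) == p.warn_after:
            return "warn"
        return "fail"

    def record_success(self, user: str, now: float) -> bool:
        """Return False while the account is locked; otherwise reset the counters."""
        if self.is_locked(user, now):
            return False
        st = self._state(user)
        st.failures.clear()
        st.lockouts = 0             # assumption: escalation resets on success
        return True

    def admin_unlock(self, user: str) -> None:
        """Administrative action: clears an indefinite (duration 0) lockout."""
        self.users[user] = UserState()


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(lockout_duration_min=10,
                                           duration_multiplier=2, warn_after=3))
    for minute in range(5):
        print(minute, tracker.record_failure("alice", minute))
    print("locked at minute 13:", tracker.is_locked("alice", 13))
    print("locked at minute 14:", tracker.is_locked("alice", 14))
```

The model mirrors the description's own worked numbers: five failures within a five minute interval lock the account, a failure that falls outside the interval is discarded before counting, and with a 10 minute duration and multiplier 2 the second lockout lasts 20 minutes. Note that a successful login is refused while the lockout is active even with the correct password, which is the behaviour an attacker can exploit to deny service; the warning threshold and a finite duration are the knobs that trade that risk against brute-force resistance.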
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 3,
"properties" : {
"userStatusCallbackPlugins" : {
"title" : "Pluggable User Status Event Classes",
"description" : "List of classes to be called when the status of the user account changes.<br><br>When the status of a user's account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built-in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.",
"propertyOrder" : 2600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"twoFactorRequired" : {
"title" : "Two Factor Authentication Mandatory",
"description" : "When enabled, every user authenticating to this realm must complete a 2FA authentication module (OATH or Push). This applies to authentication modules only, not to authentication tree nodes.",
"propertyOrder" : 3900,
"required" : true,
"type" : "boolean"
},
"identityType" : {
"title" : "Identity Types",
"propertyOrder" : 2500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"locale" : {
"title" : "Default Authentication Locale",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"defaultAuthLevel" : {
"title" : "Default Authentication Level",
"description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set its own auth level then the module will have the default authentication level for the realm.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
},
"statelessSessionsEnabled" : {
"title" : "Use Client-based Sessions",
"description" : "Enables client-based sessions.<br><br>Client-based sessions provide elastic scalability by storing all session state as a JWT in a cookie stored on the client. It is highly recommended to enable signing and encryption of the JWT in the global session service.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
}
}
},
"trees" : {
"type" : "object",
"title" : "Trees",
"propertyOrder" : 4,
"properties" : {
"authenticationSessionsStateManagement" : {
"title" : "Authentication session state management scheme",
"description" : "Specify how the authentication session state is managed.<br><br>CTS option will write the state down to the underlying core token store.<br />JWT option will transmit the state in a JWT to the client.<br />In-Memory option will maintain the state in the memory (requires sticky loadbalancing).<br /><br /> <em>To configure JWT signing, encryption, and blacklisting use the options in the Client-based Sessions section of the Sessions global service.</em>",
"propertyOrder" : 3850,
"required" : true,
"type" : "string"
},
"authenticationSessionsWhitelist" : {
"title" : "Enable whitelisting",
"description" : "Enables explicit whitelisting of valid authentication states to prevent replay attacks.<br><br>If enabled, each time a response is sent to the user a randomly generated state parameter is also sent back to the user. This state parameter is stored where it is accessible to AM and must be sent in with the subsequent request. After a request has been received with a valid state parameter, the next response contains a new state, and the server's view of the valid state parameter is updated.",
"propertyOrder" : 3860,
"required" : true,
"type" : "boolean"
},
"authenticationSessionsMaxDuration" : {
"title" : "Max duration (minutes)",
"description" : "Specify how long an authentication session can last.<br><br>From the time an authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed.",
"propertyOrder" : 3860,
"required" : true,
"type" : "integer"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : -1,
"properties" : {
"adminAuthModule" : {
"title" : "Administrator Authentication Configuration",
"description" : "Default Authentication Service for administrators<br><br>This is the authentication service that will be used to authenticate administrative users to this realm.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"orgConfig" : {
"title" : "Organization Authentication Configuration",
"description" : "Default Authentication Service for users<br><br>This is the authentication service that will be used to authenticate users to this realm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
},
"accountlockout" : {
"type" : "object",
"title" : "Account Lockout",
"propertyOrder" : 2,
"properties" : {
"storeInvalidAttemptsInDataStore" : {
"title" : "Store Invalid Attempts in Data Store",
"description" : "Enables sharing of login failure attempts across AM instances<br><br>When this setting is enabled, OpenAM stores the user's invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"lockoutDuration" : {
"title" : "Login Failure Lockout Duration",
"description" : "The duration of the user's account lockout, in minutes.<br><br>OpenAM can either lock out the user's account indefinitely (until administrative action) by setting the duration to 0 (the default), or lock the user's account for a given number of minutes. After the lockout interval, the user will be able to authenticate to OpenAM again.",
"propertyOrder" : 1300,
"required" : true,
"type" : "integer"
},
"lockoutWarnUserCount" : {
"title" : "Warn User After N Failures",
"description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"invalidAttemptsDataAttributeName" : {
"title" : "Invalid Attempts Data Attribute Name",
"description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the user's profile. This allows multiple instances of OpenAM in the same site to share information about a user's invalid authentication attempts. By default the custom attribute <code>sunAMAuthInvalidAttemptsData</code>, defined in the <code>sunAMAuthAccountLockout</code> objectclass, is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"lockoutAttributeName" : {
"title" : "Lockout Attribute Name",
"description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the user's profile.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"loginFailureCount" : {
"title" : "Login Failure Lockout Count",
"description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the user's account.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"lockoutEmailAddress" : {
"title" : "Email Address to Send Lockout Notification",
"description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message are configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"lockoutDurationMultiplier" : {
"title" : "Lockout Duration Multiplier",
"description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function. ",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
},
"loginFailureLockoutMode" : {
"title" : "Login Failure Lockout Mode",
"description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and, if a pre-defined limit is breached, OpenAM can lock out the user's account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"lockoutAttributeValue" : {
"title" : "Lockout Attribute Value",
"description" : "Value to set in the custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the user's profile when their account is locked.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"loginFailureDuration" : {
"title" : "Login Failure Lockout Interval",
"description" : "The lockout interval time, in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5, the user must have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications that occurred outside of the 5 minute interval are ignored.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
}
}
},
"postauthprocess" : {
"type" : "object",
"title" : "Post Authentication Processing",
"propertyOrder" : 6,
"properties" : {
"loginSuccessUrl" : {
"title" : "Default Success Login URL",
"description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginFailureUrl" : {
"title" : "Default Failure Login URL ",
"description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
"propertyOrder" : 1900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"usernameGeneratorClass" : {
"title" : "Pluggable User Name Generator Class",
"description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"usernameGeneratorEnabled" : {
"title" : "Generate UserID Mode",
"description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"loginPostProcessClass" : {
"title" : "Authentication Post Processing Classes",
"description" : "A list of post authentication processing classes for all users in this realm.<br><br>This is a list of Post Processing Classes that will be called by OpenAM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set and their precedence. <br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.",
"propertyOrder" : 2000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userAttributeSessionMapping" : {
"title" : "User Attribute Mapping to Session Attribute",
"description" : "Mapping of user profile attribute name to session attribute name.<br><br>This setting causes OpenAM to read the named attributes from the user's profile in the data store and store their values in the user's session.<br/><br/>Format: User Profile Attribute|Session Attribute name.",
"propertyOrder" : 3000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"security" : {
"type" : "object",
"title" : "Security",
"propertyOrder" : 5,
"properties" : {
"zeroPageLoginReferrerWhiteList" : {
"title" : "Zero Page Login Referer Whitelist",
"description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.",
"propertyOrder" : 3600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"keyAlias" : {
"title" : "Persistent Cookie Encryption Certificate Alias",
"description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"zeroPageLoginEnabled" : {
"title" : "Zero Page Login",
"description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.",
"propertyOrder" : 3400,
"required" : true,
"type" : "boolean"
},
"sharedSecret" : {
"title" : "Organization Authentication Signing Secret",
"description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. It should be Base64-encoded and at least 128 bits in length. By default a cryptographically secure random value is generated.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string",
"format" : "password"
},
"moduleBasedAuthEnabled" : {
"title" : "Module Based Authentication",
"description" : "Allows a user to authenticate via module based authentication.<br><br>This feature allows users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"zeroPageLoginAllowedWithoutReferrer" : {
"title" : "Zero Page Login Allowed without Referer?",
"description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
}
}
},
"userprofile" : {
"type" : "object",
"title" : "User Profile",
"propertyOrder" : 0,
"properties" : {
"defaultRole" : {
"title" : "User Profile Dynamic Creation Default Roles",
"description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"dynamicProfileCreation" : {
"title" : "User Profile",
"description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"aliasAttributeName" : {
"title" : "Alias Search Attribute Name",
"description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 3,
"properties" : {
"userStatusCallbackPlugins" : {
"title" : "Pluggable User Status Event Classes",
"description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.",
"propertyOrder" : 2600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"twoFactorRequired" : {
"title" : "Two Factor Authentication Mandatory",
"description" : "Enforces ALL 2FA (OATH and Push) authentication Modules (not nodes) only for this authentication realm.",
"propertyOrder" : 3900,
"required" : true,
"type" : "boolean"
},
"identityType" : {
"title" : "Identity Types",
"propertyOrder" : 2500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"locale" : {
"title" : "Default Authentication Locale",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"defaultAuthLevel" : {
"title" : "Default Authentication Level",
"description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
},
"statelessSessionsEnabled" : {
"title" : "Use Client-based Sessions",
"description" : "Enables client-based sessions.<br><br>Client-based sessions provide elastic scalability by storing all session state as a JWT in a cookie stored on the client. It is highly recommended to enable signing and encryption of the JWT in the global session service.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
}
}
},
"trees" : {
"type" : "object",
"title" : "Trees",
"propertyOrder" : 4,
"properties" : {
"authenticationSessionsStateManagement" : {
"title" : "Authentication session state management scheme",
"description" : "Specify how the authentication session state is managed.<br><br>CTS option will write the state down to the underlying core token store.<br />JWT option will transmit the state in a JWT to the client.<br />In-Memory option will maintain the state in the memory (requires sticky loadbalancing).<br /><br /> <em>To configure JWT signing, encryption, and blacklisting use the options in the Client-based Sessions section of the Sessions global service.</em>",
"propertyOrder" : 3850,
"required" : true,
"type" : "string"
},
"authenticationSessionsWhitelist" : {
"title" : "Enable whitelisting",
"description" : "Enables explicit whitelisting of valid authentication states to prevent replay attacks.<br><br>If enabled, each time a response is sent to the user a randomly generated state parameter is also sent back to user. This state parameter is stored accessible to AM and must be sent in with the subsequent request. After a request has been received with a valid state parameter, the next response contains a new state, and the server's view of the valid state parameter is updated.",
"propertyOrder" : 3860,
"required" : true,
"type" : "boolean"
},
"authenticationSessionsMaxDuration" : {
"title" : "Max duration (minutes)",
"description" : "Specify how long an authentication session can last.<br><br>From the time an authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed.",
"propertyOrder" : 3860,
"required" : true,
"type" : "integer"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : -1,
"properties" : {
"adminAuthModule" : {
"title" : "Administrator Authentication Configuration",
"description" : "Default Authentication Service for administrators<br><br>This is the authentication service that will be used to authentication administrative users to this realm.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"orgConfig" : {
"title" : "Organization Authentication Configuration",
"description" : "Default Authentication Service for users<br><br>This is the authentication service that will be used to authenticate users to this realm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
},
"accountlockout" : {
"type" : "object",
"title" : "Account Lockout",
"propertyOrder" : 2,
"properties" : {
"storeInvalidAttemptsInDataStore" : {
"title" : "Store Invalid Attempts in Data Store",
"description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled OpenAM will store the users invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"lockoutDuration" : {
"title" : "Login Failure Lockout Duration",
"description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.",
"propertyOrder" : 1300,
"required" : true,
"type" : "integer"
},
"lockoutWarnUserCount" : {
"title" : "Warn User After N Failures",
"description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"invalidAttemptsDataAttributeName" : {
"title" : "Invalid Attempts Data Attribute Name",
"description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"lockoutAttributeName" : {
"title" : "Lockout Attribute Name",
"description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"loginFailureCount" : {
"title" : "Login Failure Lockout Count",
"description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"lockoutEmailAddress" : {
"title" : "Email Address to Send Lockout Notification",
"description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"lockoutDurationMultiplier" : {
"title" : "Lockout Duration Multiplier",
"description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function. ",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
},
"loginFailureLockoutMode" : {
"title" : "Login Failure Lockout Mode",
"description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"lockoutAttributeValue" : {
"title" : "Lockout Attribute Value",
"description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"loginFailureDuration" : {
"title" : "Login Failure Lockout Interval",
"description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
}
}
},
"postauthprocess" : {
"type" : "object",
"title" : "Post Authentication Processing",
"propertyOrder" : 6,
"properties" : {
"loginSuccessUrl" : {
"title" : "Default Success Login URL",
"description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginFailureUrl" : {
"title" : "Default Failure Login URL ",
"description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
"propertyOrder" : 1900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"usernameGeneratorClass" : {
"title" : "Pluggable User Name Generator Class",
"description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"usernameGeneratorEnabled" : {
"title" : "Generate UserID Mode",
"description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"loginPostProcessClass" : {
"title" : "Authentication Post Processing Classes",
"description" : "A list of post authentication processing classes for all users in this realm.<br><br>This is a list of Post Processing Classes that will be called by OpenAM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set and their precedence. <br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.",
"propertyOrder" : 2000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userAttributeSessionMapping" : {
"title" : "User Attribute Mapping to Session Attribute",
"description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ",
"propertyOrder" : 3000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"security" : {
"type" : "object",
"title" : "Security",
"propertyOrder" : 5,
"properties" : {
"zeroPageLoginReferrerWhiteList" : {
"title" : "Zero Page Login Referer Whitelist",
"description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.",
"propertyOrder" : 3600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"keyAlias" : {
"title" : "Persistent Cookie Encryption Certificate Alias",
"description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"zeroPageLoginEnabled" : {
"title" : "Zero Page Login",
"description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.",
"propertyOrder" : 3400,
"required" : true,
"type" : "boolean"
},
"sharedSecret" : {
"title" : "Organization Authentication Signing Secret",
"description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be at Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string",
"format" : "password"
},
"moduleBasedAuthEnabled" : {
"title" : "Module Based Authentication",
"description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"zeroPageLoginAllowedWithoutReferrer" : {
"title" : "Zero Page Login Allowed without Referer?",
"description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
}
}
},
"userprofile" : {
"type" : "object",
"title" : "User Profile",
"propertyOrder" : 0,
"properties" : {
"defaultRole" : {
"title" : "User Profile Dynamic Creation Default Roles",
"description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"dynamicProfileCreation" : {
"title" : "User Profile",
"description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"aliasAttributeName" : {
"title" : "Alias Search Attribute Name",
"description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 3,
"properties" : {
"userStatusCallbackPlugins" : {
"title" : "Pluggable User Status Event Classes",
"description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.",
"propertyOrder" : 2600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"twoFactorRequired" : {
"title" : "Two Factor Authentication Mandatory",
"description" : "Enforces ALL 2FA (OATH and Push) authentication Modules (not nodes) only for this authentication realm.",
"propertyOrder" : 3900,
"required" : true,
"type" : "boolean"
},
"identityType" : {
"title" : "Identity Types",
"propertyOrder" : 2500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"locale" : {
"title" : "Default Authentication Locale",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"defaultAuthLevel" : {
"title" : "Default Authentication Level",
"description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
},
"statelessSessionsEnabled" : {
"title" : "Use Client-based Sessions",
"description" : "Enables client-based sessions.<br><br>Client-based sessions provide elastic scalability by storing all session state as a JWT in a cookie stored on the client. It is highly recommended to enable signing and encryption of the JWT in the global session service.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
}
}
},
"trees" : {
"type" : "object",
"title" : "Trees",
"propertyOrder" : 4,
"properties" : {
"authenticationSessionsStateManagement" : {
"title" : "Authentication session state management scheme",
"description" : "Specify how the authentication session state is managed.<br><br>CTS option will write the state down to the underlying core token store.<br />JWT option will transmit the state in a JWT to the client.<br />In-Memory option will maintain the state in the memory (requires sticky loadbalancing).<br /><br /> <em>To configure JWT signing, encryption, and blacklisting use the options in the Client-based Sessions section of the Sessions global service.</em>",
"propertyOrder" : 3850,
"required" : true,
"type" : "string"
},
"authenticationSessionsWhitelist" : {
"title" : "Enable whitelisting",
"description" : "Enables explicit whitelisting of valid authentication states to prevent replay attacks.<br><br>If enabled, each time a response is sent to the user a randomly generated state parameter is also sent back to user. This state parameter is stored accessible to AM and must be sent in with the subsequent request. After a request has been received with a valid state parameter, the next response contains a new state, and the server's view of the valid state parameter is updated.",
"propertyOrder" : 3860,
"required" : true,
"type" : "boolean"
},
"authenticationSessionsMaxDuration" : {
"title" : "Max duration (minutes)",
"description" : "Specify how long an authentication session can last.<br><br>From the time an authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed.",
"propertyOrder" : 3860,
"required" : true,
"type" : "integer"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : -1,
"properties" : {
"adminAuthModule" : {
"title" : "Administrator Authentication Configuration",
"description" : "Default Authentication Service for administrators<br><br>This is the authentication service that will be used to authentication administrative users to this realm.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"orgConfig" : {
"title" : "Organization Authentication Configuration",
"description" : "Default Authentication Service for users<br><br>This is the authentication service that will be used to authenticate users to this realm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
},
"accountlockout" : {
"type" : "object",
"title" : "Account Lockout",
"propertyOrder" : 2,
"properties" : {
"storeInvalidAttemptsInDataStore" : {
"title" : "Store Invalid Attempts in Data Store",
"description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled OpenAM will store the users invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"lockoutDuration" : {
"title" : "Login Failure Lockout Duration",
"description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.",
"propertyOrder" : 1300,
"required" : true,
"type" : "integer"
},
"lockoutWarnUserCount" : {
"title" : "Warn User After N Failures",
"description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"invalidAttemptsDataAttributeName" : {
"title" : "Invalid Attempts Data Attribute Name",
"description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"lockoutAttributeName" : {
"title" : "Lockout Attribute Name",
"description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"loginFailureCount" : {
"title" : "Login Failure Lockout Count",
"description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"lockoutEmailAddress" : {
"title" : "Email Address to Send Lockout Notification",
"description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"lockoutDurationMultiplier" : {
"title" : "Lockout Duration Multiplier",
"description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function. ",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
},
"loginFailureLockoutMode" : {
"title" : "Login Failure Lockout Mode",
"description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"lockoutAttributeValue" : {
"title" : "Lockout Attribute Value",
"description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"loginFailureDuration" : {
"title" : "Login Failure Lockout Interval",
"description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
}
}
},
"postauthprocess" : {
"type" : "object",
"title" : "Post Authentication Processing",
"propertyOrder" : 6,
"properties" : {
"loginSuccessUrl" : {
"title" : "Default Success Login URL",
"description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginFailureUrl" : {
"title" : "Default Failure Login URL ",
"description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
"propertyOrder" : 1900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"usernameGeneratorClass" : {
"title" : "Pluggable User Name Generator Class",
"description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"usernameGeneratorEnabled" : {
"title" : "Generate UserID Mode",
"description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"loginPostProcessClass" : {
"title" : "Authentication Post Processing Classes",
"description" : "A list of post authentication processing classes for all users in this realm.<br><br>This is a list of Post Processing Classes that will be called by OpenAM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set and their precedence. <br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.",
"propertyOrder" : 2000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userAttributeSessionMapping" : {
"title" : "User Attribute Mapping to Session Attribute",
"description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ",
"propertyOrder" : 3000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"security" : {
"type" : "object",
"title" : "Security",
"propertyOrder" : 5,
"properties" : {
"zeroPageLoginReferrerWhiteList" : {
"title" : "Zero Page Login Referer Whitelist",
"description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.",
"propertyOrder" : 3600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"keyAlias" : {
"title" : "Persistent Cookie Encryption Certificate Alias",
"description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"zeroPageLoginEnabled" : {
"title" : "Zero Page Login",
"description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.",
"propertyOrder" : 3400,
"required" : true,
"type" : "boolean"
},
"sharedSecret" : {
"title" : "Organization Authentication Signing Secret",
"description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be at Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string",
"format" : "password"
},
"moduleBasedAuthEnabled" : {
"title" : "Module Based Authentication",
"description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"zeroPageLoginAllowedWithoutReferrer" : {
"title" : "Zero Page Login Allowed without Referer?",
"description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
}
}
},
"userprofile" : {
"type" : "object",
"title" : "User Profile",
"propertyOrder" : 0,
"properties" : {
"defaultRole" : {
"title" : "User Profile Dynamic Creation Default Roles",
"description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"dynamicProfileCreation" : {
"title" : "User Profile",
"description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"aliasAttributeName" : {
"title" : "Alias Search Attribute Name",
"description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 3,
"properties" : {
"userStatusCallbackPlugins" : {
"title" : "Pluggable User Status Event Classes",
"description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.",
"propertyOrder" : 2600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"twoFactorRequired" : {
"title" : "Two Factor Authentication Mandatory",
"description" : "Enforces ALL 2FA (OATH and Push) authentication Modules (not nodes) only for this authentication realm.",
"propertyOrder" : 3900,
"required" : true,
"type" : "boolean"
},
"identityType" : {
"title" : "Identity Types",
"propertyOrder" : 2500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"locale" : {
"title" : "Default Authentication Locale",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"defaultAuthLevel" : {
"title" : "Default Authentication Level",
"description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
},
"statelessSessionsEnabled" : {
"title" : "Use Client-based Sessions",
"description" : "Enables client-based sessions.<br><br>Client-based sessions provide elastic scalability by storing all session state as a JWT in a cookie stored on the client. It is highly recommended to enable signing and encryption of the JWT in the global session service.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
}
}
},
"trees" : {
"type" : "object",
"title" : "Trees",
"propertyOrder" : 4,
"properties" : {
"authenticationSessionsStateManagement" : {
"title" : "Authentication session state management scheme",
"description" : "Specify how the authentication session state is managed.<br><br>CTS option will write the state down to the underlying core token store.<br />JWT option will transmit the state in a JWT to the client.<br />In-Memory option will maintain the state in the memory (requires sticky loadbalancing).<br /><br /> <em>To configure JWT signing, encryption, and blacklisting use the options in the Client-based Sessions section of the Sessions global service.</em>",
"propertyOrder" : 3850,
"required" : true,
"type" : "string"
},
"authenticationSessionsWhitelist" : {
"title" : "Enable whitelisting",
"description" : "Enables explicit whitelisting of valid authentication states to prevent replay attacks.<br><br>If enabled, each time a response is sent to the user a randomly generated state parameter is also sent back to user. This state parameter is stored accessible to AM and must be sent in with the subsequent request. After a request has been received with a valid state parameter, the next response contains a new state, and the server's view of the valid state parameter is updated.",
"propertyOrder" : 3860,
"required" : true,
"type" : "boolean"
},
"authenticationSessionsMaxDuration" : {
"title" : "Max duration (minutes)",
"description" : "Specify how long an authentication session can last.<br><br>From the time an authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed.",
"propertyOrder" : 3860,
"required" : true,
"type" : "integer"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : -1,
"properties" : {
"adminAuthModule" : {
"title" : "Administrator Authentication Configuration",
"description" : "Default Authentication Service for administrators<br><br>This is the authentication service that will be used to authentication administrative users to this realm.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"orgConfig" : {
"title" : "Organization Authentication Configuration",
"description" : "Default Authentication Service for users<br><br>This is the authentication service that will be used to authenticate users to this realm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
},
"accountlockout" : {
"type" : "object",
"title" : "Account Lockout",
"propertyOrder" : 2,
"properties" : {
"storeInvalidAttemptsInDataStore" : {
"title" : "Store Invalid Attempts in Data Store",
"description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled OpenAM will store the users invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"lockoutDuration" : {
"title" : "Login Failure Lockout Duration",
"description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.",
"propertyOrder" : 1300,
"required" : true,
"type" : "integer"
},
"lockoutWarnUserCount" : {
"title" : "Warn User After N Failures",
"description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"invalidAttemptsDataAttributeName" : {
"title" : "Invalid Attempts Data Attribute Name",
"description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"lockoutAttributeName" : {
"title" : "Lockout Attribute Name",
"description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"loginFailureCount" : {
"title" : "Login Failure Lockout Count",
"description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"lockoutEmailAddress" : {
"title" : "Email Address to Send Lockout Notification",
"description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"lockoutDurationMultiplier" : {
"title" : "Lockout Duration Multiplier",
"description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function. ",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
},
"loginFailureLockoutMode" : {
"title" : "Login Failure Lockout Mode",
"description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"lockoutAttributeValue" : {
"title" : "Lockout Attribute Value",
"description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"loginFailureDuration" : {
"title" : "Login Failure Lockout Interval",
"description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
}
}
},
"postauthprocess" : {
"type" : "object",
"title" : "Post Authentication Processing",
"propertyOrder" : 6,
"properties" : {
"loginSuccessUrl" : {
"title" : "Default Success Login URL",
"description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginFailureUrl" : {
"title" : "Default Failure Login URL ",
"description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
"propertyOrder" : 1900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"usernameGeneratorClass" : {
"title" : "Pluggable User Name Generator Class",
"description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"usernameGeneratorEnabled" : {
"title" : "Generate UserID Mode",
"description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"loginPostProcessClass" : {
"title" : "Authentication Post Processing Classes",
"description" : "A list of post authentication processing classes for all users in this realm.<br><br>This is a list of Post Processing Classes that will be called by OpenAM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set and their precedence. <br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.",
"propertyOrder" : 2000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userAttributeSessionMapping" : {
"title" : "User Attribute Mapping to Session Attribute",
"description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ",
"propertyOrder" : 3000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"security" : {
"type" : "object",
"title" : "Security",
"propertyOrder" : 5,
"properties" : {
"zeroPageLoginReferrerWhiteList" : {
"title" : "Zero Page Login Referer Whitelist",
"description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.",
"propertyOrder" : 3600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"keyAlias" : {
"title" : "Persistent Cookie Encryption Certificate Alias",
"description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"zeroPageLoginEnabled" : {
"title" : "Zero Page Login",
"description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.",
"propertyOrder" : 3400,
"required" : true,
"type" : "boolean"
},
"sharedSecret" : {
"title" : "Organization Authentication Signing Secret",
"description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be at Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string",
"format" : "password"
},
"moduleBasedAuthEnabled" : {
"title" : "Module Based Authentication",
"description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"zeroPageLoginAllowedWithoutReferrer" : {
"title" : "Zero Page Login Allowed without Referer?",
"description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
}
}
},
"userprofile" : {
"type" : "object",
"title" : "User Profile",
"propertyOrder" : 0,
"properties" : {
"defaultRole" : {
"title" : "User Profile Dynamic Creation Default Roles",
"description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"dynamicProfileCreation" : {
"title" : "User Profile",
"description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"aliasAttributeName" : {
"title" : "Alias Search Attribute Name",
"description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
/realm-config/authentication/authenticationtrees
1.0
Sub-path parent for all authentication tree configuration.
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/authentication/authenticationtrees/nodes
1.0
Auth Tree Nodes
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/authentication/authenticationtrees/nodes/AccountLockoutNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"lockAction" : {
"title" : "Lock Action",
"description" : "If the action is set to LOCK, the node will lock the account.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "lockAction" ]
}
/realm-config/authentication/authenticationtrees/nodes/AccountLockoutNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"lockAction" : {
"title" : "Lock Action",
"description" : "If the action is set to LOCK, the node will lock the account.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "lockAction" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"lockAction" : {
"title" : "Lock Action",
"description" : "If the action is set to LOCK, the node will lock the account.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "lockAction" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"lockAction" : {
"title" : "Lock Action",
"description" : "If the action is set to LOCK, the node will lock the account.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "lockAction" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"lockAction" : {
"title" : "Lock Action",
"description" : "If the action is set to LOCK, the node will lock the account.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "lockAction" ]
}
/realm-config/authentication/authenticationtrees/nodes/AnonymousUserNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"anonymousUserName" : {
"title" : "Anonymous User Name",
"description" : "The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "anonymousUserName" ]
}
/realm-config/authentication/authenticationtrees/nodes/AnonymousUserNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"anonymousUserName" : {
"title" : "Anonymous User Name",
"description" : "The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "anonymousUserName" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"anonymousUserName" : {
"title" : "Anonymous User Name",
"description" : "The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "anonymousUserName" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"anonymousUserName" : {
"title" : "Anonymous User Name",
"description" : "The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "anonymousUserName" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"anonymousUserName" : {
"title" : "Anonymous User Name",
"description" : "The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "anonymousUserName" ]
}
/realm-config/authentication/authenticationtrees/nodes/AuthLevelDecisionNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authLevelRequirement" : {
"title" : "Sufficient Authentication Level",
"description" : "The current authentication level must be greater than or equal to this value for the decision to return true.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "authLevelRequirement" ]
}
/realm-config/authentication/authenticationtrees/nodes/AuthLevelDecisionNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authLevelRequirement" : {
"title" : "Sufficient Authentication Level",
"description" : "The current authentication level must be greater than or equal to this value for the decision to return true.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "authLevelRequirement" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authLevelRequirement" : {
"title" : "Sufficient Authentication Level",
"description" : "The current authentication level must be greater than or equal to this value for the decision to return true.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "authLevelRequirement" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authLevelRequirement" : {
"title" : "Sufficient Authentication Level",
"description" : "The current authentication level must be greater than or equal to this value for the decision to return true.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "authLevelRequirement" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authLevelRequirement" : {
"title" : "Sufficient Authentication Level",
"description" : "The current authentication level must be greater than or equal to this value for the decision to return true.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "authLevelRequirement" ]
}
/realm-config/authentication/authenticationtrees/nodes/ChoiceCollectorNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"choices" : {
"title" : "Choices",
"description" : "List of values that represents the choices for the user",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
},
"prompt" : {
"title" : "Prompt",
"description" : "Prompt displayed on the choice page",
"propertyOrder" : 300,
"type" : "string"
},
"defaultChoice" : {
"title" : "Default Choice",
"description" : "The default selected choice value",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "defaultChoice", "prompt", "choices" ]
}
/realm-config/authentication/authenticationtrees/nodes/ChoiceCollectorNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"choices" : {
"title" : "Choices",
"description" : "List of values that represents the choices for the user",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
},
"prompt" : {
"title" : "Prompt",
"description" : "Prompt displayed on the choice page",
"propertyOrder" : 300,
"type" : "string"
},
"defaultChoice" : {
"title" : "Default Choice",
"description" : "The default selected choice value",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "defaultChoice", "prompt", "choices" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"choices" : {
"title" : "Choices",
"description" : "List of values that represents the choices for the user",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
},
"prompt" : {
"title" : "Prompt",
"description" : "Prompt displayed on the choice page",
"propertyOrder" : 300,
"type" : "string"
},
"defaultChoice" : {
"title" : "Default Choice",
"description" : "The default selected choice value",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "defaultChoice", "prompt", "choices" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"choices" : {
"title" : "Choices",
"description" : "List of values that represents the choices for the user",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
},
"prompt" : {
"title" : "Prompt",
"description" : "Prompt displayed on the choice page",
"propertyOrder" : 300,
"type" : "string"
},
"defaultChoice" : {
"title" : "Default Choice",
"description" : "The default selected choice value",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "defaultChoice", "prompt", "choices" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"choices" : {
"title" : "Choices",
"description" : "List of values that represents the choices for the user",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
},
"prompt" : {
"title" : "Prompt",
"description" : "Prompt displayed on the choice page",
"propertyOrder" : 300,
"type" : "string"
},
"defaultChoice" : {
"title" : "Default Choice",
"description" : "The default selected choice value",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "defaultChoice", "prompt", "choices" ]
}
/realm-config/authentication/authenticationtrees/nodes/CreatePasswordNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"minPasswordLength" : {
"title" : "minPasswordLength",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "minPasswordLength" ]
}
/realm-config/authentication/authenticationtrees/nodes/CreatePasswordNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"minPasswordLength" : {
"title" : "minPasswordLength",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "minPasswordLength" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"minPasswordLength" : {
"title" : "minPasswordLength",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "minPasswordLength" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"minPasswordLength" : {
"title" : "minPasswordLength",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "minPasswordLength" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"minPasswordLength" : {
"title" : "minPasswordLength",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "minPasswordLength" ]
}
/realm-config/authentication/authenticationtrees/nodes/DataStoreDecisionNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/authentication/authenticationtrees/nodes/DataStoreDecisionNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object"
}
/realm-config/authentication/authenticationtrees/nodes/InnerTreeEvaluatorNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"tree" : {
"title" : "Tree Name",
"description" : "The name of the tree that will be evaluated.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "tree" ]
}
/realm-config/authentication/authenticationtrees/nodes/InnerTreeEvaluatorNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"tree" : {
"title" : "Tree Name",
"description" : "The name of the tree that will be evaluated.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "tree" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"tree" : {
"title" : "Tree Name",
"description" : "The name of the tree that will be evaluated.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "tree" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"tree" : {
"title" : "Tree Name",
"description" : "The name of the tree that will be evaluated.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "tree" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"tree" : {
"title" : "Tree Name",
"description" : "The name of the tree that will be evaluated.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "tree" ]
}
/realm-config/authentication/authenticationtrees/nodes/LdapDecisionNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "When enabled, blindly trust server certificates, including self-signed test certificates. <br><br><em>Note:</em> Use this feature with care as it bypasses the normal certificate verification process.",
"propertyOrder" : 1500,
"type" : "boolean"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "Specifies an additional filter to append to user searches. <br><br>For example, searching for <code>mail</code> and specifying a User Search Filter of <code>(objectClass=inetOrgPerson)</code>, causes AM to use <code>(&(mail=<replaceable>address</replaceable>)(objectClass=inetOrgPerson))</code> as the resulting search filter, where <replaceable>address</replaceable> is the mail address provided by the user.",
"propertyOrder" : 800,
"type" : "string"
},
"secondaryServers" : {
"title" : "Secondary LDAP Server",
"description" : "Specify one or more secondary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>Secondary servers are used when none of the primary servers are available.<br><br>For example, <code>directory_services_backup.example.com</code>.",
"propertyOrder" : 200,
"items" : {
"type" : "string"
},
"type" : "array"
},
"searchFilterAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "Specifies the attributes used to match an entry in the directory server to the credentials provided by the user. <br><br>The default value of <code>uid</code> will form the following search filter of <code>uid=user</code>. Specifying multiple values such as <code>uid</code> and <code>cn</code> causes the node to create a search filter of <code>(|(uid=user)(cn=user))</code>. <br><br>Multiple attribute values allow the user to authenticate with any one of the values. For example, if you have both <code>uid</code> and <code>mail</code>, then Barbara Jensen can authenticate with either <code>bjensen</code> or <code>bjensen@example.com</code>.",
"propertyOrder" : 700,
"items" : {
"type" : "string"
},
"type" : "array"
},
"heartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Specifies the time unit corresponding to LDAP Connection Heartbeat Interval.<br><br> Default: Seconds",
"propertyOrder" : 1700,
"type" : "string"
},
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "Specifies the minimum acceptable password length.",
"propertyOrder" : 1300,
"type" : "integer"
},
"ldapConnectionMode" : {
"title" : "LDAP Connection Mode",
"description" : "Specifies whether to use SSL or StartTLS to connect to the LDAP user data store. <br><br>AM must be able to trust the certificates used.",
"propertyOrder" : 1000,
"type" : "string"
},
"accountSearchBaseDn" : {
"title" : "DN to Start User Search",
"description" : "Specify the DN from which to start the user search.<br><br>More specific DNs, such as <code>ou=sales,dc=example,dc=com</code>, result in better search performance. If multiple entries exist in the store with identical attribute values, ensure this property is specific enough to return only one entry.",
"propertyOrder" : 300,
"items" : {
"type" : "string"
},
"type" : "array"
},
"heartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. <br><br>Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to <code>0</code> or to a negative number. Set the units for the interval in the LDAP Connection Heartbeat Time Unit property.",
"propertyOrder" : 1600,
"type" : "integer"
},
"ldapOperationsTimeout" : {
"title" : "LDAP Operations Timeout",
"description" : "Defines the timeout in milliseconds that AM should wait for a response from the directory server.<br><br> Default: <code>0</code> (No timeout).",
"propertyOrder" : 1800,
"type" : "integer"
},
"userCreationAttrs" : {
"title" : "User Creation Attributes",
"description" : "This list lets you map (external) attribute names from the LDAP directory server to (internal) attribute names used by AM. <br><br>The format of this property is: <br><code>local attr1|external attr1</code>",
"propertyOrder" : 1200,
"items" : {
"type" : "string"
},
"type" : "array"
},
"primaryServers" : {
"title" : "Primary LDAP Server",
"description" : "Specify one or more primary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>For example, <code>directory_services.example.com:389</code>.",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
},
"adminDn" : {
"title" : "Bind User DN",
"description" : "Specify the user DN used to bind to the LDAP user data store. <br><br><em>Note:</em> <code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "Specifies the extent of searching for users in the directory server. <br><br>Scope <code>OBJECT</code> means search only the entry specified as the DN to Start User Search, whereas <code>ONELEVEL</code> means search only the entries that are directly children of that object. <code>SUBTREE</code> means search the entry specified and every entry under it.",
"propertyOrder" : 900,
"type" : "string"
},
"beheraEnabled" : {
"title" : "LDAP Behera Password Policy Support",
"description" : "Enables support for modern LDAP password policies. <br><br>LDAP Behera Password policies are supported by modern LDAP servers such as DS. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
"propertyOrder" : 1400,
"type" : "boolean"
},
"userProfileAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "Specifies the attribute used to retrieve the profile of a user from the directory server. <br><br>The user search will have already happened, as specified by the Attributes Used to Search for a User to be Authenticated and User Search Filter properties.",
"propertyOrder" : 600,
"type" : "string"
},
"returnUserDn" : {
"title" : "Return User DN to DataStore",
"description" : "When enabled, the node returns the DN rather than the User ID.",
"propertyOrder" : 1100,
"type" : "boolean"
},
"adminPassword" : {
"title" : "Bind User Password",
"description" : "Specify the password of the account used to bind to the LDAP user data store.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
}
},
"required" : [ "searchScope", "accountSearchBaseDn", "ldapOperationsTimeout", "beheraEnabled", "userProfileAttribute", "adminPassword", "heartbeatTimeUnit", "secondaryServers", "adminDn", "minimumPasswordLength", "searchFilterAttributes", "returnUserDn", "ldapConnectionMode", "userCreationAttrs", "primaryServers", "heartbeatInterval", "trustAllServerCertificates" ]
}
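The property descriptions above state how the node composes its user search filter (one attribute, several attributes OR-ed, and an optional User Search Filter AND-ed on) and caution about two settings (trustAllServerCertificates and a cn=Directory Manager bind DN). The following is an added example, not AM's own code: it composes the filter exactly as those descriptions state, adds RFC 4515 escaping of the user-supplied value (an addition the page does not describe), and reviews a node configuration against the cautions in the descriptions. The function names, the review rules and SAMPLE_CONFIG are my own constructions.

```python
"""Added example (not part of AM): compose the LdapDecisionNode search filter
the way its property descriptions state, and review a node configuration for
the settings those same descriptions caution about."""

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion
# value. Escaping is an addition here; the schema descriptions do not cover it.
_RFC4515_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally, never parsed
    as filter syntax (so a '*' typed by the user is not a wildcard)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(search_filter_attributes, user_input, user_search_filter=""):
    """Compose the filter as the searchFilterAttributes / userSearchFilter
    descriptions state:
      ["uid"]                        -> (uid=user)   (the page abbreviates this as uid=user)
      ["uid", "cn"]                  -> (|(uid=user)(cn=user))
      ["mail"] + User Search Filter  -> (&(mail=address)(objectClass=inetOrgPerson))
    """
    if not search_filter_attributes:
        raise ValueError("searchFilterAttributes must name at least one attribute")
    value = escape_filter_value(user_input)
    clauses = "".join(f"({attr}={value})" for attr in search_filter_attributes)
    identity = clauses if len(search_filter_attributes) == 1 else f"(|{clauses})"
    if not user_search_filter:
        return identity
    # The additional filter is administrator-supplied RFC 4515 filter text; make
    # sure it is parenthesised before AND-ing it with the identity clause.
    extra = user_search_filter.strip()
    if not extra.startswith("("):
        extra = f"({extra})"
    return f"(&{identity}{extra})"


def review_node_config(config: dict) -> list:
    """Return review findings for an LdapDecisionNode configuration (a dict
    shaped like the schema above). The rules are my own reading of the cautions
    in the property descriptions, not an AM feature."""
    findings = []
    if config.get("trustAllServerCertificates") is True:
        findings.append("trustAllServerCertificates is enabled: server certificate "
                        "verification is bypassed")
    admin_dn = config.get("adminDn", "")
    if admin_dn.replace(" ", "").lower() == "cn=directorymanager":
        findings.append("adminDn is cn=Directory Manager, which the schema says "
                        "not to use in production systems")
    if config.get("ldapOperationsTimeout", 0) == 0:
        findings.append("ldapOperationsTimeout is 0: AM waits indefinitely for "
                        "the directory server")
    return findings


# Constructed sample configuration (not taken from any real deployment); the
# server names reuse the examples given in the schema descriptions.
SAMPLE_CONFIG = {
    "primaryServers": ["directory_services.example.com:389"],
    "secondaryServers": ["directory_services_backup.example.com:389"],
    "accountSearchBaseDn": ["ou=people,dc=example,dc=com"],
    "adminDn": "cn=Directory Manager",
    "adminPassword": "<placeholder>",
    "searchFilterAttributes": ["uid", "mail"],
    "userSearchFilter": "(objectClass=inetOrgPerson)",
    "ldapOperationsTimeout": 0,
    "trustAllServerCertificates": True,
}

if __name__ == "__main__":
    print(build_user_search_filter(SAMPLE_CONFIG["searchFilterAttributes"],
                                   "bjensen@example.com",
                                   SAMPLE_CONFIG["userSearchFilter"]))
    for finding in review_node_config(SAMPLE_CONFIG):
        print("finding:", finding)
```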
/realm-config/authentication/authenticationtrees/nodes/LdapDecisionNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "When enabled, blindly trust server certificates, including self-signed test certificates. <br><br><em>Note:</em> Use this feature with care as it bypasses the normal certificate verification process.",
"propertyOrder" : 1500,
"type" : "boolean"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "Specifies an additional filter to append to user searches. <br><br>For example, searching for <code>mail</code> and specifying a User Search Filter of <code>(objectClass=inetOrgPerson)</code>, causes AM to use <code>(&(mail=<replaceable>address</replaceable>)(objectClass=inetOrgPerson))</code> as the resulting search filter, where <replaceable>address</replaceable> is the mail address provided by the user.",
"propertyOrder" : 800,
"type" : "string"
},
"secondaryServers" : {
"title" : "Secondary LDAP Server",
"description" : "Specify one or more secondary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>Secondary servers are used when none of the primary servers are available.<br><br>For example, <code>directory_services_backup.example.com</code>.",
"propertyOrder" : 200,
"items" : {
"type" : "string"
},
"type" : "array"
},
"searchFilterAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "Specifies the attributes used to match an entry in the directory server to the credentials provided by the user. <br><br>The default value of <code>uid</code> will form the following search filter of <code>uid=user</code>. Specifying multiple values such as <code>uid</code> and <code>cn</code> causes the node to create a search filter of <code>(|(uid=user)(cn=user))</code>. <br><br>Multiple attribute values allow the user to authenticate with any one of the values. For example, if you have both <code>uid</code> and <code>mail</code>, then Barbara Jensen can authenticate with either <code>bjensen</code> or <code>bjensen@example.com</code>.",
"propertyOrder" : 700,
"items" : {
"type" : "string"
},
"type" : "array"
},
"heartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Specifies the time unit corresponding to LDAP Connection Heartbeat Interval.<br><br> Default: Seconds",
"propertyOrder" : 1700,
"type" : "string"
},
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "Specifies the minimum acceptable password length.",
"propertyOrder" : 1300,
"type" : "integer"
},
"ldapConnectionMode" : {
"title" : "LDAP Connection Mode",
"description" : "Specifies whether to use SSL or StartTLS to connect to the LDAP user data store. <br><br>AM must be able to trust the certificates used.",
"propertyOrder" : 1000,
"type" : "string"
},
"accountSearchBaseDn" : {
"title" : "DN to Start User Search",
"description" : "Specify the DN from which to start the user search.<br><br>More specific DNs, such as <code>ou=sales,dc=example,dc=com</code>, result in better search performance. If multiple entries exist in the store with identical attribute values, ensure this property is specific enough to return only one entry.",
"propertyOrder" : 300,
"items" : {
"type" : "string"
},
"type" : "array"
},
"heartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. <br><br>Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to <code>0</code> or to a negative number. Set the units for the interval in the LDAP Connection Heartbeat Time Unit property.",
"propertyOrder" : 1600,
"type" : "integer"
},
"ldapOperationsTimeout" : {
"title" : "LDAP Operations Timeout",
"description" : "Defines the timeout in milliseconds that AM should wait for a response from the directory server.<br><br> Default: <code>0</code> (No timeout).",
"propertyOrder" : 1800,
"type" : "integer"
},
"userCreationAttrs" : {
"title" : "User Creation Attributes",
"description" : "This list lets you map (external) attribute names from the LDAP directory server to (internal) attribute names used by AM. <br><br>The format of this property is: <br><code>local attr1|external attr1</code>",
"propertyOrder" : 1200,
"items" : {
"type" : "string"
},
"type" : "array"
},
"primaryServers" : {
"title" : "Primary LDAP Server",
"description" : "Specify one or more primary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>For example, <code>directory_services.example.com:389</code>.",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
},
"adminDn" : {
"title" : "Bind User DN",
"description" : "Specify the user DN used to bind to the LDAP user data store. <br><br><em>Note:</em> <code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "Specifies the extent of searching for users in the directory server. <br><br>Scope <code>OBJECT</code> means search only the entry specified as the DN to Start User Search, whereas <code>ONELEVEL</code> means search only the entries that are directly children of that object. <code>SUBTREE</code> means search the entry specified and every entry under it.",
"propertyOrder" : 900,
"type" : "string"
},
"beheraEnabled" : {
"title" : "LDAP Behera Password Policy Support",
"description" : "Enables support for modern LDAP password policies. <br><br>LDAP Behera Password policies are supported by modern LDAP servers such as DS. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
"propertyOrder" : 1400,
"type" : "boolean"
},
"userProfileAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "Specifies the attribute used to retrieve the profile of a user from the directory server. <br><br>The user search will have already happened, as specified by the Attributes Used to Search for a User to be Authenticated and User Search Filter properties.",
"propertyOrder" : 600,
"type" : "string"
},
"returnUserDn" : {
"title" : "Return User DN to DataStore",
"description" : "When enabled, the node returns the DN rather than the User ID.",
"propertyOrder" : 1100,
"type" : "boolean"
},
"adminPassword" : {
"title" : "Bind User Password",
"description" : "Specify the password of the account used to bind to the LDAP user data store.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
}
},
"required" : [ "searchScope", "accountSearchBaseDn", "ldapOperationsTimeout", "beheraEnabled", "userProfileAttribute", "adminPassword", "heartbeatTimeUnit", "secondaryServers", "adminDn", "minimumPasswordLength", "searchFilterAttributes", "returnUserDn", "ldapConnectionMode", "userCreationAttrs", "primaryServers", "heartbeatInterval", "trustAllServerCertificates" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "When enabled, blindly trust server certificates, including self-signed test certificates. <br><br><em>Note:</em> Use this feature with care as it bypasses the normal certificate verification process.",
"propertyOrder" : 1500,
"type" : "boolean"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "Specifies an additional filter to append to user searches. <br><br>For example, searching for <code>mail</code> and specifying a User Search Filter of <code>(objectClass=inetOrgPerson)</code>, causes AM to use <code>(&(mail=<replaceable>address</replaceable>)(objectClass=inetOrgPerson))</code> as the resulting search filter, where <replaceable>address</replaceable> is the mail address provided by the user.",
"propertyOrder" : 800,
"type" : "string"
},
"secondaryServers" : {
"title" : "Secondary LDAP Server",
"description" : "Specify one or more secondary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>Secondary servers are used when none of the primary servers are available.<br><br>For example, <code>directory_services_backup.example.com</code>.",
"propertyOrder" : 200,
"items" : {
"type" : "string"
},
"type" : "array"
},
"searchFilterAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "Specifies the attributes used to match an entry in the directory server to the credentials provided by the user. <br><br>The default value of <code>uid</code> will form the following search filter of <code>uid=user</code>. Specifying multiple values such as <code>uid</code> and <code>cn</code> causes the node to create a search filter of <code>(|(uid=user)(cn=user))</code>. <br><br>Multiple attribute values allow the user to authenticate with any one of the values. For example, if you have both <code>uid</code> and <code>mail</code>, then Barbara Jensen can authenticate with either <code>bjensen</code> or <code>bjensen@example.com</code>.",
"propertyOrder" : 700,
"items" : {
"type" : "string"
},
"type" : "array"
},
"heartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Specifies the time unit corresponding to LDAP Connection Heartbeat Interval.<br><br> Default: Seconds",
"propertyOrder" : 1700,
"type" : "string"
},
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "Specifies the minimum acceptable password length.",
"propertyOrder" : 1300,
"type" : "integer"
},
"ldapConnectionMode" : {
"title" : "LDAP Connection Mode",
"description" : "Specifies whether to use SSL or StartTLS to connect to the LDAP user data store. <br><br>AM must be able to trust the certificates used.",
"propertyOrder" : 1000,
"type" : "string"
},
"accountSearchBaseDn" : {
"title" : "DN to Start User Search",
"description" : "Specify the DN from which to start the user search.<br><br>More specific DNs, such as <code>ou=sales,dc=example,dc=com</code>, result in better search performance. If multiple entries exist in the store with identical attribute values, ensure this property is specific enough to return only one entry.",
"propertyOrder" : 300,
"items" : {
"type" : "string"
},
"type" : "array"
},
"heartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. <br><br>Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to <code>0</code> or to a negative number. Set the units for the interval in the LDAP Connection Heartbeat Time Unit property.",
"propertyOrder" : 1600,
"type" : "integer"
},
"ldapOperationsTimeout" : {
"title" : "LDAP Operations Timeout",
"description" : "Defines the timeout in milliseconds that AM should wait for a response from the directory server.<br><br> Default: <code>0</code> (No timeout).",
"propertyOrder" : 1800,
"type" : "integer"
},
"userCreationAttrs" : {
"title" : "User Creation Attributes",
"description" : "This list lets you map (external) attribute names from the LDAP directory server to (internal) attribute names used by AM. <br><br>The format of this property is: <br><code>local attr1|external attr1</code>",
"propertyOrder" : 1200,
"items" : {
"type" : "string"
},
"type" : "array"
},
"primaryServers" : {
"title" : "Primary LDAP Server",
"description" : "Specify one or more primary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>For example, <code>directory_services.example.com:389</code>.",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
},
"adminDn" : {
"title" : "Bind User DN",
"description" : "Specify the user DN used to bind to the LDAP user data store. <br><br><em>Note:</em> <code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "Specifies the extent of searching for users in the directory server. <br><br>Scope <code>OBJECT</code> means search only the entry specified as the DN to Start User Search, whereas <code>ONELEVEL</code> means search only the entries that are directly children of that object. <code>SUBTREE</code> means search the entry specified and every entry under it.",
"propertyOrder" : 900,
"type" : "string"
},
"beheraEnabled" : {
"title" : "LDAP Behera Password Policy Support",
"description" : "Enables support for modern LDAP password policies. <br><br>LDAP Behera Password policies are supported by modern LDAP servers such as DS. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
"propertyOrder" : 1400,
"type" : "boolean"
},
"userProfileAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "Specifies the attribute used to retrieve the profile of a user from the directory server. <br><br>The user search will have already happened, as specified by the Attributes Used to Search for a User to be Authenticated and User Search Filter properties.",
"propertyOrder" : 600,
"type" : "string"
},
"returnUserDn" : {
"title" : "Return User DN to DataStore",
"description" : "When enabled, the node returns the DN rather than the User ID.",
"propertyOrder" : 1100,
"type" : "boolean"
},
"adminPassword" : {
"title" : "Bind User Password",
"description" : "Specify the password of the account used to bind to the LDAP user data store.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
}
},
"required" : [ "searchScope", "accountSearchBaseDn", "ldapOperationsTimeout", "beheraEnabled", "userProfileAttribute", "adminPassword", "heartbeatTimeUnit", "secondaryServers", "adminDn", "minimumPasswordLength", "searchFilterAttributes", "returnUserDn", "ldapConnectionMode", "userCreationAttrs", "primaryServers", "heartbeatInterval", "trustAllServerCertificates" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "When enabled, blindly trust server certificates, including self-signed test certificates. <br><br><em>Note:</em> Use this feature with care as it bypasses the normal certificate verification process.",
"propertyOrder" : 1500,
"type" : "boolean"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "Specifies an additional filter to append to user searches. <br><br>For example, searching for <code>mail</code> and specifying a User Search Filter of <code>(objectClass=inetOrgPerson)</code>, causes AM to use <code>(&(mail=<replaceable>address</replaceable>)(objectClass=inetOrgPerson))</code> as the resulting search filter, where <replaceable>address</replaceable> is the mail address provided by the user.",
"propertyOrder" : 800,
"type" : "string"
},
"secondaryServers" : {
"title" : "Secondary LDAP Server",
"description" : "Specify one or more secondary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>Secondary servers are used when none of the primary servers are available.<br><br>For example, <code>directory_services_backup.example.com</code>.",
"propertyOrder" : 200,
"items" : {
"type" : "string"
},
"type" : "array"
},
"searchFilterAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "Specifies the attributes used to match an entry in the directory server to the credentials provided by the user. <br><br>The default value of <code>uid</code> will form the following search filter of <code>uid=user</code>. Specifying multiple values such as <code>uid</code> and <code>cn</code> causes the node to create a search filter of <code>(|(uid=user)(cn=user))</code>. <br><br>Multiple attribute values allow the user to authenticate with any one of the values. For example, if you have both <code>uid</code> and <code>mail</code>, then Barbara Jensen can authenticate with either <code>bjensen</code> or <code>bjensen@example.com</code>.",
"propertyOrder" : 700,
"items" : {
"type" : "string"
},
"type" : "array"
},
"heartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Specifies the time unit corresponding to LDAP Connection Heartbeat Interval.<br><br> Default: Seconds",
"propertyOrder" : 1700,
"type" : "string"
},
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "Specifies the minimum acceptable password length.",
"propertyOrder" : 1300,
"type" : "integer"
},
"ldapConnectionMode" : {
"title" : "LDAP Connection Mode",
"description" : "Specifies whether to use SSL or StartTLS to connect to the LDAP user data store. <br><br>AM must be able to trust the certificates used.",
"propertyOrder" : 1000,
"type" : "string"
},
"accountSearchBaseDn" : {
"title" : "DN to Start User Search",
"description" : "Specify the DN from which to start the user search.<br><br>More specific DNs, such as <code>ou=sales,dc=example,dc=com</code>, result in better search performance. If multiple entries exist in the store with identical attribute values, ensure this property is specific enough to return only one entry.",
"propertyOrder" : 300,
"items" : {
"type" : "string"
},
"type" : "array"
},
"heartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. <br><br>Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to <code>0</code> or to a negative number. Set the units for the interval in the LDAP Connection Heartbeat Time Unit property.",
"propertyOrder" : 1600,
"type" : "integer"
},
"ldapOperationsTimeout" : {
"title" : "LDAP Operations Timeout",
"description" : "Defines the timeout in milliseconds that AM should wait for a response from the directory server.<br><br> Default: <code>0</code> (No timeout).",
"propertyOrder" : 1800,
"type" : "integer"
},
"userCreationAttrs" : {
"title" : "User Creation Attributes",
"description" : "This list lets you map (external) attribute names from the LDAP directory server to (internal) attribute names used by AM. <br><br>The format of this property is: <br><code>local attr1|external attr1</code>",
"propertyOrder" : 1200,
"items" : {
"type" : "string"
},
"type" : "array"
},
"primaryServers" : {
"title" : "Primary LDAP Server",
"description" : "Specify one or more primary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>For example, <code>directory_services.example.com:389</code>.",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
},
"adminDn" : {
"title" : "Bind User DN",
"description" : "Specify the user DN used to bind to the LDAP user data store. <br><br><em>Note:</em> <code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "Specifies the extent of searching for users in the directory server. <br><br>Scope <code>OBJECT</code> means search only the entry specified as the DN to Start User Search, whereas <code>ONELEVEL</code> means search only the entries that are directly children of that object. <code>SUBTREE</code> means search the entry specified and every entry under it.",
"propertyOrder" : 900,
"type" : "string"
},
"beheraEnabled" : {
"title" : "LDAP Behera Password Policy Support",
"description" : "Enables support for modern LDAP password policies. <br><br>LDAP Behera Password policies are supported by modern LDAP servers such as DS. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
"propertyOrder" : 1400,
"type" : "boolean"
},
"userProfileAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "Specifies the attribute used to retrieve the profile of a user from the directory server. <br><br>The user search will have already happened, as specified by the Attributes Used to Search for a User to be Authenticated and User Search Filter properties.",
"propertyOrder" : 600,
"type" : "string"
},
"returnUserDn" : {
"title" : "Return User DN to DataStore",
"description" : "When enabled, the node returns the DN rather than the User ID.",
"propertyOrder" : 1100,
"type" : "boolean"
},
"adminPassword" : {
"title" : "Bind User Password",
"description" : "Specify the password of the account used to bind to the LDAP user data store.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
}
},
"required" : [ "searchScope", "accountSearchBaseDn", "ldapOperationsTimeout", "beheraEnabled", "userProfileAttribute", "adminPassword", "heartbeatTimeUnit", "secondaryServers", "adminDn", "minimumPasswordLength", "searchFilterAttributes", "returnUserDn", "ldapConnectionMode", "userCreationAttrs", "primaryServers", "heartbeatInterval", "trustAllServerCertificates" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "When enabled, blindly trust server certificates, including self-signed test certificates. <br><br><em>Note:</em> Use this feature with care as it bypasses the normal certificate verification process.",
"propertyOrder" : 1500,
"type" : "boolean"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "Specifies an additional filter to append to user searches. <br><br>For example, searching for <code>mail</code> and specifying a User Search Filter of <code>(objectClass=inetOrgPerson)</code>, causes AM to use <code>(&(mail=<replaceable>address</replaceable>)(objectClass=inetOrgPerson))</code> as the resulting search filter, where <replaceable>address</replaceable> is the mail address provided by the user.",
"propertyOrder" : 800,
"type" : "string"
},
"secondaryServers" : {
"title" : "Secondary LDAP Server",
"description" : "Specify one or more secondary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>Secondary servers are used when none of the primary servers are available.<br><br>For example, <code>directory_services_backup.example.com</code>.",
"propertyOrder" : 200,
"items" : {
"type" : "string"
},
"type" : "array"
},
"searchFilterAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "Specifies the attributes used to match an entry in the directory server to the credentials provided by the user. <br><br>The default value of <code>uid</code> will form the following search filter of <code>uid=user</code>. Specifying multiple values such as <code>uid</code> and <code>cn</code> causes the node to create a search filter of <code>(|(uid=user)(cn=user))</code>. <br><br>Multiple attribute values allow the user to authenticate with any one of the values. For example, if you have both <code>uid</code> and <code>mail</code>, then Barbara Jensen can authenticate with either <code>bjensen</code> or <code>bjensen@example.com</code>.",
"propertyOrder" : 700,
"items" : {
"type" : "string"
},
"type" : "array"
},
"heartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Specifies the time unit corresponding to LDAP Connection Heartbeat Interval.<br><br> Default: Seconds",
"propertyOrder" : 1700,
"type" : "string"
},
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "Specifies the minimum acceptable password length.",
"propertyOrder" : 1300,
"type" : "integer"
},
"ldapConnectionMode" : {
"title" : "LDAP Connection Mode",
"description" : "Specifies whether to use SSL or StartTLS to connect to the LDAP user data store. <br><br>AM must be able to trust the certificates used.",
"propertyOrder" : 1000,
"type" : "string"
},
"accountSearchBaseDn" : {
"title" : "DN to Start User Search",
"description" : "Specify the DN from which to start the user search.<br><br>More specific DNs, such as <code>ou=sales,dc=example,dc=com</code>, result in better search performance. If multiple entries exist in the store with identical attribute values, ensure this property is specific enough to return only one entry.",
"propertyOrder" : 300,
"items" : {
"type" : "string"
},
"type" : "array"
},
"heartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. <br><br>Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to <code>0</code> or to a negative number. Set the units for the interval in the LDAP Connection Heartbeat Time Unit property.",
"propertyOrder" : 1600,
"type" : "integer"
},
"ldapOperationsTimeout" : {
"title" : "LDAP Operations Timeout",
"description" : "Defines the timeout in milliseconds that AM should wait for a response from the directory server.<br><br> Default: <code>0</code> (No timeout).",
"propertyOrder" : 1800,
"type" : "integer"
},
"userCreationAttrs" : {
"title" : "User Creation Attributes",
"description" : "This list lets you map (external) attribute names from the LDAP directory server to (internal) attribute names used by AM. <br><br>The format of this property is: <br><code>local attr1|external attr1</code>",
"propertyOrder" : 1200,
"items" : {
"type" : "string"
},
"type" : "array"
},
"primaryServers" : {
"title" : "Primary LDAP Server",
"description" : "Specify one or more primary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>For example, <code>directory_services.example.com:389</code>.",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
},
"adminDn" : {
"title" : "Bind User DN",
"description" : "Specify the user DN used to bind to the LDAP user data store. <br><br><em>Note:</em> <code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "Specifies the extent of searching for users in the directory server. <br><br>Scope <code>OBJECT</code> means search only the entry specified as the DN to Start User Search, whereas <code>ONELEVEL</code> means search only the entries that are directly children of that object. <code>SUBTREE</code> means search the entry specified and every entry under it.",
"propertyOrder" : 900,
"type" : "string"
},
"beheraEnabled" : {
"title" : "LDAP Behera Password Policy Support",
"description" : "Enables support for modern LDAP password policies. <br><br>LDAP Behera Password policies are supported by modern LDAP servers such as DS. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
"propertyOrder" : 1400,
"type" : "boolean"
},
"userProfileAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "Specifies the attribute used to retrieve the profile of a user from the directory server. <br><br>The user search will have already happened, as specified by the Attributes Used to Search for a User to be Authenticated and User Search Filter properties.",
"propertyOrder" : 600,
"type" : "string"
},
"returnUserDn" : {
"title" : "Return User DN to DataStore",
"description" : "When enabled, the node returns the DN rather than the User ID.",
"propertyOrder" : 1100,
"type" : "boolean"
},
"adminPassword" : {
"title" : "Bind User Password",
"description" : "Specify the password of the account used to bind to the LDAP user data store.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
}
},
"required" : [ "searchScope", "accountSearchBaseDn", "ldapOperationsTimeout", "beheraEnabled", "userProfileAttribute", "adminPassword", "heartbeatTimeUnit", "secondaryServers", "adminDn", "minimumPasswordLength", "searchFilterAttributes", "returnUserDn", "ldapConnectionMode", "userCreationAttrs", "primaryServers", "heartbeatInterval", "trustAllServerCertificates" ]
}
/realm-config/authentication/authenticationtrees/nodes/MeterNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"metricKey" : {
"title" : "Metric Key",
"description" : "Identifier of metric to update when this node is processed.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "metricKey" ]
}
/realm-config/authentication/authenticationtrees/nodes/MeterNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"metricKey" : {
"title" : "Metric Key",
"description" : "Identifier of metric to update when this node is processed.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "metricKey" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"metricKey" : {
"title" : "Metric Key",
"description" : "Identifier of metric to update when this node is processed.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "metricKey" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"metricKey" : {
"title" : "Metric Key",
"description" : "Identifier of metric to update when this node is processed.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "metricKey" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"metricKey" : {
"title" : "Metric Key",
"description" : "Identifier of metric to update when this node is processed.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "metricKey" ]
}
/realm-config/authentication/authenticationtrees/nodes/ModifyAuthLevelNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authLevelIncrement" : {
"title" : "Value To Add",
"description" : "Value which is added to the authentication level. Value may be negative to decrease the authentication level.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "authLevelIncrement" ]
}
/realm-config/authentication/authenticationtrees/nodes/ModifyAuthLevelNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authLevelIncrement" : {
"title" : "Value To Add",
"description" : "Value which is added to the authentication level. Value may be negative to decrease the authentication level.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "authLevelIncrement" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authLevelIncrement" : {
"title" : "Value To Add",
"description" : "Value which is added to the authentication level. Value may be negative to decrease the authentication level.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "authLevelIncrement" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authLevelIncrement" : {
"title" : "Value To Add",
"description" : "Value which is added to the authentication level. Value may be negative to decrease the authentication level.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "authLevelIncrement" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authLevelIncrement" : {
"title" : "Value To Add",
"description" : "Value which is added to the authentication level. Value may be negative to decrease the authentication level.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "authLevelIncrement" ]
}
/realm-config/authentication/authenticationtrees/nodes/OneTimePasswordCollectorDecisionNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"passwordExpiryTime" : {
"title" : "One Time Password Validity Length",
"description" : "This One Time Password will remain valid for this period in minutes.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "passwordExpiryTime" ]
}
/realm-config/authentication/authenticationtrees/nodes/OneTimePasswordCollectorDecisionNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"passwordExpiryTime" : {
"title" : "One Time Password Validity Length",
"description" : "This One Time Password will remain valid for this period in minutes.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "passwordExpiryTime" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"passwordExpiryTime" : {
"title" : "One Time Password Validity Length",
"description" : "This One Time Password will remain valid for this period in minutes.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "passwordExpiryTime" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"passwordExpiryTime" : {
"title" : "One Time Password Validity Length",
"description" : "This One Time Password will remain valid for this period in minutes.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "passwordExpiryTime" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"passwordExpiryTime" : {
"title" : "One Time Password Validity Length",
"description" : "This One Time Password will remain valid for this period in minutes.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "passwordExpiryTime" ]
}
/realm-config/authentication/authenticationtrees/nodes/OneTimePasswordGeneratorNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"length" : {
"title" : "One Time Password Length",
"description" : "The length in characters of the one time password.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "length" ]
}
/realm-config/authentication/authenticationtrees/nodes/OneTimePasswordGeneratorNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"length" : {
"title" : "One Time Password Length",
"description" : "The length in characters of the one time password.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "length" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"length" : {
"title" : "One Time Password Length",
"description" : "The length in characters of the one time password.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "length" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"length" : {
"title" : "One Time Password Length",
"description" : "The length in characters of the one time password.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "length" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"length" : {
"title" : "One Time Password Length",
"description" : "The length in characters of the one time password.",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "length" ]
}
/realm-config/authentication/authenticationtrees/nodes/OneTimePasswordSmsSenderNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server. The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 300,
"type" : "integer"
},
"mobilePhoneAttributeName" : {
"title" : "Mobile Phone Number Attribute Name",
"description" : "This is the attribute name used for a requested text message.",
"propertyOrder" : 1100,
"type" : "string"
},
"mobileCarrierAttributeName" : {
"title" : "Mobile Carrier Attribute Name",
"description" : "This is the attribute name used for a mobile carrier domain for sending SMS messages.",
"propertyOrder" : 1200,
"type" : "string"
},
"hostName" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server OpenAM will use to send the messages.",
"propertyOrder" : 200,
"type" : "string"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use when the mail server is using SMTP authentication",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use when the mail server is using SMTP authentication",
"propertyOrder" : 400,
"type" : "string"
},
"smsGatewayImplementationClass" : {
"title" : "Gateway Implementation Class",
"description" : "The OTP SMS Sender node uses this class to send SMS messages. <br><br>The gateway class must implement the following interface: <br><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 2200,
"type" : "string"
},
"fromEmailAddress" : {
"title" : "Email From Address",
"description" : "Emails from the OTP Email Sender node will come from this address.",
"propertyOrder" : 600,
"type" : "string"
},
"sslOption" : {
"title" : "Mail Server Secure Connection",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS.",
"propertyOrder" : 2100,
"type" : "string"
}
},
"required" : [ "password", "hostName", "smsGatewayImplementationClass", "sslOption", "username", "fromEmailAddress", "hostPort", "mobilePhoneAttributeName" ]
}
/realm-config/authentication/authenticationtrees/nodes/OneTimePasswordSmsSenderNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server. The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 300,
"type" : "integer"
},
"mobilePhoneAttributeName" : {
"title" : "Mobile Phone Number Attribute Name",
"description" : "This is the attribute name used for a requested text message.",
"propertyOrder" : 1100,
"type" : "string"
},
"mobileCarrierAttributeName" : {
"title" : "Mobile Carrier Attribute Name",
"description" : "This is the attribute name used for a mobile carrier domain for sending SMS messages.",
"propertyOrder" : 1200,
"type" : "string"
},
"hostName" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server OpenAM will use to send the messages.",
"propertyOrder" : 200,
"type" : "string"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use when the mail server is using SMTP authentication",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use when the mail server is using SMTP authentication",
"propertyOrder" : 400,
"type" : "string"
},
"smsGatewayImplementationClass" : {
"title" : "Gateway Implementation Class",
"description" : "The OTP SMS Sender node uses this class to send SMS messages. <br><br>The gateway class must implement the following interface: <br><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 2200,
"type" : "string"
},
"fromEmailAddress" : {
"title" : "Email From Address",
"description" : "Emails from the OTP Email Sender node will come from this address.",
"propertyOrder" : 600,
"type" : "string"
},
"sslOption" : {
"title" : "Mail Server Secure Connection",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS.",
"propertyOrder" : 2100,
"type" : "string"
}
},
"required" : [ "password", "hostName", "smsGatewayImplementationClass", "sslOption", "username", "fromEmailAddress", "hostPort", "mobilePhoneAttributeName" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server. The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 300,
"type" : "integer"
},
"mobilePhoneAttributeName" : {
"title" : "Mobile Phone Number Attribute Name",
"description" : "This is the attribute name used for a requested text message.",
"propertyOrder" : 1100,
"type" : "string"
},
"mobileCarrierAttributeName" : {
"title" : "Mobile Carrier Attribute Name",
"description" : "This is the attribute name used for a mobile carrier domain for sending SMS messages.",
"propertyOrder" : 1200,
"type" : "string"
},
"hostName" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server OpenAM will use to send the messages.",
"propertyOrder" : 200,
"type" : "string"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use when the mail server is using SMTP authentication",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use when the mail server is using SMTP authentication",
"propertyOrder" : 400,
"type" : "string"
},
"smsGatewayImplementationClass" : {
"title" : "Gateway Implementation Class",
"description" : "The OTP SMS Sender node uses this class to send SMS messages. <br><br>The gateway class must implement the following interface: <br><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 2200,
"type" : "string"
},
"fromEmailAddress" : {
"title" : "Email From Address",
"description" : "Emails from the OTP Email Sender node will come from this address.",
"propertyOrder" : 600,
"type" : "string"
},
"sslOption" : {
"title" : "Mail Server Secure Connection",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS.",
"propertyOrder" : 2100,
"type" : "string"
}
},
"required" : [ "password", "hostName", "smsGatewayImplementationClass", "sslOption", "username", "fromEmailAddress", "hostPort", "mobilePhoneAttributeName" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server. The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 300,
"type" : "integer"
},
"mobilePhoneAttributeName" : {
"title" : "Mobile Phone Number Attribute Name",
"description" : "This is the attribute name used for a requested text message.",
"propertyOrder" : 1100,
"type" : "string"
},
"mobileCarrierAttributeName" : {
"title" : "Mobile Carrier Attribute Name",
"description" : "This is the attribute name used for a mobile carrier domain for sending SMS messages.",
"propertyOrder" : 1200,
"type" : "string"
},
"hostName" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server OpenAM will use to send the messages.",
"propertyOrder" : 200,
"type" : "string"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use when the mail server is using SMTP authentication",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use when the mail server is using SMTP authentication",
"propertyOrder" : 400,
"type" : "string"
},
"smsGatewayImplementationClass" : {
"title" : "Gateway Implementation Class",
"description" : "The OTP SMS Sender node uses this class to send SMS messages. <br><br>The gateway class must implement the following interface: <br><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 2200,
"type" : "string"
},
"fromEmailAddress" : {
"title" : "Email From Address",
"description" : "Emails from the OTP Email Sender node will come from this address.",
"propertyOrder" : 600,
"type" : "string"
},
"sslOption" : {
"title" : "Mail Server Secure Connection",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS.",
"propertyOrder" : 2100,
"type" : "string"
}
},
"required" : [ "password", "hostName", "smsGatewayImplementationClass", "sslOption", "username", "fromEmailAddress", "hostPort", "mobilePhoneAttributeName" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server. The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 300,
"type" : "integer"
},
"mobilePhoneAttributeName" : {
"title" : "Mobile Phone Number Attribute Name",
"description" : "This is the attribute name used for a requested text message.",
"propertyOrder" : 1100,
"type" : "string"
},
"mobileCarrierAttributeName" : {
"title" : "Mobile Carrier Attribute Name",
"description" : "This is the attribute name used for a mobile carrier domain for sending SMS messages.",
"propertyOrder" : 1200,
"type" : "string"
},
"hostName" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server OpenAM will use to send the messages.",
"propertyOrder" : 200,
"type" : "string"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use when the mail server is using SMTP authentication",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use when the mail server is using SMTP authentication",
"propertyOrder" : 400,
"type" : "string"
},
"smsGatewayImplementationClass" : {
"title" : "Gateway Implementation Class",
"description" : "The OTP SMS Sender node uses this class to send SMS messages. <br><br>The gateway class must implement the following interface: <br><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 2200,
"type" : "string"
},
"fromEmailAddress" : {
"title" : "Email From Address",
"description" : "Emails from the OTP Email Sender node will come from this address.",
"propertyOrder" : 600,
"type" : "string"
},
"sslOption" : {
"title" : "Mail Server Secure Connection",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS.",
"propertyOrder" : 2100,
"type" : "string"
}
},
"required" : [ "password", "hostName", "smsGatewayImplementationClass", "sslOption", "username", "fromEmailAddress", "hostPort", "mobilePhoneAttributeName" ]
}
/realm-config/authentication/authenticationtrees/nodes/OneTimePasswordSmtpSenderNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server. The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 300,
"type" : "integer"
},
"emailAttribute" : {
"title" : "Email Attribute Name",
"description" : "This is the attribute name used by the OTP Sender to email the user",
"propertyOrder" : 1100,
"type" : "string"
},
"sslOption" : {
"title" : "Mail Server Secure Connection",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS.",
"propertyOrder" : 2100,
"type" : "string"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use when the mail server is using SMTP authentication",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"fromEmailAddress" : {
"title" : "Email From Address",
"description" : "Emails from the OTP Email Sender node will come from this address.",
"propertyOrder" : 600,
"type" : "string"
},
"hostName" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server OpenAM will use to send the messages.",
"propertyOrder" : 200,
"type" : "string"
},
"smsGatewayImplementationClass" : {
"title" : "Gateway Implementation Class",
"description" : "The OTP Email Sender node uses this class to send email messages. <br><br>The gateway class must implement the following interface: <br><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 2200,
"type" : "string"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use when the mail server is using SMTP authentication",
"propertyOrder" : 400,
"type" : "string"
}
},
"required" : [ "hostPort", "hostName", "emailAttribute", "sslOption", "username", "smsGatewayImplementationClass", "fromEmailAddress", "password" ]
}
/realm-config/authentication/authenticationtrees/nodes/OneTimePasswordSmtpSenderNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server. The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 300,
"type" : "integer"
},
"emailAttribute" : {
"title" : "Email Attribute Name",
"description" : "This is the attribute name used by the OTP Sender to email the user",
"propertyOrder" : 1100,
"type" : "string"
},
"sslOption" : {
"title" : "Mail Server Secure Connection",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS.",
"propertyOrder" : 2100,
"type" : "string"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use when the mail server is using SMTP authentication",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"fromEmailAddress" : {
"title" : "Email From Address",
"description" : "Emails from the OTP Email Sender node will come from this address.",
"propertyOrder" : 600,
"type" : "string"
},
"hostName" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server OpenAM will use to send the messages.",
"propertyOrder" : 200,
"type" : "string"
},
"smsGatewayImplementationClass" : {
"title" : "Gateway Implementation Class",
"description" : "The OTP Email Sender node uses this class to send email messages. <br><br>The gateway class must implement the following interface: <br><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 2200,
"type" : "string"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use when the mail server is using SMTP authentication",
"propertyOrder" : 400,
"type" : "string"
}
},
"required" : [ "hostPort", "hostName", "emailAttribute", "sslOption", "username", "smsGatewayImplementationClass", "fromEmailAddress", "password" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server. The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 300,
"type" : "integer"
},
"emailAttribute" : {
"title" : "Email Attribute Name",
"description" : "This is the attribute name used by the OTP Sender to email the user",
"propertyOrder" : 1100,
"type" : "string"
},
"sslOption" : {
"title" : "Mail Server Secure Connection",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS.",
"propertyOrder" : 2100,
"type" : "string"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use when the mail server is using SMTP authentication",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"fromEmailAddress" : {
"title" : "Email From Address",
"description" : "Emails from the OTP Email Sender node will come from this address.",
"propertyOrder" : 600,
"type" : "string"
},
"hostName" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server OpenAM will use to send the messages.",
"propertyOrder" : 200,
"type" : "string"
},
"smsGatewayImplementationClass" : {
"title" : "Gateway Implementation Class",
"description" : "The OTP Email Sender node uses this class to send email messages. <br><br>The gateway class must implement the following interface: <br><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 2200,
"type" : "string"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use when the mail server is using SMTP authentication",
"propertyOrder" : 400,
"type" : "string"
}
},
"required" : [ "hostPort", "hostName", "emailAttribute", "sslOption", "username", "smsGatewayImplementationClass", "fromEmailAddress", "password" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server. The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 300,
"type" : "integer"
},
"emailAttribute" : {
"title" : "Email Attribute Name",
"description" : "This is the attribute name used by the OTP Sender to email the user",
"propertyOrder" : 1100,
"type" : "string"
},
"sslOption" : {
"title" : "Mail Server Secure Connection",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS.",
"propertyOrder" : 2100,
"type" : "string"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use when the mail server is using SMTP authentication",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"fromEmailAddress" : {
"title" : "Email From Address",
"description" : "Emails from the OTP Email Sender node will come from this address.",
"propertyOrder" : 600,
"type" : "string"
},
"hostName" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server OpenAM will use to send the messages.",
"propertyOrder" : 200,
"type" : "string"
},
"smsGatewayImplementationClass" : {
"title" : "Gateway Implementation Class",
"description" : "The OTP Email Sender node uses this class to send email messages. <br><br>The gateway class must implement the following interface: <br><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 2200,
"type" : "string"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use when the mail server is using SMTP authentication",
"propertyOrder" : 400,
"type" : "string"
}
},
"required" : [ "hostPort", "hostName", "emailAttribute", "sslOption", "username", "smsGatewayImplementationClass", "fromEmailAddress", "password" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server. The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 300,
"type" : "integer"
},
"emailAttribute" : {
"title" : "Email Attribute Name",
"description" : "This is the attribute name used by the OTP Sender to email the user",
"propertyOrder" : 1100,
"type" : "string"
},
"sslOption" : {
"title" : "Mail Server Secure Connection",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS.",
"propertyOrder" : 2100,
"type" : "string"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use when the mail server is using SMTP authentication",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"fromEmailAddress" : {
"title" : "Email From Address",
"description" : "Emails from the OTP Email Sender node will come from this address.",
"propertyOrder" : 600,
"type" : "string"
},
"hostName" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server OpenAM will use to send the messages.",
"propertyOrder" : 200,
"type" : "string"
},
"smsGatewayImplementationClass" : {
"title" : "Gateway Implementation Class",
"description" : "The OTP Email Sender node uses this class to send email messages. <br><br>The gateway class must implement the following interface: <br><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 2200,
"type" : "string"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use when the mail server is using SMTP authentication",
"propertyOrder" : 400,
"type" : "string"
}
},
"required" : [ "hostPort", "hostName", "emailAttribute", "sslOption", "username", "smsGatewayImplementationClass", "fromEmailAddress", "password" ]
}
/realm-config/authentication/authenticationtrees/nodes/PageNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Authentication tree Page Node",
"type" : "object",
"title" : "Page Node",
"properties" : {
"nodes" : {
"type" : "array",
"title" : "Page Nodes",
"description" : "The child nodes, in the order they are returned to the authentication client",
"items" : {
"type" : "object",
"title" : "Child Node",
"description" : "A node that is used in the page",
"properties" : {
"id" : {
"type" : "string",
"title" : "Node ID",
"description" : "ID of the child node"
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "The display name of the child node"
},
"nodeType" : {
"type" : "string",
"title" : "Node type",
"description" : "The type of the child node"
}
}
}
}
},
"required" : [ "nodes" ]
}
/realm-config/authentication/authenticationtrees/nodes/PageNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Authentication tree Page Node",
"type" : "object",
"title" : "Page Node",
"properties" : {
"nodes" : {
"type" : "array",
"title" : "Page Nodes",
"description" : "The child nodes, in the order they are returned to the authentication client",
"items" : {
"type" : "object",
"title" : "Child Node",
"description" : "A node that is used in the page",
"properties" : {
"id" : {
"type" : "string",
"title" : "Node ID",
"description" : "ID of the child node"
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "The display name of the child node"
},
"nodeType" : {
"type" : "string",
"title" : "Node type",
"description" : "The type of the child node"
}
}
}
}
},
"required" : [ "nodes" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Authentication tree Page Node",
"type" : "object",
"title" : "Page Node",
"properties" : {
"nodes" : {
"type" : "array",
"title" : "Page Nodes",
"description" : "The child nodes, in the order they are returned to the authentication client",
"items" : {
"type" : "object",
"title" : "Child Node",
"description" : "A node that is used in the page",
"properties" : {
"id" : {
"type" : "string",
"title" : "Node ID",
"description" : "ID of the child node"
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "The display name of the child node"
},
"nodeType" : {
"type" : "string",
"title" : "Node type",
"description" : "The type of the child node"
}
}
}
}
},
"required" : [ "nodes" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Authentication tree Page Node",
"type" : "object",
"title" : "Page Node",
"properties" : {
"nodes" : {
"type" : "array",
"title" : "Page Nodes",
"description" : "The child nodes, in the order they are returned to the authentication client",
"items" : {
"type" : "object",
"title" : "Child Node",
"description" : "A node that is used in the page",
"properties" : {
"id" : {
"type" : "string",
"title" : "Node ID",
"description" : "ID of the child node"
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "The display name of the child node"
},
"nodeType" : {
"type" : "string",
"title" : "Node type",
"description" : "The type of the child node"
}
}
}
}
},
"required" : [ "nodes" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Authentication tree Page Node",
"type" : "object",
"title" : "Page Node",
"properties" : {
"nodes" : {
"type" : "array",
"title" : "Page Nodes",
"description" : "The child nodes, in the order they are returned to the authentication client",
"items" : {
"type" : "object",
"title" : "Child Node",
"description" : "A node that is used in the page",
"properties" : {
"id" : {
"type" : "string",
"title" : "Node ID",
"description" : "ID of the child node"
},
"displayName" : {
"type" : "string",
"title" : "Display name",
"description" : "The display name of the child node"
},
"nodeType" : {
"type" : "string",
"title" : "Node type",
"description" : "The type of the child node"
}
}
}
}
},
"required" : [ "nodes" ]
}
/realm-config/authentication/authenticationtrees/nodes/PasswordCollectorNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/authentication/authenticationtrees/nodes/PasswordCollectorNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object"
}
/realm-config/authentication/authenticationtrees/nodes/PersistentCookieDecisionNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enforceClientIp" : {
"title" : "Enforce Client IP",
"description" : "Enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.",
"propertyOrder" : 200,
"type" : "boolean"
},
"hmacSigningKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"useHttpOnlyCookie" : {
"title" : "Use HTTP Only Cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\".",
"propertyOrder" : 400,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"type" : "integer"
},
"useSecureCookie" : {
"title" : "Use Secure Cookie",
"description" : "Sets the persistent cookie as \"Secure\".",
"propertyOrder" : 300,
"type" : "boolean"
},
"persistentCookieName" : {
"title" : "Persistent Cookie Name",
"description" : "The name of the persistent cookie.",
"propertyOrder" : 600,
"type" : "string"
}
},
"required" : [ "persistentCookieName", "hmacSigningKey", "useHttpOnlyCookie", "enforceClientIp", "idleTimeout", "useSecureCookie" ]
}
/realm-config/authentication/authenticationtrees/nodes/PersistentCookieDecisionNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enforceClientIp" : {
"title" : "Enforce Client IP",
"description" : "Enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.",
"propertyOrder" : 200,
"type" : "boolean"
},
"hmacSigningKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"useHttpOnlyCookie" : {
"title" : "Use HTTP Only Cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\".",
"propertyOrder" : 400,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"type" : "integer"
},
"useSecureCookie" : {
"title" : "Use Secure Cookie",
"description" : "Sets the persistent cookie as \"Secure\".",
"propertyOrder" : 300,
"type" : "boolean"
},
"persistentCookieName" : {
"title" : "Persistent Cookie Name",
"description" : "The name of the persistent cookie.",
"propertyOrder" : 600,
"type" : "string"
}
},
"required" : [ "persistentCookieName", "hmacSigningKey", "useHttpOnlyCookie", "enforceClientIp", "idleTimeout", "useSecureCookie" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enforceClientIp" : {
"title" : "Enforce Client IP",
"description" : "Enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.",
"propertyOrder" : 200,
"type" : "boolean"
},
"hmacSigningKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"useHttpOnlyCookie" : {
"title" : "Use HTTP Only Cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\".",
"propertyOrder" : 400,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"type" : "integer"
},
"useSecureCookie" : {
"title" : "Use Secure Cookie",
"description" : "Sets the persistent cookie as \"Secure\".",
"propertyOrder" : 300,
"type" : "boolean"
},
"persistentCookieName" : {
"title" : "Persistent Cookie Name",
"description" : "The name of the persistent cookie.",
"propertyOrder" : 600,
"type" : "string"
}
},
"required" : [ "persistentCookieName", "hmacSigningKey", "useHttpOnlyCookie", "enforceClientIp", "idleTimeout", "useSecureCookie" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enforceClientIp" : {
"title" : "Enforce Client IP",
"description" : "Enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.",
"propertyOrder" : 200,
"type" : "boolean"
},
"hmacSigningKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"useHttpOnlyCookie" : {
"title" : "Use HTTP Only Cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\".",
"propertyOrder" : 400,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"type" : "integer"
},
"useSecureCookie" : {
"title" : "Use Secure Cookie",
"description" : "Sets the persistent cookie as \"Secure\".",
"propertyOrder" : 300,
"type" : "boolean"
},
"persistentCookieName" : {
"title" : "Persistent Cookie Name",
"description" : "The name of the persistent cookie.",
"propertyOrder" : 600,
"type" : "string"
}
},
"required" : [ "persistentCookieName", "hmacSigningKey", "useHttpOnlyCookie", "enforceClientIp", "idleTimeout", "useSecureCookie" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enforceClientIp" : {
"title" : "Enforce Client IP",
"description" : "Enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.",
"propertyOrder" : 200,
"type" : "boolean"
},
"hmacSigningKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"useHttpOnlyCookie" : {
"title" : "Use HTTP Only Cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\".",
"propertyOrder" : 400,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"type" : "integer"
},
"useSecureCookie" : {
"title" : "Use Secure Cookie",
"description" : "Sets the persistent cookie as \"Secure\".",
"propertyOrder" : 300,
"type" : "boolean"
},
"persistentCookieName" : {
"title" : "Persistent Cookie Name",
"description" : "The name of the persistent cookie.",
"propertyOrder" : 600,
"type" : "string"
}
},
"required" : [ "persistentCookieName", "hmacSigningKey", "useHttpOnlyCookie", "enforceClientIp", "idleTimeout", "useSecureCookie" ]
}
/realm-config/authentication/authenticationtrees/nodes/PollingWaitNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"waitingMessage" : {
"title" : "Waiting Message",
"description" : "Localisation overrides for the waiting message. May use {{time}} to get the number of seconds remaining. This is a map of locale to message.",
"propertyOrder" : 400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"secondsToWait" : {
"title" : "Seconds To Wait",
"description" : "How many seconds to wait before proceeding to the next node in the tree.",
"propertyOrder" : 100,
"type" : "integer"
},
"spamDetectionEnabled" : {
"title" : "Enable Spam Detection",
"description" : "Choose whether spam detection is enforced for this node. Creates a new outcome.",
"propertyOrder" : 200,
"type" : "boolean"
},
"spamDetectionTolerance" : {
"title" : "Spam Tolerance",
"description" : "How many times a user may resubmit to this node before the authentication is failed.",
"propertyOrder" : 300,
"type" : "integer"
},
"exitable" : {
"title" : "Exitable",
"description" : "Choose whether to display a link which allows the user to leave the node early. Creates a new outcome.",
"propertyOrder" : 500,
"type" : "boolean"
},
"exitMessage" : {
"title" : "Exit Message",
"description" : "Localisation overrides for the exit message. The whole string will be displayed as a link. This is a map of locale to message.",
"propertyOrder" : 600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "exitMessage", "waitingMessage", "exitable", "spamDetectionTolerance", "secondsToWait", "spamDetectionEnabled" ]
}
/realm-config/authentication/authenticationtrees/nodes/PollingWaitNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"waitingMessage" : {
"title" : "Waiting Message",
"description" : "Localisation overrides for the waiting message. May use {{time}} to get the number of seconds remaining. This is a map of locale to message.",
"propertyOrder" : 400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"secondsToWait" : {
"title" : "Seconds To Wait",
"description" : "How many seconds to wait before proceeding to the next node in the tree.",
"propertyOrder" : 100,
"type" : "integer"
},
"spamDetectionEnabled" : {
"title" : "Enable Spam Detection",
"description" : "Choose whether spam detection is enforced for this node. Creates a new outcome.",
"propertyOrder" : 200,
"type" : "boolean"
},
"spamDetectionTolerance" : {
"title" : "Spam Tolerance",
"description" : "How many times a user may resubmit to this node before the authentication is failed.",
"propertyOrder" : 300,
"type" : "integer"
},
"exitable" : {
"title" : "Exitable",
"description" : "Choose whether to display a link which allows the user to leave the node early. Creates a new outcome.",
"propertyOrder" : 500,
"type" : "boolean"
},
"exitMessage" : {
"title" : "Exit Message",
"description" : "Localisation overrides for the exit message. The whole string will be displayed as a link. This is a map of locale to message.",
"propertyOrder" : 600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "exitMessage", "waitingMessage", "exitable", "spamDetectionTolerance", "secondsToWait", "spamDetectionEnabled" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"waitingMessage" : {
"title" : "Waiting Message",
"description" : "Localisation overrides for the waiting message. May use {{time}} to get the number of seconds remaining. This is a map of locale to message.",
"propertyOrder" : 400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"secondsToWait" : {
"title" : "Seconds To Wait",
"description" : "How many seconds to wait before proceeding to the next node in the tree.",
"propertyOrder" : 100,
"type" : "integer"
},
"spamDetectionEnabled" : {
"title" : "Enable Spam Detection",
"description" : "Choose whether spam detection is enforced for this node. Creates a new outcome.",
"propertyOrder" : 200,
"type" : "boolean"
},
"spamDetectionTolerance" : {
"title" : "Spam Tolerance",
"description" : "How many times a user may resubmit to this node before the authentication is failed.",
"propertyOrder" : 300,
"type" : "integer"
},
"exitable" : {
"title" : "Exitable",
"description" : "Choose whether to display a link which allows the user to leave the node early. Creates a new outcome.",
"propertyOrder" : 500,
"type" : "boolean"
},
"exitMessage" : {
"title" : "Exit Message",
"description" : "Localisation overrides for the exit message. The whole string will be displayed as a link. This is a map of locale to message.",
"propertyOrder" : 600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "exitMessage", "waitingMessage", "exitable", "spamDetectionTolerance", "secondsToWait", "spamDetectionEnabled" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"waitingMessage" : {
"title" : "Waiting Message",
"description" : "Localisation overrides for the waiting message. May use {{time}} to get the number of seconds remaining. This is a map of locale to message.",
"propertyOrder" : 400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"secondsToWait" : {
"title" : "Seconds To Wait",
"description" : "How many seconds to wait before proceeding to the next node in the tree.",
"propertyOrder" : 100,
"type" : "integer"
},
"spamDetectionEnabled" : {
"title" : "Enable Spam Detection",
"description" : "Choose whether spam detection is enforced for this node. Creates a new outcome.",
"propertyOrder" : 200,
"type" : "boolean"
},
"spamDetectionTolerance" : {
"title" : "Spam Tolerance",
"description" : "How many times a user may resubmit to this node before the authentication is failed.",
"propertyOrder" : 300,
"type" : "integer"
},
"exitable" : {
"title" : "Exitable",
"description" : "Choose whether to display a link which allows the user to leave the node early. Creates a new outcome.",
"propertyOrder" : 500,
"type" : "boolean"
},
"exitMessage" : {
"title" : "Exit Message",
"description" : "Localisation overrides for the exit message. The whole string will be displayed as a link. This is a map of locale to message.",
"propertyOrder" : 600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "exitMessage", "waitingMessage", "exitable", "spamDetectionTolerance", "secondsToWait", "spamDetectionEnabled" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"waitingMessage" : {
"title" : "Waiting Message",
"description" : "Localisation overrides for the waiting message. May use {{time}} to get the number of seconds remaining. This is a map of locale to message.",
"propertyOrder" : 400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"secondsToWait" : {
"title" : "Seconds To Wait",
"description" : "How many seconds to wait before proceeding to the next node in the tree.",
"propertyOrder" : 100,
"type" : "integer"
},
"spamDetectionEnabled" : {
"title" : "Enable Spam Detection",
"description" : "Choose whether spam detection is enforced for this node. Creates a new outcome.",
"propertyOrder" : 200,
"type" : "boolean"
},
"spamDetectionTolerance" : {
"title" : "Spam Tolerance",
"description" : "How many times a user may resubmit to this node before the authentication is failed.",
"propertyOrder" : 300,
"type" : "integer"
},
"exitable" : {
"title" : "Exitable",
"description" : "Choose whether to display a link which allows the user to leave the node early. Creates a new outcome.",
"propertyOrder" : 500,
"type" : "boolean"
},
"exitMessage" : {
"title" : "Exit Message",
"description" : "Localisation overrides for the exit message. The whole string will be displayed as a link. This is a map of locale to message.",
"propertyOrder" : 600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "exitMessage", "waitingMessage", "exitable", "spamDetectionTolerance", "secondsToWait", "spamDetectionEnabled" ]
}
/realm-config/authentication/authenticationtrees/nodes/ProvisionDynamicAccountNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider Class",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "accountProviderClass" ]
}
/realm-config/authentication/authenticationtrees/nodes/ProvisionDynamicAccountNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider Class",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "accountProviderClass" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider Class",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "accountProviderClass" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider Class",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "accountProviderClass" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider Class",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "accountProviderClass" ]
}
/realm-config/authentication/authenticationtrees/nodes/ProvisionIdmAccountNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider Class",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "accountProviderClass" ]
}
/realm-config/authentication/authenticationtrees/nodes/ProvisionIdmAccountNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider Class",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "accountProviderClass" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider Class",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "accountProviderClass" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider Class",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "accountProviderClass" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider Class",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "accountProviderClass" ]
}
/realm-config/authentication/authenticationtrees/nodes/PushAuthenticationSenderNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"messageTimeout" : {
"title" : "Message Timeout",
"description" : "The duration (in ms) that the message will time out after.",
"propertyOrder" : 100,
"type" : "integer"
},
"mandatory" : {
"title" : "Remove 'skip' option",
"description" : "If checked, users will no longer be able to skip the module, and must interact with it.",
"propertyOrder" : 300,
"type" : "boolean"
},
"userMessage" : {
"title" : "User Message",
"description" : "The message to send to the user. {{user}} and {{issuer}} may be used as wildcards.",
"propertyOrder" : 200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "mandatory", "userMessage", "messageTimeout" ]
}
/realm-config/authentication/authenticationtrees/nodes/PushAuthenticationSenderNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"messageTimeout" : {
"title" : "Message Timeout",
"description" : "The duration (in ms) that the message will time out after.",
"propertyOrder" : 100,
"type" : "integer"
},
"mandatory" : {
"title" : "Remove 'skip' option",
"description" : "If checked, users will no longer be able to skip the module, and must interact with it.",
"propertyOrder" : 300,
"type" : "boolean"
},
"userMessage" : {
"title" : "User Message",
"description" : "The message to send to the user. {{user}} and {{issuer}} may be used as wildcards.",
"propertyOrder" : 200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "mandatory", "userMessage", "messageTimeout" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"messageTimeout" : {
"title" : "Message Timeout",
"description" : "The duration (in ms) that the message will time out after.",
"propertyOrder" : 100,
"type" : "integer"
},
"mandatory" : {
"title" : "Remove 'skip' option",
"description" : "If checked, users will no longer be able to skip the module, and must interact with it.",
"propertyOrder" : 300,
"type" : "boolean"
},
"userMessage" : {
"title" : "User Message",
"description" : "The message to send to the user. {{user}} and {{issuer}} may be used as wildcards.",
"propertyOrder" : 200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "mandatory", "userMessage", "messageTimeout" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"messageTimeout" : {
"title" : "Message Timeout",
"description" : "The duration (in ms) that the message will time out after.",
"propertyOrder" : 100,
"type" : "integer"
},
"mandatory" : {
"title" : "Remove 'skip' option",
"description" : "If checked, users will no longer be able to skip the module, and must interact with it.",
"propertyOrder" : 300,
"type" : "boolean"
},
"userMessage" : {
"title" : "User Message",
"description" : "The message to send to the user. {{user}} and {{issuer}} may be used as wildcards.",
"propertyOrder" : 200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "mandatory", "userMessage", "messageTimeout" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"messageTimeout" : {
"title" : "Message Timeout",
"description" : "The duration (in ms) that the message will time out after.",
"propertyOrder" : 100,
"type" : "integer"
},
"mandatory" : {
"title" : "Remove 'skip' option",
"description" : "If checked, users will no longer be able to skip the module, and must interact with it.",
"propertyOrder" : 300,
"type" : "boolean"
},
"userMessage" : {
"title" : "User Message",
"description" : "The message to send to the user. {{user}} and {{issuer}} may be used as wildcards.",
"propertyOrder" : 200,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "mandatory", "userMessage", "messageTimeout" ]
}
/realm-config/authentication/authenticationtrees/nodes/PushResultVerifierNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/authentication/authenticationtrees/nodes/PushResultVerifierNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object"
}
/realm-config/authentication/authenticationtrees/nodes/RecoveryCodeCollectorDecisionNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"recoveryCodeType" : {
"title" : "Recovery Code Type",
"description" : "Determines which type of recovery codes are going to be validated for the user.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "recoveryCodeType" ]
}
/realm-config/authentication/authenticationtrees/nodes/RecoveryCodeCollectorDecisionNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"recoveryCodeType" : {
"title" : "Recovery Code Type",
"description" : "Determines which type of recovery codes are going to be validated for the user.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "recoveryCodeType" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"recoveryCodeType" : {
"title" : "Recovery Code Type",
"description" : "Determines which type of recovery codes are going to be validated for the user.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "recoveryCodeType" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"recoveryCodeType" : {
"title" : "Recovery Code Type",
"description" : "Determines which type of recovery codes are going to be validated for the user.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "recoveryCodeType" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"recoveryCodeType" : {
"title" : "Recovery Code Type",
"description" : "Determines which type of recovery codes are going to be validated for the user.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "recoveryCodeType" ]
}
/realm-config/authentication/authenticationtrees/nodes/RegisterLogoutWebhookNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"webhookName" : {
"title" : "Webhook Name",
"description" : "The name of the webhook stored using the webhook service.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "webhookName" ]
}
/realm-config/authentication/authenticationtrees/nodes/RegisterLogoutWebhookNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"webhookName" : {
"title" : "Webhook Name",
"description" : "The name of the webhook stored using the webhook service.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "webhookName" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"webhookName" : {
"title" : "Webhook Name",
"description" : "The name of the webhook stored using the webhook service.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "webhookName" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"webhookName" : {
"title" : "Webhook Name",
"description" : "The name of the webhook stored using the webhook service.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "webhookName" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"webhookName" : {
"title" : "Webhook Name",
"description" : "The name of the webhook stored using the webhook service.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "webhookName" ]
}
/realm-config/authentication/authenticationtrees/nodes/RemoveSessionPropertiesNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"propertyNames" : {
"title" : "Property Names",
"description" : "The names of session properties to remove that may have been contributed by nodes that executed earlier in the tree. If the properties do not exist, no error will be thrown. Names are case sensitive.",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "propertyNames" ]
}
/realm-config/authentication/authenticationtrees/nodes/RemoveSessionPropertiesNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"propertyNames" : {
"title" : "Property Names",
"description" : "The names of session properties to remove that may have been contributed by nodes that executed earlier in the tree. If the properties do not exist, no error will be thrown. Names are case sensitive.",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "propertyNames" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"propertyNames" : {
"title" : "Property Names",
"description" : "The names of session properties to remove that may have been contributed by nodes that executed earlier in the tree. If the properties do not exist, no error will be thrown. Names are case sensitive.",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "propertyNames" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"propertyNames" : {
"title" : "Property Names",
"description" : "The names of session properties to remove that may have been contributed by nodes that executed earlier in the tree. If the properties do not exist, no error will be thrown. Names are case sensitive.",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "propertyNames" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"propertyNames" : {
"title" : "Property Names",
"description" : "The names of session properties to remove that may have been contributed by nodes that executed earlier in the tree. If the properties do not exist, no error will be thrown. Names are case sensitive.",
"propertyOrder" : 100,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "propertyNames" ]
}
/realm-config/authentication/authenticationtrees/nodes/RetryLimitDecisionNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"retryLimit" : {
"title" : "Retry Limit",
"description" : "The number of times to allow a retry",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "retryLimit" ]
}
/realm-config/authentication/authenticationtrees/nodes/RetryLimitDecisionNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"retryLimit" : {
"title" : "Retry Limit",
"description" : "The number of times to allow a retry",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "retryLimit" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"retryLimit" : {
"title" : "Retry Limit",
"description" : "The number of times to allow a retry",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "retryLimit" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"retryLimit" : {
"title" : "Retry Limit",
"description" : "The number of times to allow a retry",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "retryLimit" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"retryLimit" : {
"title" : "Retry Limit",
"description" : "The number of times to allow a retry",
"propertyOrder" : 100,
"type" : "integer"
}
},
"required" : [ "retryLimit" ]
}
/realm-config/authentication/authenticationtrees/nodes/ScriptedDecisionNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"script" : {
"title" : "Script",
"description" : "The script to evaluate.",
"propertyOrder" : 100,
"type" : "string"
},
"outcomes" : {
"title" : "Outcomes",
"propertyOrder" : 200,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "script", "outcomes" ]
}
/realm-config/authentication/authenticationtrees/nodes/ScriptedDecisionNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"script" : {
"title" : "Script",
"description" : "The script to evaluate.",
"propertyOrder" : 100,
"type" : "string"
},
"outcomes" : {
"title" : "Outcomes",
"propertyOrder" : 200,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "script", "outcomes" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"script" : {
"title" : "Script",
"description" : "The script to evaluate.",
"propertyOrder" : 100,
"type" : "string"
},
"outcomes" : {
"title" : "Outcomes",
"propertyOrder" : 200,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "script", "outcomes" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"script" : {
"title" : "Script",
"description" : "The script to evaluate.",
"propertyOrder" : 100,
"type" : "string"
},
"outcomes" : {
"title" : "Outcomes",
"propertyOrder" : 200,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "script", "outcomes" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"script" : {
"title" : "Script",
"description" : "The script to evaluate.",
"propertyOrder" : 100,
"type" : "string"
},
"outcomes" : {
"title" : "Outcomes",
"propertyOrder" : 200,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "script", "outcomes" ]
}
/realm-config/authentication/authenticationtrees/nodes/SessionDataNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"sharedStateKey" : {
"title" : "Shared State Key",
"propertyOrder" : 200,
"type" : "string"
},
"sessionDataKey" : {
"title" : "Session Data Key",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "sharedStateKey", "sessionDataKey" ]
}
/realm-config/authentication/authenticationtrees/nodes/SessionDataNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"sharedStateKey" : {
"title" : "Shared State Key",
"propertyOrder" : 200,
"type" : "string"
},
"sessionDataKey" : {
"title" : "Session Data Key",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "sharedStateKey", "sessionDataKey" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"sharedStateKey" : {
"title" : "Shared State Key",
"propertyOrder" : 200,
"type" : "string"
},
"sessionDataKey" : {
"title" : "Session Data Key",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "sharedStateKey", "sessionDataKey" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"sharedStateKey" : {
"title" : "Shared State Key",
"propertyOrder" : 200,
"type" : "string"
},
"sessionDataKey" : {
"title" : "Session Data Key",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "sharedStateKey", "sessionDataKey" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"sharedStateKey" : {
"title" : "Shared State Key",
"propertyOrder" : 200,
"type" : "string"
},
"sessionDataKey" : {
"title" : "Session Data Key",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "sharedStateKey", "sessionDataKey" ]
}
/realm-config/authentication/authenticationtrees/nodes/SetFailureUrlNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"failureUrl" : {
"title" : "Failure URL",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "failureUrl" ]
}
/realm-config/authentication/authenticationtrees/nodes/SetFailureUrlNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"failureUrl" : {
"title" : "Failure URL",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "failureUrl" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"failureUrl" : {
"title" : "Failure URL",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "failureUrl" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"failureUrl" : {
"title" : "Failure URL",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "failureUrl" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"failureUrl" : {
"title" : "Failure URL",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "failureUrl" ]
}
/realm-config/authentication/authenticationtrees/nodes/SetPersistentCookieNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hmacSigningKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"useSecureCookie" : {
"title" : "Use Secure Cookie",
"description" : "Sets the persistent cookie as \"Secure\".",
"propertyOrder" : 300,
"type" : "boolean"
},
"useHttpOnlyCookie" : {
"title" : "Use HTTP Only Cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\".",
"propertyOrder" : 400,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"type" : "integer"
},
"maxLife" : {
"title" : "Max Life",
"description" : "The maximum length of time the persistent cookie is valid for, in hours.",
"propertyOrder" : 200,
"type" : "integer"
},
"persistentCookieName" : {
"title" : "Persistent Cookie Name",
"description" : "Sets the name of the persistent cookie.",
"propertyOrder" : 600,
"type" : "string"
}
},
"required" : [ "persistentCookieName", "useHttpOnlyCookie", "maxLife", "hmacSigningKey", "idleTimeout", "useSecureCookie" ]
}
/realm-config/authentication/authenticationtrees/nodes/SetPersistentCookieNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hmacSigningKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"useSecureCookie" : {
"title" : "Use Secure Cookie",
"description" : "Sets the persistent cookie as \"Secure\".",
"propertyOrder" : 300,
"type" : "boolean"
},
"useHttpOnlyCookie" : {
"title" : "Use HTTP Only Cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\".",
"propertyOrder" : 400,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"type" : "integer"
},
"maxLife" : {
"title" : "Max Life",
"description" : "The maximum length of time the persistent cookie is valid for, in hours.",
"propertyOrder" : 200,
"type" : "integer"
},
"persistentCookieName" : {
"title" : "Persistent Cookie Name",
"description" : "Sets the name of the persistent cookie.",
"propertyOrder" : 600,
"type" : "string"
}
},
"required" : [ "persistentCookieName", "useHttpOnlyCookie", "maxLife", "hmacSigningKey", "idleTimeout", "useSecureCookie" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hmacSigningKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"useSecureCookie" : {
"title" : "Use Secure Cookie",
"description" : "Sets the persistent cookie as \"Secure\".",
"propertyOrder" : 300,
"type" : "boolean"
},
"useHttpOnlyCookie" : {
"title" : "Use HTTP Only Cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\".",
"propertyOrder" : 400,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"type" : "integer"
},
"maxLife" : {
"title" : "Max Life",
"description" : "The maximum length of time the persistent cookie is valid for, in hours.",
"propertyOrder" : 200,
"type" : "integer"
},
"persistentCookieName" : {
"title" : "Persistent Cookie Name",
"description" : "Sets the name of the persistent cookie.",
"propertyOrder" : 600,
"type" : "string"
}
},
"required" : [ "persistentCookieName", "useHttpOnlyCookie", "maxLife", "hmacSigningKey", "idleTimeout", "useSecureCookie" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hmacSigningKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"useSecureCookie" : {
"title" : "Use Secure Cookie",
"description" : "Sets the persistent cookie as \"Secure\".",
"propertyOrder" : 300,
"type" : "boolean"
},
"useHttpOnlyCookie" : {
"title" : "Use HTTP Only Cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\".",
"propertyOrder" : 400,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"type" : "integer"
},
"maxLife" : {
"title" : "Max Life",
"description" : "The maximum length of time the persistent cookie is valid for, in hours.",
"propertyOrder" : 200,
"type" : "integer"
},
"persistentCookieName" : {
"title" : "Persistent Cookie Name",
"description" : "Sets the name of the persistent cookie.",
"propertyOrder" : 600,
"type" : "string"
}
},
"required" : [ "persistentCookieName", "useHttpOnlyCookie", "maxLife", "hmacSigningKey", "idleTimeout", "useSecureCookie" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hmacSigningKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 500,
"type" : "string",
"format" : "password"
},
"useSecureCookie" : {
"title" : "Use Secure Cookie",
"description" : "Sets the persistent cookie as \"Secure\".",
"propertyOrder" : 300,
"type" : "boolean"
},
"useHttpOnlyCookie" : {
"title" : "Use HTTP Only Cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\".",
"propertyOrder" : 400,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"type" : "integer"
},
"maxLife" : {
"title" : "Max Life",
"description" : "The maximum length of time the persistent cookie is valid for, in hours.",
"propertyOrder" : 200,
"type" : "integer"
},
"persistentCookieName" : {
"title" : "Persistent Cookie Name",
"description" : "Sets the name of the persistent cookie.",
"propertyOrder" : 600,
"type" : "string"
}
},
"required" : [ "persistentCookieName", "useHttpOnlyCookie", "maxLife", "hmacSigningKey", "idleTimeout", "useSecureCookie" ]
}
/realm-config/authentication/authenticationtrees/nodes/SetSessionPropertiesNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"properties" : {
"title" : "Properties",
"description" : "The properties to set on the user's session if/when it is created.",
"propertyOrder" : 100,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "properties" ]
}
/realm-config/authentication/authenticationtrees/nodes/SetSessionPropertiesNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"properties" : {
"title" : "Properties",
"description" : "The properties to set on the user's session if/when it is created.",
"propertyOrder" : 100,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "properties" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"properties" : {
"title" : "Properties",
"description" : "The properties to set on the user's session if/when it is created.",
"propertyOrder" : 100,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "properties" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"properties" : {
"title" : "Properties",
"description" : "The properties to set on the user's session if/when it is created.",
"propertyOrder" : 100,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "properties" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"properties" : {
"title" : "Properties",
"description" : "The properties to set on the user's session if/when it is created.",
"propertyOrder" : 100,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
},
"required" : [ "properties" ]
}
/realm-config/authentication/authenticationtrees/nodes/SetSuccessUrlNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"successUrl" : {
"title" : "Success URL",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "successUrl" ]
}
/realm-config/authentication/authenticationtrees/nodes/SetSuccessUrlNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"successUrl" : {
"title" : "Success URL",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "successUrl" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"successUrl" : {
"title" : "Success URL",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "successUrl" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"successUrl" : {
"title" : "Success URL",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "successUrl" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"successUrl" : {
"title" : "Success URL",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "successUrl" ]
}
/realm-config/authentication/authenticationtrees/nodes/SocialFacebookNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1800,
"type" : "string"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1000,
"type" : "boolean"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1100,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1700,
"type" : "boolean"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 900,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 800,
"type" : "string"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1600,
"type" : "boolean"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 700,
"type" : "string"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1300,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "cfgAttributeMappingClasses", "cfgAttributeMappingConfiguration", "clientId", "tokenEndpoint", "provider", "saveUserAttributesToSession", "cfgMixUpMitigation", "clientSecret", "cfgAccountMapperConfiguration", "issuer", "userInfoEndpoint", "redirectURI", "cfgAccountMapperClass", "cfgAccountProviderClass", "authenticationIdKey", "scopeString", "authorizeEndpoint", "basicAuth" ]
}
/realm-config/authentication/authenticationtrees/nodes/SocialFacebookNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1800,
"type" : "string"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1000,
"type" : "boolean"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1100,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1700,
"type" : "boolean"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 900,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 800,
"type" : "string"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1600,
"type" : "boolean"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 700,
"type" : "string"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1300,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "cfgAttributeMappingClasses", "cfgAttributeMappingConfiguration", "clientId", "tokenEndpoint", "provider", "saveUserAttributesToSession", "cfgMixUpMitigation", "clientSecret", "cfgAccountMapperConfiguration", "issuer", "userInfoEndpoint", "redirectURI", "cfgAccountMapperClass", "cfgAccountProviderClass", "authenticationIdKey", "scopeString", "authorizeEndpoint", "basicAuth" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1800,
"type" : "string"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1000,
"type" : "boolean"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1100,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1700,
"type" : "boolean"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 900,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 800,
"type" : "string"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1600,
"type" : "boolean"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 700,
"type" : "string"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1300,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "cfgAttributeMappingClasses", "cfgAttributeMappingConfiguration", "clientId", "tokenEndpoint", "provider", "saveUserAttributesToSession", "cfgMixUpMitigation", "clientSecret", "cfgAccountMapperConfiguration", "issuer", "userInfoEndpoint", "redirectURI", "cfgAccountMapperClass", "cfgAccountProviderClass", "authenticationIdKey", "scopeString", "authorizeEndpoint", "basicAuth" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1800,
"type" : "string"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1000,
"type" : "boolean"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1100,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1700,
"type" : "boolean"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 900,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 800,
"type" : "string"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1600,
"type" : "boolean"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 700,
"type" : "string"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1300,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "cfgAttributeMappingClasses", "cfgAttributeMappingConfiguration", "clientId", "tokenEndpoint", "provider", "saveUserAttributesToSession", "cfgMixUpMitigation", "clientSecret", "cfgAccountMapperConfiguration", "issuer", "userInfoEndpoint", "redirectURI", "cfgAccountMapperClass", "cfgAccountProviderClass", "authenticationIdKey", "scopeString", "authorizeEndpoint", "basicAuth" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1800,
"type" : "string"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1000,
"type" : "boolean"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1100,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1700,
"type" : "boolean"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 900,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 800,
"type" : "string"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1600,
"type" : "boolean"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 700,
"type" : "string"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1300,
"items" : {
"type" : "string"
},
"type" : "array"
}
},
"required" : [ "cfgAttributeMappingClasses", "cfgAttributeMappingConfiguration", "clientId", "tokenEndpoint", "provider", "saveUserAttributesToSession", "cfgMixUpMitigation", "clientSecret", "cfgAccountMapperConfiguration", "issuer", "userInfoEndpoint", "redirectURI", "cfgAccountMapperClass", "cfgAccountProviderClass", "authenticationIdKey", "scopeString", "authorizeEndpoint", "basicAuth" ]
}
/realm-config/authentication/authenticationtrees/nodes/SocialGoogleNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1700,
"type" : "boolean"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 900,
"type" : "string"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1000,
"type" : "boolean"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1100,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1300,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1600,
"type" : "boolean"
},
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1800,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 700,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 800,
"type" : "string"
}
},
"required" : [ "cfgAccountMapperConfiguration", "redirectURI", "cfgMixUpMitigation", "cfgAttributeMappingClasses", "cfgAccountProviderClass", "provider", "authenticationIdKey", "userInfoEndpoint", "clientId", "cfgAttributeMappingConfiguration", "authorizeEndpoint", "basicAuth", "tokenEndpoint", "clientSecret", "saveUserAttributesToSession", "issuer", "cfgAccountMapperClass", "scopeString" ]
}
/realm-config/authentication/authenticationtrees/nodes/SocialGoogleNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1700,
"type" : "boolean"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 900,
"type" : "string"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1000,
"type" : "boolean"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1100,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1300,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1600,
"type" : "boolean"
},
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1800,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 700,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 800,
"type" : "string"
}
},
"required" : [ "cfgAccountMapperConfiguration", "redirectURI", "cfgMixUpMitigation", "cfgAttributeMappingClasses", "cfgAccountProviderClass", "provider", "authenticationIdKey", "userInfoEndpoint", "clientId", "cfgAttributeMappingConfiguration", "authorizeEndpoint", "basicAuth", "tokenEndpoint", "clientSecret", "saveUserAttributesToSession", "issuer", "cfgAccountMapperClass", "scopeString" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1700,
"type" : "boolean"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 900,
"type" : "string"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1000,
"type" : "boolean"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1100,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1300,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1600,
"type" : "boolean"
},
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1800,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 700,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 800,
"type" : "string"
}
},
"required" : [ "cfgAccountMapperConfiguration", "redirectURI", "cfgMixUpMitigation", "cfgAttributeMappingClasses", "cfgAccountProviderClass", "provider", "authenticationIdKey", "userInfoEndpoint", "clientId", "cfgAttributeMappingConfiguration", "authorizeEndpoint", "basicAuth", "tokenEndpoint", "clientSecret", "saveUserAttributesToSession", "issuer", "cfgAccountMapperClass", "scopeString" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1700,
"type" : "boolean"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 900,
"type" : "string"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1000,
"type" : "boolean"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1100,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1300,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1600,
"type" : "boolean"
},
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1800,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 700,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 800,
"type" : "string"
}
},
"required" : [ "cfgAccountMapperConfiguration", "redirectURI", "cfgMixUpMitigation", "cfgAttributeMappingClasses", "cfgAccountProviderClass", "provider", "authenticationIdKey", "userInfoEndpoint", "clientId", "cfgAttributeMappingConfiguration", "authorizeEndpoint", "basicAuth", "tokenEndpoint", "clientSecret", "saveUserAttributesToSession", "issuer", "cfgAccountMapperClass", "scopeString" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1700,
"type" : "boolean"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 900,
"type" : "string"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1000,
"type" : "boolean"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1100,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1400,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1300,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1600,
"type" : "boolean"
},
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1800,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 700,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 800,
"type" : "string"
}
},
"required" : [ "cfgAccountMapperConfiguration", "redirectURI", "cfgMixUpMitigation", "cfgAttributeMappingClasses", "cfgAccountProviderClass", "provider", "authenticationIdKey", "userInfoEndpoint", "clientId", "cfgAttributeMappingConfiguration", "authorizeEndpoint", "basicAuth", "tokenEndpoint", "clientSecret", "saveUserAttributesToSession", "issuer", "cfgAccountMapperClass", "scopeString" ]
}
/realm-config/authentication/authenticationtrees/nodes/SocialNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1900,
"type" : "string"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1300,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 900,
"type" : "string"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 700,
"type" : "string"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1400,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 1000,
"type" : "string"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 800,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1800,
"type" : "boolean"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1700,
"type" : "boolean"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1100,
"type" : "boolean"
}
},
"required" : [ "cfgAccountMapperClass", "authenticationIdKey", "cfgAccountProviderClass", "userInfoEndpoint", "saveUserAttributesToSession", "cfgAttributeMappingConfiguration", "cfgAttributeMappingClasses", "cfgAccountMapperConfiguration", "cfgMixUpMitigation", "provider", "basicAuth", "scopeString", "issuer", "authorizeEndpoint", "clientSecret", "scopeDelimiter", "clientId", "tokenEndpoint", "redirectURI" ]
}
/realm-config/authentication/authenticationtrees/nodes/SocialNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1900,
"type" : "string"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1300,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 900,
"type" : "string"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 700,
"type" : "string"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1400,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 1000,
"type" : "string"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 800,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1800,
"type" : "boolean"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1700,
"type" : "boolean"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1100,
"type" : "boolean"
}
},
"required" : [ "cfgAccountMapperClass", "authenticationIdKey", "cfgAccountProviderClass", "userInfoEndpoint", "saveUserAttributesToSession", "cfgAttributeMappingConfiguration", "cfgAttributeMappingClasses", "cfgAccountMapperConfiguration", "cfgMixUpMitigation", "provider", "basicAuth", "scopeString", "issuer", "authorizeEndpoint", "clientSecret", "scopeDelimiter", "clientId", "tokenEndpoint", "redirectURI" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1900,
"type" : "string"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1300,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 900,
"type" : "string"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 700,
"type" : "string"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1400,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 1000,
"type" : "string"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 800,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1800,
"type" : "boolean"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1700,
"type" : "boolean"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1100,
"type" : "boolean"
}
},
"required" : [ "cfgAccountMapperClass", "authenticationIdKey", "cfgAccountProviderClass", "userInfoEndpoint", "saveUserAttributesToSession", "cfgAttributeMappingConfiguration", "cfgAttributeMappingClasses", "cfgAccountMapperConfiguration", "cfgMixUpMitigation", "provider", "basicAuth", "scopeString", "issuer", "authorizeEndpoint", "clientSecret", "scopeDelimiter", "clientId", "tokenEndpoint", "redirectURI" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1900,
"type" : "string"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1300,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 900,
"type" : "string"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 700,
"type" : "string"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1400,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 1000,
"type" : "string"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 800,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1800,
"type" : "boolean"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1700,
"type" : "boolean"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1100,
"type" : "boolean"
}
},
"required" : [ "cfgAccountMapperClass", "authenticationIdKey", "cfgAccountProviderClass", "userInfoEndpoint", "saveUserAttributesToSession", "cfgAttributeMappingConfiguration", "cfgAttributeMappingClasses", "cfgAccountMapperConfiguration", "cfgMixUpMitigation", "provider", "basicAuth", "scopeString", "issuer", "authorizeEndpoint", "clientSecret", "scopeDelimiter", "clientId", "tokenEndpoint", "redirectURI" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the instance, the {id} path segment | yes | path |  |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"issuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token e.g. accounts.google.com The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 1900,
"type" : "string"
},
"cfgAccountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search. This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface. Provided implementations are: <code>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper</code>(can only be used when using the openid scope) String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1300,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 900,
"type" : "string"
},
"scopeString" : {
"title" : "OAuth Scope",
"description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.",
"propertyOrder" : 600,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"type" : "string"
},
"clientId" : {
"title" : "Client ID",
"description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 100,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 700,
"type" : "string"
},
"cfgAttributeMappingConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example: OAuth2.0_attribute=local_attribute",
"propertyOrder" : 1600,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2",
"propertyOrder" : 400,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1",
"propertyOrder" : 200,
"type" : "string",
"format" : "password"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response",
"propertyOrder" : 500,
"type" : "string"
},
"cfgAttributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided. A custom attribute mapper must implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface. Provided implementations are: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)",
"propertyOrder" : 1400,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cfgAccountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider. This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface. String constructor parameters can be provided by appending | separated values.",
"propertyOrder" : 1200,
"type" : "string"
},
"authenticationIdKey" : {
"title" : "Auth ID Key",
"propertyOrder" : 1000,
"type" : "string"
},
"redirectURI" : {
"title" : "Redirect URL",
"propertyOrder" : 800,
"type" : "string"
},
"cfgAccountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1500,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"cfgMixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation Enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation The authorization server must support the OAuth 2.0 Mix-Up Mitigation draft (https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1), otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 1800,
"type" : "boolean"
},
"saveUserAttributesToSession" : {
"title" : "Save Attributes in the Session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1700,
"type" : "boolean"
},
"basicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1100,
"type" : "boolean"
}
},
"required" : [ "cfgAccountMapperClass", "authenticationIdKey", "cfgAccountProviderClass", "userInfoEndpoint", "saveUserAttributesToSession", "cfgAttributeMappingConfiguration", "cfgAttributeMappingClasses", "cfgAccountMapperConfiguration", "cfgMixUpMitigation", "provider", "basicAuth", "scopeString", "issuer", "authorizeEndpoint", "clientSecret", "scopeDelimiter", "clientId", "tokenEndpoint", "redirectURI" ]
}
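The schema above only names the settings; what the module has to do with them at the redirect back from the provider is where the security lives. The following is an added example, not OpenAM's own code, showing the client-side checks those settings imply: the state check, the mix-up mitigation comparison of the iss and client_id response parameters against the Token Issuer and Client ID (draft-ietf-oauth-mix-up-mitigation-01, section 3.1), splitting the OAuth Scope with the Scope Delimiter, the class|arg|arg form of the Account Mapper setting, and the OAuth2.0_attribute=local_attribute mapping of the user-info document. All configuration values, the redirect URL, the callback path and the user-info document are constructed for illustration and are not taken from any real deployment.

```python
"""Client-side checks for the social OAuth 2.0 / OpenID Connect login configured above.

Added example (not OpenAM code). The configuration values, redirect URL and
user-info document are constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit


class AuthorizationResponseError(Exception):
    """The redirect back from the provider failed a check; its code must not be used."""


# Constructed module configuration, keyed like the schema above (values are hypothetical).
MODULE_CONFIG = {
    "clientId": "openam-client",
    "issuer": "https://idp.example.com",
    "cfgMixUpMitigation": True,
    "scopeString": "openid profile email",
    "scopeDelimiter": " ",
    # Entries follow the OAuth2.0_attribute=local_attribute pattern: provider attribute -> local attribute.
    "cfgAccountMapperConfiguration": {"sub": "uid"},
    "cfgAttributeMappingConfiguration": {"email": "mail", "name": "cn"},
    # Class name followed by |-separated string constructor parameters (the parameters are hypothetical).
    "cfgAccountMapperClass": "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|idp-",
}


def parse_mapper_spec(spec):
    """Split 'fully.qualified.ClassName|arg1|arg2' into (class name, [constructor args])."""
    class_name, *args = spec.split("|")
    return class_name, args


def scope_values(config):
    """Split the configured scope string using the provider's delimiter."""
    return [s for s in config["scopeString"].split(config["scopeDelimiter"]) if s]


def _single(params, name):
    """Reject missing or duplicated query parameters instead of silently picking one."""
    values = params.get(name, [])
    if len(values) != 1:
        raise AuthorizationResponseError(f"expected exactly one '{name}' parameter")
    return values[0]


def validate_authorization_response(redirect_url, expected_state, config):
    """Return the authorization code only if the redirect passes every check.

    With mix-up mitigation enabled the response must carry iss and client_id
    (draft-ietf-oauth-mix-up-mitigation-01, section 3.1) and both must equal the
    module's Token Issuer and Client ID; otherwise the code may have been issued by
    a different authorization server and must not be redeemed at the token endpoint.
    """
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    if "error" in params:
        raise AuthorizationResponseError(f"provider returned error={params['error'][0]}")
    if _single(params, "state") != expected_state:
        raise AuthorizationResponseError("state mismatch: not a response to our request")
    code = _single(params, "code")
    if config["cfgMixUpMitigation"]:
        if _single(params, "iss") != config["issuer"]:
            raise AuthorizationResponseError("iss does not match the configured Token Issuer")
        if _single(params, "client_id") != config["clientId"]:
            raise AuthorizationResponseError("client_id does not match this module's Client ID")
    return code


def map_attributes(userinfo, mapping):
    """Apply a provider-attribute -> local-attribute mapping to a user-info JSON object."""
    return {local: userinfo[src] for src, local in mapping.items() if src in userinfo}


def account_lookup_attributes(userinfo, config):
    """Attributes the Account Provider would use to look up the local account."""
    attrs = map_attributes(userinfo, config["cfgAccountMapperConfiguration"])
    if not attrs:
        raise AuthorizationResponseError("user info carries none of the account-mapping attributes")
    return attrs


if __name__ == "__main__":
    # Constructed redirect back to an assumed OpenAM callback URL.
    redirect = ("https://openam.example.com/openam/oauth2c/OAuthProxy.jsp"
                "?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj"
                "&iss=https%3A%2F%2Fidp.example.com&client_id=openam-client")
    code = validate_authorization_response(redirect, "af0ifjsldkj", MODULE_CONFIG)
    userinfo = {"sub": "24400320", "email": "jdoe@example.org"}  # constructed user-info response
    print(code, account_lookup_attributes(userinfo, MODULE_CONFIG),
          map_attributes(userinfo, MODULE_CONFIG["cfgAttributeMappingConfiguration"]))
```

Note the failure mode the schema text warns about: with cfgMixUpMitigation enabled, a provider that does not return iss and client_id makes every login fail at the _single check, which is the documented behaviour ("OpenAM will fail to validate responses"), not a bug in the check. Disabling the setting removes the iss and client_id comparison entirely, so the state check is then the only binding between request and response.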
/realm-config/authentication/authenticationtrees/nodes/SocialOAuthIgnoreProfileNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/authentication/authenticationtrees/nodes/SocialOAuthIgnoreProfileNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the node instance, the {id} path segment | yes | path |  |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the node instance, the {id} path segment | yes | path |  |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object"
}
/realm-config/authentication/authenticationtrees/nodes/TimerStartNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"startTimeProperty" : {
"title" : "Start Time Property",
"description" : "Identifier of property into which start time should be stored by this node.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "startTimeProperty" ]
}
/realm-config/authentication/authenticationtrees/nodes/TimerStartNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the node instance, the {id} path segment | yes | path |  |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"startTimeProperty" : {
"title" : "Start Time Property",
"description" : "Identifier of property into which start time should be stored by this node.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "startTimeProperty" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the node instance, the {id} path segment | yes | path |  |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"startTimeProperty" : {
"title" : "Start Time Property",
"description" : "Identifier of property into which start time should be stored by this node.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "startTimeProperty" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the node instance, the {id} path segment | yes | path |  |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"startTimeProperty" : {
"title" : "Start Time Property",
"description" : "Identifier of property into which start time should be stored by this node.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "startTimeProperty" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the node instance, the {id} path segment | yes | path |  |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"startTimeProperty" : {
"title" : "Start Time Property",
"description" : "Identifier of property into which start time should be stored by this node.",
"propertyOrder" : 100,
"type" : "string"
}
},
"required" : [ "startTimeProperty" ]
}
/realm-config/authentication/authenticationtrees/nodes/TimerStopNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"startTimeProperty" : {
"title" : "Start Time Property",
"description" : "Identifier of property in which start time should have been stored by a \"Timer Start\" node.",
"propertyOrder" : 100,
"type" : "string"
},
"metricKey" : {
"title" : "Metric Key",
"description" : "Identifier of metric to update when this node is processed.",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "metricKey", "startTimeProperty" ]
}
/realm-config/authentication/authenticationtrees/nodes/TimerStopNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the node instance, the {id} path segment | yes | path |  |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"startTimeProperty" : {
"title" : "Start Time Property",
"description" : "Identifier of property in which start time should have been stored by a \"Timer Start\" node.",
"propertyOrder" : 100,
"type" : "string"
},
"metricKey" : {
"title" : "Metric Key",
"description" : "Identifier of metric to update when this node is processed.",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "metricKey", "startTimeProperty" ]
}
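The TimerStartNode/{id} and TimerStopNode/{id} Create operations above both use a client-assigned resource ID, so the request is a PUT to the chosen ID rather than a POST to the collection. The following is an added example, not ForgeRock code, of driving these endpoints and the listOutcomes action from Python; it assumes an AM deployment at BASE_URL with the top-level realm addressed as /json/realms/root, an administrator SSO token carried in the iPlanetDirectoryPro header, resource version 1.0 selected through Accept-API-Version, and a client-generated UUID as an acceptable node ID. The token value is a placeholder. The requests are only assembled unless the script is run directly, so the helper functions can be inspected offline.

```python
"""Manage Timer Start / Timer Stop tree nodes through the endpoints documented above.

Added example (not ForgeRock code). Assumptions: AM is reachable at BASE_URL with the
top-level realm addressed as /json/realms/root, the administrator's SSO token is passed
in the iPlanetDirectoryPro header, resource version 1.0 is selected with
Accept-API-Version, and a client-generated UUID is an acceptable node id.
"""
import json
import uuid
from urllib.error import HTTPError
from urllib.request import Request, urlopen

BASE_URL = "https://openam.example.com/openam/json/realms/root"  # assumed deployment URL
NODES = BASE_URL + "/realm-config/authentication/authenticationtrees/nodes"


def build_request(method, url, token, body=None, create=False):
    """Assemble a CREST request; create=True adds If-None-Match: * so a PUT can only create."""
    headers = {
        "Accept-API-Version": "protocol=2.0,resource=1.0",
        "iPlanetDirectoryPro": token,
        "Content-Type": "application/json",
    }
    if create:
        headers["If-None-Match"] = "*"  # refuse to overwrite an existing node with this id
    data = json.dumps(body).encode() if body is not None else None
    return Request(url, data=data, headers=headers, method=method)


def timer_start_create(token, node_id, start_time_property):
    """PUT .../TimerStartNode/{id} with the required startTimeProperty."""
    return build_request("PUT", f"{NODES}/TimerStartNode/{node_id}", token,
                         {"startTimeProperty": start_time_property}, create=True)


def timer_stop_create(token, node_id, start_time_property, metric_key):
    """PUT .../TimerStopNode/{id}; both startTimeProperty and metricKey are required."""
    body = {"startTimeProperty": start_time_property, "metricKey": metric_key}
    return build_request("PUT", f"{NODES}/TimerStopNode/{node_id}", token, body, create=True)


def list_outcomes(token, node_type, partial_config=None):
    """POST .../{nodeType}?_action=listOutcomes with a (possibly partial) node configuration."""
    return build_request("POST", f"{NODES}/{node_type}?_action=listOutcomes", token,
                         partial_config or {})


def delete_node(token, node_type, node_id):
    """DELETE .../{nodeType}/{id}."""
    return build_request("DELETE", f"{NODES}/{node_type}/{node_id}", token)


def body_of(req):
    """Decode the JSON body of a built request (None when the request has no body)."""
    return json.loads(req.data) if req.data is not None else None


def send(req):
    """Send a built request and return (status, decoded JSON), including CREST error bodies."""
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


if __name__ == "__main__":
    token = "<admin-sso-token>"  # placeholder, obtain one from the authenticate endpoint
    start_id, stop_id = str(uuid.uuid4()), str(uuid.uuid4())
    # The stop node reads the property the start node wrote, so both use the same name.
    for req in (timer_start_create(token, start_id, "loginStart"),
                timer_stop_create(token, stop_id, "loginStart", "login.duration"),
                list_outcomes(token, "TimerStopNode"),
                delete_node(token, "TimerStopNode", stop_id),
                delete_node(token, "TimerStartNode", start_id)):
        print(req.get_method(), req.full_url, send(req))
```

The If-None-Match: * header is the part worth keeping in any automation against these {id} endpoints: without it a PUT to an ID that already exists silently replaces that node's configuration, which is exactly the kind of change a reviewer of tree definitions wants to see fail loudly instead.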
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the node instance, the {id} path segment | yes | path |  |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"startTimeProperty" : {
"title" : "Start Time Property",
"description" : "Identifier of property in which start time should have been stored by a \"Timer Start\" node.",
"propertyOrder" : 100,
"type" : "string"
},
"metricKey" : {
"title" : "Metric Key",
"description" : "Identifier of metric to update when this node is processed.",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "metricKey", "startTimeProperty" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the node instance, the {id} path segment | yes | path |  |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"startTimeProperty" : {
"title" : "Start Time Property",
"description" : "Identifier of property in which start time should have been stored by a \"Timer Start\" node.",
"propertyOrder" : 100,
"type" : "string"
},
"metricKey" : {
"title" : "Metric Key",
"description" : "Identifier of metric to update when this node is processed.",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "metricKey", "startTimeProperty" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the node instance, the {id} path segment | yes | path |  |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"startTimeProperty" : {
"title" : "Start Time Property",
"description" : "Identifier of property in which start time should have been stored by a \"Timer Start\" node.",
"propertyOrder" : 100,
"type" : "string"
},
"metricKey" : {
"title" : "Metric Key",
"description" : "Identifier of metric to update when this node is processed.",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "metricKey", "startTimeProperty" ]
}
/realm-config/authentication/authenticationtrees/nodes/UsernameCollectorNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/authentication/authenticationtrees/nodes/UsernameCollectorNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the node instance, the {id} path segment | yes | path |  |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the node instance, the {id} path segment | yes | path |  |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object"
}
/realm-config/authentication/authenticationtrees/nodes/ZeroPageLoginNode
1.0
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: listOutcomes
List the available outcomes for the node type.
| Stability | MVCC |
|---|---|
| STABLE | No |
This operation takes a request resource that conforms to the following schema:
{
"type" : "object",
"title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Outcome description",
"description" : "The (potentially) localised description of the outcome ID."
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A map where each key is an outcome ID mapping to a potentially localised description.",
"type" : "object",
"title" : "Outcomes"
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | No |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | No |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"usernameHeader" : {
"title" : "Username Header Name",
"propertyOrder" : 100,
"type" : "string"
},
"allowWithoutReferer" : {
"title" : "Allow Without Referer",
"propertyOrder" : 300,
"type" : "boolean"
},
"referrerWhiteList" : {
"title" : "Referer Whitelist",
"propertyOrder" : 400,
"items" : {
"type" : "string"
},
"type" : "array"
},
"passwordHeader" : {
"title" : "Password Header Name",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "passwordHeader", "usernameHeader", "referrerWhiteList", "allowWithoutReferer" ]
}
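The four ZeroPageLoginNode properties above decide which HTTP request headers are read as the username and password, and which submitting pages may supply them: "Allow Without Referer" and "Referer Whitelist" are the only controls limiting who can post credentials in headers. The following Python is an added example, not ForgeRock code and not part of this reference. It checks a node configuration against the documented schema (property names and the required list are copied from the schema above), flags the permissive settings a reviewer would query, and assembles the CREST create request for the /{id} endpoint. Assumptions: the request path prefix, the node ID, the header names and the whitelist URL are placeholders; the If-None-Match: * header is the CREST convention for creating under a client-assigned ID and is not stated on this page.

```python
"""Added example (not ForgeRock code): vet a ZeroPageLoginNode
configuration against the schema documented above and assemble the
CREST request that creates it under a client-assigned ID."""
from __future__ import annotations

import json
from urllib.parse import urlsplit

# Property names and the required list are taken from the documented schema.
REQUIRED = ("passwordHeader", "usernameHeader", "referrerWhiteList", "allowWithoutReferer")
TYPES = {"usernameHeader": str, "passwordHeader": str,
         "allowWithoutReferer": bool, "referrerWhiteList": list}

# Constructed sample configurations: header names and the origin are placeholders.
WEAK_CONFIG = {
    "usernameHeader": "X-OpenAM-Username",
    "passwordHeader": "X-OpenAM-Password",
    "allowWithoutReferer": True,   # requests carrying no Referer are accepted
    "referrerWhiteList": [],       # no trusted submitting page is enumerated
}
HARDENED_CONFIG = {
    "usernameHeader": "X-OpenAM-Username",
    "passwordHeader": "X-OpenAM-Password",
    "allowWithoutReferer": False,
    "referrerWhiteList": ["https://portal.example.com/login"],
}


def schema_errors(config: dict) -> list[str]:
    """Report missing required properties and wrong JSON types."""
    errors = []
    for key in REQUIRED:
        if key not in config:
            errors.append(f"missing required property {key!r}")
        elif not isinstance(config[key], TYPES[key]):
            errors.append(f"{key!r} must be of type {TYPES[key].__name__}")
    if isinstance(config.get("referrerWhiteList"), list):
        if any(not isinstance(e, str) for e in config["referrerWhiteList"]):
            errors.append("referrerWhiteList items must be strings")
    return errors


def hardening_warnings(config: dict) -> list[str]:
    """Flag settings that widen who may submit credentials in headers."""
    warnings = []
    if config.get("allowWithoutReferer") is True:
        warnings.append("allowWithoutReferer is true: requests without a Referer header are accepted")
    whitelist = config.get("referrerWhiteList") or []
    if not whitelist:
        warnings.append("referrerWhiteList is empty: no trusted submitting page is enumerated")
    for entry in whitelist:
        if urlsplit(entry).scheme != "https":
            warnings.append(f"referrerWhiteList entry {entry!r} is not an https URL")
    return warnings


def build_create_request(api_base: str, node_id: str, config: dict) -> dict:
    """Assemble the CREST create (PUT with a client-assigned ID) for this node.

    api_base is assumed to be the realm's JSON root, for example
    https://am.example.com/am/json/realms/root (placeholder). The
    If-None-Match: * header is the CREST way to refuse overwriting an
    existing instance. Schema errors are rejected up front so the server
    never receives an invalid document.
    """
    errors = schema_errors(config)
    if errors:
        raise ValueError("; ".join(errors))
    path = "/realm-config/authentication/authenticationtrees/nodes/ZeroPageLoginNode/" + node_id
    return {
        "method": "PUT",
        "url": api_base.rstrip("/") + path,
        "headers": {
            "Content-Type": "application/json",
            "Accept-API-Version": "resource=1.0",  # the version listed for this path
            "If-None-Match": "*",
        },
        "body": json.dumps(config),
    }
```

Run hardening_warnings on any configuration before build_create_request: a configuration that passes the schema check can still accept credentials from any page, and the schema alone will not tell you.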
/realm-config/authentication/authenticationtrees/nodes/ZeroPageLoginNode/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | No | Assigned by client | No |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the resource instance, taken from the {id} path segment | true | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"usernameHeader" : {
"title" : "Username Header Name",
"propertyOrder" : 100,
"type" : "string"
},
"allowWithoutReferer" : {
"title" : "Allow Without Referer",
"propertyOrder" : 300,
"type" : "boolean"
},
"referrerWhiteList" : {
"title" : "Referer Whitelist",
"propertyOrder" : 400,
"items" : {
"type" : "string"
},
"type" : "array"
},
"passwordHeader" : {
"title" : "Password Header Name",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "passwordHeader", "usernameHeader", "referrerWhiteList", "allowWithoutReferer" ]
}
Read
| Stability | MVCC |
|---|---|
| STABLE | No |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the resource instance, taken from the {id} path segment | true | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"usernameHeader" : {
"title" : "Username Header Name",
"propertyOrder" : 100,
"type" : "string"
},
"allowWithoutReferer" : {
"title" : "Allow Without Referer",
"propertyOrder" : 300,
"type" : "boolean"
},
"referrerWhiteList" : {
"title" : "Referer Whitelist",
"propertyOrder" : 400,
"items" : {
"type" : "string"
},
"type" : "array"
},
"passwordHeader" : {
"title" : "Password Header Name",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "passwordHeader", "usernameHeader", "referrerWhiteList", "allowWithoutReferer" ]
}
Update
| Stability | MVCC |
|---|---|
| STABLE | No |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the resource instance, taken from the {id} path segment | true | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"usernameHeader" : {
"title" : "Username Header Name",
"propertyOrder" : 100,
"type" : "string"
},
"allowWithoutReferer" : {
"title" : "Allow Without Referer",
"propertyOrder" : 300,
"type" : "boolean"
},
"referrerWhiteList" : {
"title" : "Referer Whitelist",
"propertyOrder" : 400,
"items" : {
"type" : "string"
},
"type" : "array"
},
"passwordHeader" : {
"title" : "Password Header Name",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "passwordHeader", "usernameHeader", "referrerWhiteList", "allowWithoutReferer" ]
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | No |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the resource instance, taken from the {id} path segment | true | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"usernameHeader" : {
"title" : "Username Header Name",
"propertyOrder" : 100,
"type" : "string"
},
"allowWithoutReferer" : {
"title" : "Allow Without Referer",
"propertyOrder" : 300,
"type" : "boolean"
},
"referrerWhiteList" : {
"title" : "Referer Whitelist",
"propertyOrder" : 400,
"items" : {
"type" : "string"
},
"type" : "array"
},
"passwordHeader" : {
"title" : "Password Header Name",
"propertyOrder" : 200,
"type" : "string"
}
},
"required" : [ "passwordHeader", "usernameHeader", "referrerWhiteList", "allowWithoutReferer" ]
}
/realm-config/authentication/authenticationtrees/trees
1.0
Authentication trees.
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | No |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | No |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getIds
Get the names of each tree configured in this realm.
| Stability | MVCC |
|---|---|
| STABLE | No |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Get the names of each tree configured in this realm.",
"type" : "object",
"title" : "Get Ids",
"properties" : {
"results" : {
"type" : "array",
"title" : "Get Ids",
"description" : "Get the names of each tree configured in this realm.",
"items" : {
"type" : "object",
"properties" : {
"_id" : {
"type" : "string"
}
}
}
}
},
"required" : [ "results" ]
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | No |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Action: validate
Validates a tree, returning any errors and warnings.
| Stability | MVCC |
|---|---|
| STABLE | No |
This operation takes a request resource that conforms to the following schema:
{
"description" : "A tree contains a set of nodes and their connections.",
"type" : "object",
"title" : "Authentication Tree",
"properties" : {
"nodes" : {
"type" : "object",
"title" : "Nodes",
"description" : "A map of node ID to node association details.",
"patternProperties" : {
".*" : {
"type" : "object",
"title" : "Node",
"description" : "A association of a node with a tree.",
"properties" : {
"connections" : {
"type" : "object",
"title" : "Connections",
"description" : "The node's connected outcomes.",
"patternProperties" : {
".*" : {
"type" : "string",
"title" : "Node ID",
"description" : "The ID of the node that this outcome connects to."
}
}
},
"_outcomes" : {
"type" : "array",
"title" : "Outcomes",
"description" : "The node's complete set of outcomes.",
"readOnly" : true,
"items" : {
"type" : "object",
"title" : "Outcome",
"description" : "A possible outcome of the node.",
"readOnly" : true,
"properties" : {
"id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the outcome.",
"readOnly" : true
},
"displayName" : {
"type" : "string",
"title" : "Display Name",
"description" : "The display name of the outcome, in the requester's preferred locale.",
"readOnly" : true
}
}
}
},
"nodeType" : {
"title" : "Type",
"description" : "The name of the SMS service for this node.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"displayName" : {
"title" : "Display Name",
"description" : "The name of the node to show in the tree UI.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
}
},
"entryNodeId" : {
"title" : "Entry Node",
"description" : "The ID of the node that the tree starts processing from.",
"required" : true,
"type" : "string"
}
}
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Validates a tree giving errors and warnings.",
"type" : "object",
"title" : "Validate",
"properties" : {
"valid" : {
"type" : "boolean",
"title" : "Valid",
"description" : "True if the tree does not have any validation errors, false otherwise."
},
"warnings" : {
"type" : "array",
"title" : "Validation warnings",
"description" : "Issues that would not prevent the tree from being persisted but may indicate user errors.",
"items" : {
"type" : "string"
}
},
"errors" : {
"type" : "array",
"title" : "Validation errors",
"description" : "Issues that prevent the tree from being persisted.",
"items" : {
"type" : "string"
}
}
},
"required" : [ "valid", "warnings" ]
}
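The tree document above is a graph: "nodes" maps node IDs to node entries, each node's "connections" maps an outcome ID to the next node ID, and "entryNodeId" names where evaluation starts. The following Python is an added example, not ForgeRock code and not part of this reference. It assembles a tree in that shape and runs local consistency checks whose result has the same valid/errors/warnings shape as the validate action's response, then builds the CREST action call to have the server validate the same document. Assumptions: the check rules are this example's own (an unknown entry node, a node lacking the required nodeType or displayName, and a connection to an unknown node are errors; a node unreachable from the entry node is a warning), and the server's validate action remains the authority; the node IDs, the PasswordCollectorNode and DataStoreDecisionNode type names, the SUCCESS and FAILURE terminal placeholders and the request path prefix are constructed, since this reference does not list them.

```python
"""Added example (not ForgeRock code): assemble an Authentication Tree in
the shape documented above and run local consistency checks shaped like
the validate action's response before posting the tree to the server."""
from __future__ import annotations

import json
from collections import deque

# Placeholders for the tree's terminal targets. Exported AM trees use fixed
# IDs for the success and failure terminals; those IDs are not part of this
# reference, so symbolic names stand in for them here.
TERMINALS = {"SUCCESS", "FAILURE"}

# Constructed sample tree. Keys under "nodes" are node IDs; each node's
# "connections" maps an outcome ID to the next node ID. "_outcomes" is
# read-only server output per the schema and is not sent by the client.
SAMPLE_TREE = {
    "entryNodeId": "n-username",
    "nodes": {
        "n-username": {
            "nodeType": "UsernameCollectorNode",
            "displayName": "Username",
            "connections": {"outcome": "n-password"},
        },
        "n-password": {
            "nodeType": "PasswordCollectorNode",  # node type name assumed
            "displayName": "Password",
            "connections": {"outcome": "n-datastore"},
        },
        "n-datastore": {
            "nodeType": "DataStoreDecisionNode",  # node type name assumed
            "displayName": "Data Store",
            "connections": {"true": "SUCCESS", "false": "FAILURE"},
        },
        "n-orphan": {  # nothing connects here: reported as a warning
            "nodeType": "UsernameCollectorNode",
            "displayName": "Unused collector",
            "connections": {"outcome": "SUCCESS"},
        },
    },
}


def check_tree(tree: dict) -> dict:
    """Local checks in the validate response's shape: valid/errors/warnings.

    These rules are this example's own, not the server's: a missing or
    unknown entry node, a node lacking nodeType/displayName, and a
    connection to an unknown node are errors; a node unreachable from the
    entry node is a warning.
    """
    errors: list[str] = []
    warnings: list[str] = []
    nodes = tree.get("nodes", {})
    entry = tree.get("entryNodeId")

    if not entry:
        errors.append("entryNodeId is required")
    elif entry not in nodes:
        errors.append(f"entryNodeId {entry!r} is not a node in this tree")

    for node_id, node in nodes.items():
        for key in ("nodeType", "displayName"):
            if not node.get(key):
                errors.append(f"node {node_id!r} lacks required property {key!r}")
        for outcome, target in node.get("connections", {}).items():
            if target not in nodes and target not in TERMINALS:
                errors.append(f"node {node_id!r} outcome {outcome!r} connects to unknown node {target!r}")

    # Breadth-first walk from the entry node over connected outcomes.
    seen: set[str] = set()
    queue = deque([entry] if entry in nodes else [])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for target in nodes[current].get("connections", {}).values():
            if target in nodes and target not in seen:
                queue.append(target)
    for node_id in nodes:
        if node_id not in seen:
            warnings.append(f"node {node_id!r} is unreachable from the entry node")

    return {"valid": not errors, "warnings": warnings, "errors": errors}


def build_validate_request(api_base: str, tree: dict) -> dict:
    """Assemble the CREST action call on the trees collection.

    api_base is assumed to be the realm's JSON root, for example
    https://am.example.com/am/json/realms/root (placeholder).
    """
    return {
        "method": "POST",
        "url": api_base.rstrip("/") + "/realm-config/authentication/authenticationtrees/trees?_action=validate",
        "headers": {"Content-Type": "application/json", "Accept-API-Version": "resource=1.0"},
        "body": json.dumps(tree),
    }
```

The local check catches the structural mistakes that would otherwise cost a round trip, but only the server knows each node type's real outcome set, so a tree that passes here is still sent to validate before it is created.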
Query by Filter
Query for all authentication trees. Only a query filter of 'true' is supported.
| Stability | MVCC |
|---|---|
| STABLE | No |
This operation returns a response resource that conforms to the following schema:
{
"description" : "A tree contains a set of nodes and their connections.",
"type" : "object",
"title" : "Authentication Tree",
"properties" : {
"nodes" : {
"type" : "object",
"title" : "Nodes",
"description" : "A map of node ID to node association details.",
"patternProperties" : {
".*" : {
"type" : "object",
"title" : "Node",
"description" : "A association of a node with a tree.",
"properties" : {
"connections" : {
"type" : "object",
"title" : "Connections",
"description" : "The node's connected outcomes.",
"patternProperties" : {
".*" : {
"type" : "string",
"title" : "Node ID",
"description" : "The ID of the node that this outcome connects to."
}
}
},
"_outcomes" : {
"type" : "array",
"title" : "Outcomes",
"description" : "The node's complete set of outcomes.",
"readOnly" : true,
"items" : {
"type" : "object",
"title" : "Outcome",
"description" : "A possible outcome of the node.",
"readOnly" : true,
"properties" : {
"id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the outcome.",
"readOnly" : true
},
"displayName" : {
"type" : "string",
"title" : "Display Name",
"description" : "The display name of the outcome, in the requester's preferred locale.",
"readOnly" : true
}
}
}
},
"nodeType" : {
"title" : "Type",
"description" : "The name of the SMS service for this node.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"displayName" : {
"title" : "Display Name",
"description" : "The name of the node to show in the tree UI.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
}
},
"entryNodeId" : {
"title" : "Entry Node",
"description" : "The ID of the node that the tree starts processing from.",
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/authenticationtrees/trees/{id}
1.0
Authentication trees.
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | No | Assigned by client | No |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the resource instance, taken from the {id} path segment | true | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"description" : "A tree contains a set of nodes and their connections.",
"type" : "object",
"title" : "Authentication Tree",
"properties" : {
"nodes" : {
"type" : "object",
"title" : "Nodes",
"description" : "A map of node ID to node association details.",
"patternProperties" : {
".*" : {
"type" : "object",
"title" : "Node",
"description" : "A association of a node with a tree.",
"properties" : {
"connections" : {
"type" : "object",
"title" : "Connections",
"description" : "The node's connected outcomes.",
"patternProperties" : {
".*" : {
"type" : "string",
"title" : "Node ID",
"description" : "The ID of the node that this outcome connects to."
}
}
},
"_outcomes" : {
"type" : "array",
"title" : "Outcomes",
"description" : "The node's complete set of outcomes.",
"readOnly" : true,
"items" : {
"type" : "object",
"title" : "Outcome",
"description" : "A possible outcome of the node.",
"readOnly" : true,
"properties" : {
"id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the outcome.",
"readOnly" : true
},
"displayName" : {
"type" : "string",
"title" : "Display Name",
"description" : "The display name of the outcome, in the requester's preferred locale.",
"readOnly" : true
}
}
}
},
"nodeType" : {
"title" : "Type",
"description" : "The name of the SMS service for this node.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"displayName" : {
"title" : "Display Name",
"description" : "The name of the node to show in the tree UI.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
}
},
"entryNodeId" : {
"title" : "Entry Node",
"description" : "The ID of the node that the tree starts processing from.",
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | No |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the resource instance, taken from the {id} path segment | true | path | |
This operation returns a response resource that conforms to the following schema:
{
"description" : "A tree contains a set of nodes and their connections.",
"type" : "object",
"title" : "Authentication Tree",
"properties" : {
"nodes" : {
"type" : "object",
"title" : "Nodes",
"description" : "A map of node ID to node association details.",
"patternProperties" : {
".*" : {
"type" : "object",
"title" : "Node",
"description" : "A association of a node with a tree.",
"properties" : {
"connections" : {
"type" : "object",
"title" : "Connections",
"description" : "The node's connected outcomes.",
"patternProperties" : {
".*" : {
"type" : "string",
"title" : "Node ID",
"description" : "The ID of the node that this outcome connects to."
}
}
},
"_outcomes" : {
"type" : "array",
"title" : "Outcomes",
"description" : "The node's complete set of outcomes.",
"readOnly" : true,
"items" : {
"type" : "object",
"title" : "Outcome",
"description" : "A possible outcome of the node.",
"readOnly" : true,
"properties" : {
"id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the outcome.",
"readOnly" : true
},
"displayName" : {
"type" : "string",
"title" : "Display Name",
"description" : "The display name of the outcome, in the requester's preferred locale.",
"readOnly" : true
}
}
}
},
"nodeType" : {
"title" : "Type",
"description" : "The name of the SMS service for this node.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"displayName" : {
"title" : "Display Name",
"description" : "The name of the node to show in the tree UI.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
}
},
"entryNodeId" : {
"title" : "Entry Node",
"description" : "The ID of the node that the tree starts processing from.",
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | No |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the resource instance, taken from the {id} path segment | true | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"description" : "A tree contains a set of nodes and their connections.",
"type" : "object",
"title" : "Authentication Tree",
"properties" : {
"nodes" : {
"type" : "object",
"title" : "Nodes",
"description" : "A map of node ID to node association details.",
"patternProperties" : {
".*" : {
"type" : "object",
"title" : "Node",
"description" : "A association of a node with a tree.",
"properties" : {
"connections" : {
"type" : "object",
"title" : "Connections",
"description" : "The node's connected outcomes.",
"patternProperties" : {
".*" : {
"type" : "string",
"title" : "Node ID",
"description" : "The ID of the node that this outcome connects to."
}
}
},
"_outcomes" : {
"type" : "array",
"title" : "Outcomes",
"description" : "The node's complete set of outcomes.",
"readOnly" : true,
"items" : {
"type" : "object",
"title" : "Outcome",
"description" : "A possible outcome of the node.",
"readOnly" : true,
"properties" : {
"id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the outcome.",
"readOnly" : true
},
"displayName" : {
"type" : "string",
"title" : "Display Name",
"description" : "The display name of the outcome, in the requester's preferred locale.",
"readOnly" : true
}
}
}
},
"nodeType" : {
"title" : "Type",
"description" : "The name of the SMS service for this node.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"displayName" : {
"title" : "Display Name",
"description" : "The name of the node to show in the tree UI.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
}
},
"entryNodeId" : {
"title" : "Entry Node",
"description" : "The ID of the node that the tree starts processing from.",
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | No |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the resource instance, taken from the {id} path segment | true | path | |
This operation returns a response resource that conforms to the following schema:
{
"description" : "A tree contains a set of nodes and their connections.",
"type" : "object",
"title" : "Authentication Tree",
"properties" : {
"nodes" : {
"type" : "object",
"title" : "Nodes",
"description" : "A map of node ID to node association details.",
"patternProperties" : {
".*" : {
"type" : "object",
"title" : "Node",
"description" : "A association of a node with a tree.",
"properties" : {
"connections" : {
"type" : "object",
"title" : "Connections",
"description" : "The node's connected outcomes.",
"patternProperties" : {
".*" : {
"type" : "string",
"title" : "Node ID",
"description" : "The ID of the node that this outcome connects to."
}
}
},
"_outcomes" : {
"type" : "array",
"title" : "Outcomes",
"description" : "The node's complete set of outcomes.",
"readOnly" : true,
"items" : {
"type" : "object",
"title" : "Outcome",
"description" : "A possible outcome of the node.",
"readOnly" : true,
"properties" : {
"id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the outcome.",
"readOnly" : true
},
"displayName" : {
"type" : "string",
"title" : "Display Name",
"description" : "The display name of the outcome, in the requester's preferred locale.",
"readOnly" : true
}
}
}
},
"nodeType" : {
"title" : "Type",
"description" : "The name of the SMS service for this node.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"displayName" : {
"title" : "Display Name",
"description" : "The name of the node to show in the tree UI.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
}
},
"entryNodeId" : {
"title" : "Entry Node",
"description" : "The ID of the node that the tree starts processing from.",
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/chains
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | No | Assigned by client | No |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authChainConfiguration" : {
"title" : "Authentication Configuration",
"propertyOrder" : 100,
"required" : true,
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"module" : {
"type" : "string"
},
"criteria" : {
"type" : "string"
},
"options" : {
"type" : "object",
"patternProperties" : {
".*" : {
"type" : "string"
}
}
}
}
}
},
"loginPostProcessClass" : {
"title" : "Authentication Post Processing Classes",
"description" : "Example: com.abc.authentication.PostProcessClass",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginFailureUrl" : {
"title" : "Login Failed URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginSuccessUrl" : {
"title" : "Login Success URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
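An authentication chain is an ordered list of module entries, each with a "criteria" that controls how that module's result combines with the others, plus the redirect URLs and the post-processing class list. The following Python is an added example, not ForgeRock code and not part of this reference. It builds a chain in the documented shape, checks it against the schema's required properties, and evaluates the chain's outcome for a given set of per-module results. Assumptions: the criteria values REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL and the combination rules are the JAAS LoginModule control-flag semantics that chains follow, not text from this page; the module instance names, URLs and option key in the sample are constructed. One caveat the schema itself hints at: loginPostProcessClass names Java classes the server loads to run after login, so whoever can update a chain chooses which deployed code executes; the check below only verifies that each entry looks like a class name, and the list should be reviewed like any other code-loading setting.

```python
"""Added example (not ForgeRock code): build an authentication chain in
the shape documented above, vet it, and evaluate the chain's outcome for
a set of per-module results under JAAS control-flag rules."""
from __future__ import annotations

import re

# JAAS LoginModule control flags; chain criteria take these values (assumed).
CRITERIA = ("REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")
# Loose shape of a fully qualified Java class name, for loginPostProcessClass.
JAVA_CLASS = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")

# Constructed sample chain: module instance names, URLs and the option key
# are placeholders, not values taken from this reference.
SAMPLE_CHAIN = {
    "authChainConfiguration": [
        {"module": "DataStore", "criteria": "REQUISITE", "options": {}},
        {"module": "HOTP", "criteria": "REQUIRED",
         "options": {"iplanet-am-auth-shared-state-enabled": "true"}},
    ],
    "loginSuccessUrl": ["/console"],
    "loginFailureUrl": ["https://portal.example.com/login-failed"],
    "loginPostProcessClass": [],
}


def check_chain(chain: dict) -> list[str]:
    """Check the required array properties, criteria values, option value
    types, and that every post-processing entry names a Java class.

    loginPostProcessClass names classes the server loads after login, so
    write access to this document decides which deployed code runs.
    """
    errors = []
    for key in ("authChainConfiguration", "loginSuccessUrl", "loginFailureUrl", "loginPostProcessClass"):
        if not isinstance(chain.get(key), list):
            errors.append(f"{key!r} is required and must be an array")
    for i, entry in enumerate(chain.get("authChainConfiguration") or []):
        if not entry.get("module"):
            errors.append(f"entry {i}: module is missing")
        if entry.get("criteria") not in CRITERIA:
            errors.append(f"entry {i}: criteria {entry.get('criteria')!r} is not one of {CRITERIA}")
        options = entry.get("options", {})
        if not isinstance(options, dict) or any(not isinstance(v, str) for v in options.values()):
            errors.append(f"entry {i}: option values must be strings")
    for cls in chain.get("loginPostProcessClass") or []:
        if not isinstance(cls, str) or not JAVA_CLASS.match(cls):
            errors.append(f"post-processing entry {cls!r} is not a Java class name")
    return errors


def evaluate_chain(chain: dict, results: dict[str, bool]) -> dict:
    """Apply JAAS combination rules to per-module results.

    results maps module name -> whether that module authenticated the user.
    Returns the overall outcome and the modules actually invoked, which
    shows where REQUISITE and SUFFICIENT stop the chain early.
    """
    invoked = []
    saw_required = False    # any REQUIRED or REQUISITE module configured
    required_failed = False
    optional_ok = False     # some SUFFICIENT or OPTIONAL module succeeded
    for entry in chain["authChainConfiguration"]:
        module, criteria = entry["module"], entry["criteria"]
        invoked.append(module)
        ok = bool(results.get(module, False))
        if criteria == "REQUISITE":
            saw_required = True
            if not ok:
                return {"success": False, "invoked": invoked}  # stop at once
        elif criteria == "REQUIRED":
            saw_required = True
            required_failed = required_failed or not ok        # keep going
        elif criteria == "SUFFICIENT":
            if ok and not required_failed:
                return {"success": True, "invoked": invoked}   # short-circuit
            optional_ok = optional_ok or ok
        else:  # OPTIONAL: never decisive when a REQUIRED/REQUISITE exists
            optional_ok = optional_ok or ok
    # With no REQUIRED/REQUISITE module, at least one other must have succeeded.
    success = (not required_failed) if saw_required else optional_ok
    return {"success": success, "invoked": invoked}
```

The invoked list is the practical output: a REQUISITE first module stops the chain on failure, so later modules (and their lockout counters or second-factor prompts) never run, whereas a REQUIRED first module still runs everything after it before reporting failure.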
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | No |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | No |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | No |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | No |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authChainConfiguration" : {
"title" : "Authentication Configuration",
"propertyOrder" : 100,
"required" : true,
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"module" : {
"type" : "string"
},
"criteria" : {
"type" : "string"
},
"options" : {
"type" : "object",
"patternProperties" : {
".*" : {
"type" : "string"
}
}
}
}
}
},
"loginPostProcessClass" : {
"title" : "Authentication Post Processing Classes",
"description" : "Example: com.abc.authentication.PostProcessClass",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginFailureUrl" : {
"title" : "Login Failed URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginSuccessUrl" : {
"title" : "Login Success URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
/realm-config/authentication/chains/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | No | Assigned by client | No |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the resource instance, taken from the {id} path segment | true | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authChainConfiguration" : {
"title" : "Authentication Configuration",
"propertyOrder" : 100,
"required" : true,
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"module" : {
"type" : "string"
},
"criteria" : {
"type" : "string"
},
"options" : {
"type" : "object",
"patternProperties" : {
".*" : {
"type" : "string"
}
}
}
}
}
},
"loginPostProcessClass" : {
"title" : "Authentication Post Processing Classes",
"description" : "Example: com.abc.authentication.PostProcessClass",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginFailureUrl" : {
"title" : "Login Failed URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginSuccessUrl" : {
"title" : "Login Success URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | No |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the resource instance, taken from the {id} path segment | true | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authChainConfiguration" : {
"title" : "Authentication Configuration",
"propertyOrder" : 100,
"required" : true,
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"module" : {
"type" : "string"
},
"criteria" : {
"type" : "string"
},
"options" : {
"type" : "object",
"patternProperties" : {
".*" : {
"type" : "string"
}
}
}
}
}
},
"loginPostProcessClass" : {
"title" : "Authentication Post Processing Classes",
"description" : "Example: com.abc.authentication.PostProcessClass",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginFailureUrl" : {
"title" : "Login Failed URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginSuccessUrl" : {
"title" : "Login Success URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | No |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the resource instance, taken from the {id} path segment | true | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authChainConfiguration" : {
"title" : "Authentication Configuration",
"propertyOrder" : 100,
"required" : true,
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"module" : {
"type" : "string"
},
"criteria" : {
"type" : "string"
},
"options" : {
"type" : "object",
"patternProperties" : {
".*" : {
"type" : "string"
}
}
}
}
}
},
"loginPostProcessClass" : {
"title" : "Authentication Post Processing Classes",
"description" : "Example: com.abc.authentication.PostProcessClass",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginFailureUrl" : {
"title" : "Login Failed URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginSuccessUrl" : {
"title" : "Login Success URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | No |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the resource instance, taken from the {id} path segment | true | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authChainConfiguration" : {
"title" : "Authentication Configuration",
"propertyOrder" : 100,
"required" : true,
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"module" : {
"type" : "string"
},
"criteria" : {
"type" : "string"
},
"options" : {
"type" : "object",
"patternProperties" : {
".*" : {
"type" : "string"
}
}
}
}
}
},
"loginPostProcessClass" : {
"title" : "Authentication Post Processing Classes",
"description" : "Example: com.abc.authentication.PostProcessClass",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginFailureUrl" : {
"title" : "Login Failed URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"loginSuccessUrl" : {
"title" : "Login Success URL",
"description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
/realm-config/authentication/modules
1.0
The collection of all authentication modules in a realm allows querying for all module instances.
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Query for authentication module instances
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The generic schema for a module instance. The response data can be used to construct the sub-path to the instance itself as `{type}/{id}`.",
"type" : "object",
"title" : "Module Instance schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the module instance"
},
"type" : {
"type" : "string",
"title" : "Type",
"description" : "The identifier of the type of the module instance"
},
"typeDescription" : {
"type" : "string",
"title" : "Type Description",
"description" : "The human-readable name of the type"
}
}
}
/realm-config/authentication/modules/activedirectory
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"primaryLdapServer" : {
"title" : "Primary Active Directory Server ",
"description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"secondaryLdapServer" : {
"title" : "Secondary Active Directory Server",
"description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"primaryLdapServer" : {
"title" : "Primary Active Directory Server ",
"description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"secondaryLdapServer" : {
"title" : "Secondary Active Directory Server",
"description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/activedirectory/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"primaryLdapServer" : {
"title" : "Primary Active Directory Server ",
"description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"secondaryLdapServer" : {
"title" : "Secondary Active Directory Server",
"description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"primaryLdapServer" : {
"title" : "Primary Active Directory Server ",
"description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"secondaryLdapServer" : {
"title" : "Secondary Active Directory Server",
"description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"primaryLdapServer" : {
"title" : "Primary Active Directory Server ",
"description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"secondaryLdapServer" : {
"title" : "Secondary Active Directory Server",
"description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"primaryLdapServer" : {
"title" : "Primary Active Directory Server ",
"description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"secondaryLdapServer" : {
"title" : "Secondary Active Directory Server",
"description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/adaptiverisk
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"iphistory" : {
"type" : "object",
"title" : "IP Address History",
"propertyOrder" : 3,
"properties" : {
"ipHistoryCount" : {
"title" : "History size",
"description" : "The number of client IP addresses to save in the history list.",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"ipHistoryCheckEnabled" : {
"title" : "IP History Check",
"description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"saveSuccessfulIP" : {
"title" : "Save Successful IP Address",
"description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.",
"propertyOrder" : 1300,
"required" : true,
"type" : "boolean"
},
"invertIPHistoryScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"ipHistoryProfileAttribute" : {
"title" : "Profile Attribute Name",
"description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"ipHistoryScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
}
}
},
"geolocation" : {
"type" : "object",
"title" : "Geo Location",
"propertyOrder" : 8,
"properties" : {
"invertGeolocationScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 4200,
"required" : true,
"type" : "boolean"
},
"geolocationCheckEnabled" : {
"title" : "Geolocation Country Code Check",
"description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
},
"geolocationScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
},
"geolocationValidCountryCodes" : {
"title" : "Valid Country Codes",
"description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"geolocationDatabaseLocation" : {
"title" : "Geolocation Database location",
"description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
}
}
},
"attributecheck" : {
"type" : "object",
"title" : "Profile Attribute",
"propertyOrder" : 7,
"properties" : {
"profileRiskAttributeValue" : {
"title" : "Attribute Value",
"description" : "The required value of the named attribute.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"profileRiskAttributeCheckEnabled" : {
"title" : "Profile Risk Attribute check",
"description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"invertProfileRiskAttributeScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 3200,
"required" : true,
"type" : "boolean"
},
"profileRiskAttributeName" : {
"title" : "Attribute Name",
"description" : "The name of the attribute to retrieve from the user profile in the data store.",
"propertyOrder" : 2900,
"required" : true,
"type" : "string"
},
"profileRiskAttributeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3100,
"required" : true,
"type" : "integer"
}
}
},
"requestheader" : {
"type" : "object",
"title" : "Request Header",
"propertyOrder" : 9,
"properties" : {
"requestHeaderCheckEnabled" : {
"title" : "Request Header Check",
"description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"requestHeaderScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4600,
"required" : true,
"type" : "integer"
},
"requestHeaderValue" : {
"title" : "Request Header Value",
"description" : "The required value of the named HTTP header.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"requestHeaderName" : {
"title" : "Request Header Name",
"description" : "The name of the required HTTP header.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"invertRequestHeaderScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 4700,
"required" : true,
"type" : "boolean"
}
}
},
"authfailed" : {
"type" : "object",
"title" : "Failed Authentications",
"propertyOrder" : 1,
"properties" : {
"failedAuthenticationCheckEnabled" : {
"title" : "Failed Authentication Check",
"description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"invertFailureScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"failureScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
},
"knowncookie" : {
"type" : "object",
"title" : "Known Cookie",
"propertyOrder" : 4,
"properties" : {
"createKnownCookieOnSuccessfulLogin" : {
"title" : "Save Cookie Value on Successful Login",
"description" : "The cookie will be created on the client after successful login.<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response.",
"propertyOrder" : 1900,
"required" : true,
"type" : "boolean"
},
"knownCookieCheckEnabled" : {
"title" : "Cookie Value Check",
"description" : "Enables the checking of a known cookie value in the client request.<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value, then the check will pass.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"knownCookieValue" : {
"title" : "Cookie Value",
"description" : "The value to be set on the cookie.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"knownCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"invertKnownCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"knownCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to set on the client.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"iprange" : {
"type" : "object",
"title" : "IP Address Range",
"propertyOrder" : 2,
"properties" : {
"ipRangeCheckEnabled" : {
"title" : "IP Range Check",
"description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses; if the client IP is found within that list, the check is successful.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"invertIPRangeScoreEnabled" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"ipRangeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"ipRange" : {
"title" : "IP Range",
"description" : "The list of IP addresses to compare against the client IP address.<br><br>The format of each IP address entry is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"lastlogin" : {
"type" : "object",
"title" : "Time Since Last Login",
"propertyOrder" : 6,
"properties" : {
"saveLastLoginTimeOnSuccessfulLogin" : {
"title" : "Save time of Successful Login",
"description" : "The last login time will be saved in a client cookie.<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time.",
"propertyOrder" : 2500,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginCheckEnabled" : {
"title" : "Time since Last login Check",
"description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"invertTimeSinceLastLoginScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2600,
"required" : true,
"type" : "integer"
},
"maxTimeSinceLastLogin" : {
"title" : "Max Time since Last login",
"description" : "The maximum number of days that can elapse before this test.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"timeSinceLastLoginCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie used to store the time of the last successful authentication.",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
}
}
},
"devicecookie" : {
"type" : "object",
"title" : "Device Cookie",
"propertyOrder" : 5,
"properties" : {
"deviceCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3600,
"required" : true,
"type" : "integer"
},
"invertDeviceCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
},
"saveDeviceCookieValueOnSuccessfulLogin" : {
"title" : "Save Device Registration on Successful Login",
"description" : "Set the device cookie on the client response.<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response.",
"propertyOrder" : 3500,
"required" : true,
"type" : "boolean"
},
"deviceCookieCheckEnabled" : {
"title" : "Device Registration Cookie Check",
"description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"deviceCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to be checked for (and optionally set) on the client request.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
}
}
},
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"riskThreshold" : {
"title" : "Risk Threshold",
"description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not pass, then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>; if the score is less than that threshold, the module will be successful.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"iphistory" : {
"type" : "object",
"title" : "IP Address History",
"propertyOrder" : 3,
"properties" : {
"ipHistoryCount" : {
"title" : "History size",
"description" : "The number of client IP addresses to save in the history list.",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"ipHistoryCheckEnabled" : {
"title" : "IP History Check",
"description" : "Enables the checking of the client IP address against a list of past IP addresses.<br><br>If this check is enabled, a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to the list if the overall authentication is successful (causing the oldest IP address to be removed).",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"saveSuccessfulIP" : {
"title" : "Save Successful IP Address",
"description" : "The IP History list will be updated in the data store.<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.",
"propertyOrder" : 1300,
"required" : true,
"type" : "boolean"
},
"invertIPHistoryScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"ipHistoryProfileAttribute" : {
"title" : "Profile Attribute Name",
"description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"ipHistoryScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
}
}
},
"geolocation" : {
"type" : "object",
"title" : "Geo Location",
"propertyOrder" : 8,
"properties" : {
"invertGeolocationScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 4200,
"required" : true,
"type" : "boolean"
},
"geolocationCheckEnabled" : {
"title" : "Geolocation Country Code Check",
"description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
},
"geolocationScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
},
"geolocationValidCountryCodes" : {
"title" : "Valid Country Codes",
"description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"geolocationDatabaseLocation" : {
"title" : "Geolocation Database location",
"description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
}
}
},
"attributecheck" : {
"type" : "object",
"title" : "Profile Attribute",
"propertyOrder" : 7,
"properties" : {
"profileRiskAttributeValue" : {
"title" : "Attribute Value",
"description" : "The required value of the named attribute.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"profileRiskAttributeCheckEnabled" : {
"title" : "Profile Risk Attribute check",
"description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the user's profile contains the required risk attribute and value.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"invertProfileRiskAttributeScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 3200,
"required" : true,
"type" : "boolean"
},
"profileRiskAttributeName" : {
"title" : "Attribute Name",
"description" : "The name of the attribute to retrieve from the user profile in the data store.",
"propertyOrder" : 2900,
"required" : true,
"type" : "string"
},
"profileRiskAttributeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3100,
"required" : true,
"type" : "integer"
}
}
},
"requestheader" : {
"type" : "object",
"title" : "Request Header",
"propertyOrder" : 9,
"properties" : {
"requestHeaderCheckEnabled" : {
"title" : "Request Header Check",
"description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"requestHeaderScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4600,
"required" : true,
"type" : "integer"
},
"requestHeaderValue" : {
"title" : "Request Header Value",
"description" : "The required value of the named HTTP header.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"requestHeaderName" : {
"title" : "Request Header Name",
"description" : "The name of the required HTTP header.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"invertRequestHeaderScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 4700,
"required" : true,
"type" : "boolean"
}
}
},
"authfailed" : {
"type" : "object",
"title" : "Failed Authentications",
"propertyOrder" : 1,
"properties" : {
"failedAuthenticationCheckEnabled" : {
"title" : "Failed Authentication Check",
"description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"invertFailureScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"failureScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
},
"knowncookie" : {
"type" : "object",
"title" : "Known Cookie",
"propertyOrder" : 4,
"properties" : {
"createKnownCookieOnSuccessfulLogin" : {
"title" : "Save Cookie Value on Successful Login",
"description" : "The cookie will be created on the client after successful login.<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response.",
"propertyOrder" : 1900,
"required" : true,
"type" : "boolean"
},
"knownCookieCheckEnabled" : {
"title" : "Cookie Value Check",
"description" : "Enables the checking of a known cookie value in the client request.<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value, then the check will pass.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"knownCookieValue" : {
"title" : "Cookie Value",
"description" : "The value to be set on the cookie.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"knownCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"invertKnownCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"knownCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to set on the client.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"iprange" : {
"type" : "object",
"title" : "IP Address Range",
"propertyOrder" : 2,
"properties" : {
"ipRangeCheckEnabled" : {
"title" : "IP Range Check",
"description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses; if the client IP is found within that list, the check is successful.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"invertIPRangeScoreEnabled" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"ipRangeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"ipRange" : {
"title" : "IP Range",
"description" : "The list of IP addresses to compare against the client IP address.<br><br>The format of each IP address entry is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"lastlogin" : {
"type" : "object",
"title" : "Time Since Last Login",
"propertyOrder" : 6,
"properties" : {
"saveLastLoginTimeOnSuccessfulLogin" : {
"title" : "Save time of Successful Login",
"description" : "The last login time will be saved in a client cookie.<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time.",
"propertyOrder" : 2500,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginCheckEnabled" : {
"title" : "Time since Last login Check",
"description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"invertTimeSinceLastLoginScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2600,
"required" : true,
"type" : "integer"
},
"maxTimeSinceLastLogin" : {
"title" : "Max Time since Last login",
"description" : "The maximum number of days that can elapse before this test.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"timeSinceLastLoginCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie used to store the time of the last successful authentication.",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
}
}
},
"devicecookie" : {
"type" : "object",
"title" : "Device Cookie",
"propertyOrder" : 5,
"properties" : {
"deviceCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3600,
"required" : true,
"type" : "integer"
},
"invertDeviceCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
},
"saveDeviceCookieValueOnSuccessfulLogin" : {
"title" : "Save Device Registration on Successful Login",
"description" : "Set the device cookie on the client response.<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response.",
"propertyOrder" : 3500,
"required" : true,
"type" : "boolean"
},
"deviceCookieCheckEnabled" : {
"title" : "Device Registration Cookie Check",
"description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"deviceCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to be checked for (and optionally set) on the client request.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
}
}
},
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"riskThreshold" : {
"title" : "Risk Threshold",
"description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not pass, then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>; if the score is less than that threshold, the module will be successful.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
}
}
/realm-config/authentication/modules/adaptiverisk/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"iphistory" : {
"type" : "object",
"title" : "IP Address History",
"propertyOrder" : 3,
"properties" : {
"ipHistoryCount" : {
"title" : "History size",
"description" : "The number of client IP addresses to save in the history list.",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"ipHistoryCheckEnabled" : {
"title" : "IP History Check",
"description" : "Enables the checking of the client IP address against a list of past IP addresses.<br><br>If this check is enabled, a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to the list if the overall authentication is successful (causing the oldest IP address to be removed).",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"saveSuccessfulIP" : {
"title" : "Save Successful IP Address",
"description" : "The IP History list will be updated in the data store.<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.",
"propertyOrder" : 1300,
"required" : true,
"type" : "boolean"
},
"invertIPHistoryScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"ipHistoryProfileAttribute" : {
"title" : "Profile Attribute Name",
"description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"ipHistoryScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
}
}
},
"geolocation" : {
"type" : "object",
"title" : "Geo Location",
"propertyOrder" : 8,
"properties" : {
"invertGeolocationScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 4200,
"required" : true,
"type" : "boolean"
},
"geolocationCheckEnabled" : {
"title" : "Geolocation Country Code Check",
"description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
},
"geolocationScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
},
"geolocationValidCountryCodes" : {
"title" : "Valid Country Codes",
"description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"geolocationDatabaseLocation" : {
"title" : "Geolocation Database location",
"description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
}
}
},
"attributecheck" : {
"type" : "object",
"title" : "Profile Attribute",
"propertyOrder" : 7,
"properties" : {
"profileRiskAttributeValue" : {
"title" : "Attribute Value",
"description" : "The required value of the named attribute.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"profileRiskAttributeCheckEnabled" : {
"title" : "Profile Risk Attribute check",
"description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the user's profile contains the required risk attribute and value.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"invertProfileRiskAttributeScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; on failure the score will not be incremented.",
"propertyOrder" : 3200,
"required" : true,
"type" : "boolean"
},
"profileRiskAttributeName" : {
"title" : "Attribute Name",
"description" : "The name of the attribute to retrieve from the user profile in the data store.",
"propertyOrder" : 2900,
"required" : true,
"type" : "string"
},
"profileRiskAttributeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3100,
"required" : true,
"type" : "integer"
}
}
},
"requestheader" : {
"type" : "object",
"title" : "Request Header",
"propertyOrder" : 9,
"properties" : {
"requestHeaderCheckEnabled" : {
"title" : "Request Header Check",
"description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"requestHeaderScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4600,
"required" : true,
"type" : "integer"
},
"requestHeaderValue" : {
"title" : "Request Header Value",
"description" : "The required value of the named HTTP header.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"requestHeaderName" : {
"title" : "Request Header Name",
"description" : "The name of the required HTTP header.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"invertRequestHeaderScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 4700,
"required" : true,
"type" : "boolean"
}
}
},
"authfailed" : {
"type" : "object",
"title" : "Failed Authentications",
"propertyOrder" : 1,
"properties" : {
"failedAuthenticationCheckEnabled" : {
"title" : "Failed Authentication Check",
"description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"invertFailureScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"failureScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
},
"knowncookie" : {
"type" : "object",
"title" : "Known Cookie",
"propertyOrder" : 4,
"properties" : {
"createKnownCookieOnSuccessfulLogin" : {
"title" : "Save Cookie Value on Successful Login",
"description" : "The cookie will be created on the client after successful login.<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response.",
"propertyOrder" : 1900,
"required" : true,
"type" : "boolean"
},
"knownCookieCheckEnabled" : {
"title" : "Cookie Value Check",
"description" : "Enables the checking of a known cookie value in the client request.<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value, the check will pass.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"knownCookieValue" : {
"title" : "Cookie Value",
"description" : "The value to be set on the cookie.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"knownCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"invertKnownCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"knownCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to set on the client.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"iprange" : {
"type" : "object",
"title" : "IP Address Range",
"propertyOrder" : 2,
"properties" : {
"ipRangeCheckEnabled" : {
"title" : "IP Range Check",
"description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the client IP address against the configured list; if the client IP is found in that list, the check passes.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"invertIPRangeScoreEnabled" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"ipRangeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"ipRange" : {
"title" : "IP Range",
"description" : "The list of IP addresses to compare against the client IP address.<br><br>Each entry may use one of the following formats:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"lastlogin" : {
"type" : "object",
"title" : "Time Since Last Login",
"propertyOrder" : 6,
"properties" : {
"saveLastLoginTimeOnSuccessfulLogin" : {
"title" : "Save time of Successful Login",
"description" : "The last login time will be saved in a client cookie.<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time.",
"propertyOrder" : 2500,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginCheckEnabled" : {
"title" : "Time since Last login Check",
"description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"invertTimeSinceLastLoginScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2600,
"required" : true,
"type" : "integer"
},
"maxTimeSinceLastLogin" : {
"title" : "Max Time since Last login",
"description" : "The maximum number of days that may elapse since the last successful login before this check fails.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"timeSinceLastLoginCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie used to store the time of the last successful authentication.",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
}
}
},
"devicecookie" : {
"type" : "object",
"title" : "Device Cookie",
"propertyOrder" : 5,
"properties" : {
"deviceCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3600,
"required" : true,
"type" : "integer"
},
"invertDeviceCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
},
"saveDeviceCookieValueOnSuccessfulLogin" : {
"title" : "Save Device Registration on Successful Login",
"description" : "Set the device cookie on the client response.<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response.",
"propertyOrder" : 3500,
"required" : true,
"type" : "boolean"
},
"deviceCookieCheckEnabled" : {
"title" : "Device Registration Cookie Check",
"description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"deviceCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to be checked for (and optionally set) on the client request.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
}
}
},
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"riskThreshold" : {
"title" : "Risk Threshold",
"description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Many of the adaptive risk checks have an associated score; if a check does not pass, its score is added to the running total. The final score is then compared with the <i>Risk Threshold</i>; if the score is less than that threshold, the module succeeds.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"iphistory" : {
"type" : "object",
"title" : "IP Address History",
"propertyOrder" : 3,
"properties" : {
"ipHistoryCount" : {
"title" : "History size",
"description" : "The number of client IP addresses to save in the history list.",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"ipHistoryCheckEnabled" : {
"title" : "IP History Check",
"description" : "Enables the checking of the client IP address against a list of past IP addresses.<br><br>If this check is enabled, a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to the list if the overall authentication is successful (causing the oldest IP address to be removed).",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"saveSuccessfulIP" : {
"title" : "Save Successful IP Address",
"description" : "The IP history list will be updated in the data store.<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.",
"propertyOrder" : 1300,
"required" : true,
"type" : "boolean"
},
"invertIPHistoryScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"ipHistoryProfileAttribute" : {
"title" : "Profile Attribute Name",
"description" : "The name of the attribute used to store the IP history list in the data store.<br><br>The IP history list is stored in the data store, so the data store must be able to store values under the configured attribute name. If you are using a directory server as the backend, make sure the data store configuration contains the necessary object class and attribute settings.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"ipHistoryScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
}
}
},
"geolocation" : {
"type" : "object",
"title" : "Geo Location",
"propertyOrder" : 8,
"properties" : {
"invertGeolocationScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 4200,
"required" : true,
"type" : "boolean"
},
"geolocationCheckEnabled" : {
"title" : "Geolocation Country Code Check",
"description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
},
"geolocationScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
},
"geolocationValidCountryCodes" : {
"title" : "Valid Country Codes",
"description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"geolocationDatabaseLocation" : {
"title" : "Geolocation Database location",
"description" : "The path to the geolocation database file.<br><br>The geolocation database is not distributed with OpenAM; you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
}
}
},
"attributecheck" : {
"type" : "object",
"title" : "Profile Attribute",
"propertyOrder" : 7,
"properties" : {
"profileRiskAttributeValue" : {
"title" : "Attribute Value",
"description" : "The required value of the named attribute.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"profileRiskAttributeCheckEnabled" : {
"title" : "Profile Risk Attribute check",
"description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the user's profile contains the required risk attribute and value.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"invertProfileRiskAttributeScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 3200,
"required" : true,
"type" : "boolean"
},
"profileRiskAttributeName" : {
"title" : "Attribute Name",
"description" : "The name of the attribute to retrieve from the user profile in the data store.",
"propertyOrder" : 2900,
"required" : true,
"type" : "string"
},
"profileRiskAttributeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3100,
"required" : true,
"type" : "integer"
}
}
},
"requestheader" : {
"type" : "object",
"title" : "Request Header",
"propertyOrder" : 9,
"properties" : {
"requestHeaderCheckEnabled" : {
"title" : "Request Header Check",
"description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"requestHeaderScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4600,
"required" : true,
"type" : "integer"
},
"requestHeaderValue" : {
"title" : "Request Header Value",
"description" : "The required value of the named HTTP header.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"requestHeaderName" : {
"title" : "Request Header Name",
"description" : "The name of the required HTTP header.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"invertRequestHeaderScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 4700,
"required" : true,
"type" : "boolean"
}
}
},
"authfailed" : {
"type" : "object",
"title" : "Failed Authentications",
"propertyOrder" : 1,
"properties" : {
"failedAuthenticationCheckEnabled" : {
"title" : "Failed Authentication Check",
"description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"invertFailureScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"failureScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
},
"knowncookie" : {
"type" : "object",
"title" : "Known Cookie",
"propertyOrder" : 4,
"properties" : {
"createKnownCookieOnSuccessfulLogin" : {
"title" : "Save Cookie Value on Successful Login",
"description" : "The cookie will be created on the client after successful login.<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response.",
"propertyOrder" : 1900,
"required" : true,
"type" : "boolean"
},
"knownCookieCheckEnabled" : {
"title" : "Cookie Value Check",
"description" : "Enables the checking of a known cookie value in the client request.<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value, the check will pass.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"knownCookieValue" : {
"title" : "Cookie Value",
"description" : "The value to be set on the cookie.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"knownCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"invertKnownCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"knownCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to set on the client.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"iprange" : {
"type" : "object",
"title" : "IP Address Range",
"propertyOrder" : 2,
"properties" : {
"ipRangeCheckEnabled" : {
"title" : "IP Range Check",
"description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the client IP address against the configured list; if the client IP is found in that list, the check passes.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"invertIPRangeScoreEnabled" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"ipRangeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"ipRange" : {
"title" : "IP Range",
"description" : "The list of IP addresses to compare against the client IP address.<br><br>Each entry may use one of the following formats:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"lastlogin" : {
"type" : "object",
"title" : "Time Since Last Login",
"propertyOrder" : 6,
"properties" : {
"saveLastLoginTimeOnSuccessfulLogin" : {
"title" : "Save time of Successful Login",
"description" : "The last login time will be saved in a client cookie.<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time.",
"propertyOrder" : 2500,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginCheckEnabled" : {
"title" : "Time since Last login Check",
"description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"invertTimeSinceLastLoginScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2600,
"required" : true,
"type" : "integer"
},
"maxTimeSinceLastLogin" : {
"title" : "Max Time since Last login",
"description" : "The maximum number of days that may elapse since the last successful login before this check fails.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"timeSinceLastLoginCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie used to store the time of the last successful authentication.",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
}
}
},
"devicecookie" : {
"type" : "object",
"title" : "Device Cookie",
"propertyOrder" : 5,
"properties" : {
"deviceCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3600,
"required" : true,
"type" : "integer"
},
"invertDeviceCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
},
"saveDeviceCookieValueOnSuccessfulLogin" : {
"title" : "Save Device Registration on Successful Login",
"description" : "Set the device cookie on the client response.<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response.",
"propertyOrder" : 3500,
"required" : true,
"type" : "boolean"
},
"deviceCookieCheckEnabled" : {
"title" : "Device Registration Cookie Check",
"description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"deviceCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to be checked for (and optionally set) on the client request.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
}
}
},
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"riskThreshold" : {
"title" : "Risk Threshold",
"description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Many of the adaptive risk checks have an associated score; if a check does not pass, its score is added to the running total. The final score is then compared with the <i>Risk Threshold</i>; if the score is less than that threshold, the module succeeds.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"iphistory" : {
"type" : "object",
"title" : "IP Address History",
"propertyOrder" : 3,
"properties" : {
"ipHistoryCount" : {
"title" : "History size",
"description" : "The number of client IP addresses to save in the history list.",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"ipHistoryCheckEnabled" : {
"title" : "IP History Check",
"description" : "Enables the checking of the client IP address against a list of past IP addresses.<br><br>If this check is enabled, a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to the list if the overall authentication is successful (causing the oldest IP address to be removed).",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"saveSuccessfulIP" : {
"title" : "Save Successful IP Address",
"description" : "The IP history list will be updated in the data store.<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.",
"propertyOrder" : 1300,
"required" : true,
"type" : "boolean"
},
"invertIPHistoryScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"ipHistoryProfileAttribute" : {
"title" : "Profile Attribute Name",
"description" : "The name of the attribute used to store the IP history list in the data store.<br><br>The IP history list is stored in the data store, so the data store must be able to store values under the configured attribute name. If you are using a directory server as the backend, make sure the data store configuration contains the necessary object class and attribute settings.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"ipHistoryScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
}
}
},
"geolocation" : {
"type" : "object",
"title" : "Geo Location",
"propertyOrder" : 8,
"properties" : {
"invertGeolocationScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 4200,
"required" : true,
"type" : "boolean"
},
"geolocationCheckEnabled" : {
"title" : "Geolocation Country Code Check",
"description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
},
"geolocationScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
},
"geolocationValidCountryCodes" : {
"title" : "Valid Country Codes",
"description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"geolocationDatabaseLocation" : {
"title" : "Geolocation Database location",
"description" : "The path to the geolocation database file.<br><br>The geolocation database is not distributed with OpenAM; you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
}
}
},
"attributecheck" : {
"type" : "object",
"title" : "Profile Attribute",
"propertyOrder" : 7,
"properties" : {
"profileRiskAttributeValue" : {
"title" : "Attribute Value",
"description" : "The required value of the named attribute.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"profileRiskAttributeCheckEnabled" : {
"title" : "Profile Risk Attribute check",
"description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the user's profile contains the required risk attribute and value.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"invertProfileRiskAttributeScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 3200,
"required" : true,
"type" : "boolean"
},
"profileRiskAttributeName" : {
"title" : "Attribute Name",
"description" : "The name of the attribute to retrieve from the user profile in the data store.",
"propertyOrder" : 2900,
"required" : true,
"type" : "string"
},
"profileRiskAttributeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3100,
"required" : true,
"type" : "integer"
}
}
},
"requestheader" : {
"type" : "object",
"title" : "Request Header",
"propertyOrder" : 9,
"properties" : {
"requestHeaderCheckEnabled" : {
"title" : "Request Header Check",
"description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"requestHeaderScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4600,
"required" : true,
"type" : "integer"
},
"requestHeaderValue" : {
"title" : "Request Header Value",
"description" : "The required value of the named HTTP header.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"requestHeaderName" : {
"title" : "Request Header Name",
"description" : "The name of the required HTTP header.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"invertRequestHeaderScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds, the score will be included in the total; if it fails, the score will not be incremented.",
"propertyOrder" : 4700,
"required" : true,
"type" : "boolean"
}
}
},
"authfailed" : {
"type" : "object",
"title" : "Failed Authentications",
"propertyOrder" : 1,
"properties" : {
"failedAuthenticationCheckEnabled" : {
"title" : "Failed Authentication Check",
"description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"invertFailureScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"failureScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
},
"knowncookie" : {
"type" : "object",
"title" : "Known Cookie",
"propertyOrder" : 4,
"properties" : {
"createKnownCookieOnSuccessfulLogin" : {
"title" : "Save Cookie Value on Successful Login",
"description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response",
"propertyOrder" : 1900,
"required" : true,
"type" : "boolean"
},
"knownCookieCheckEnabled" : {
"title" : "Cookie Value Check",
"description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"knownCookieValue" : {
"title" : "Cookie Value",
"description" : "The value to be set on the cookie.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"knownCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"invertKnownCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"knownCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to set on the client.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"iprange" : {
"type" : "object",
"title" : "IP Address Range",
"propertyOrder" : 2,
"properties" : {
"ipRangeCheckEnabled" : {
"title" : "IP Range Check",
"description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"invertIPRangeScoreEnabled" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"ipRangeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"ipRange" : {
"title" : "IP Range",
"description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"lastlogin" : {
"type" : "object",
"title" : "Time Since Last Login",
"propertyOrder" : 6,
"properties" : {
"saveLastLoginTimeOnSuccessfulLogin" : {
"title" : "Save time of Successful Login",
"description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time",
"propertyOrder" : 2500,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginCheckEnabled" : {
"title" : "Time since Last login Check",
"description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"invertTimeSinceLastLoginScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2600,
"required" : true,
"type" : "integer"
},
"maxTimeSinceLastLogin" : {
"title" : "Max Time since Last login",
"description" : "The maximum number of days that can elapse before this test.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"timeSinceLastLoginCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie used to store the time of the last successful authentication.",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
}
}
},
"devicecookie" : {
"type" : "object",
"title" : "Device Cookie",
"propertyOrder" : 5,
"properties" : {
"deviceCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3600,
"required" : true,
"type" : "integer"
},
"invertDeviceCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
},
"saveDeviceCookieValueOnSuccessfulLogin" : {
"title" : "Save Device Registration on Successful Login",
"description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response",
"propertyOrder" : 3500,
"required" : true,
"type" : "boolean"
},
"deviceCookieCheckEnabled" : {
"title" : "Device Registration Cookie Check",
"description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"deviceCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to be checked for (and optionally set) on the client request",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
}
}
},
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"riskThreshold" : {
"title" : "Risk Threshold",
"description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"iphistory" : {
"type" : "object",
"title" : "IP Address History",
"propertyOrder" : 3,
"properties" : {
"ipHistoryCount" : {
"title" : "History size",
"description" : "The number of client IP addresses to save in the history list.",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"ipHistoryCheckEnabled" : {
"title" : "IP History Check",
"description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"saveSuccessfulIP" : {
"title" : "Save Successful IP Address",
"description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.",
"propertyOrder" : 1300,
"required" : true,
"type" : "boolean"
},
"invertIPHistoryScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"ipHistoryProfileAttribute" : {
"title" : "Profile Attribute Name",
"description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"ipHistoryScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
}
}
},
"geolocation" : {
"type" : "object",
"title" : "Geo Location",
"propertyOrder" : 8,
"properties" : {
"invertGeolocationScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 4200,
"required" : true,
"type" : "boolean"
},
"geolocationCheckEnabled" : {
"title" : "Geolocation Country Code Check",
"description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3800,
"required" : true,
"type" : "boolean"
},
"geolocationScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4100,
"required" : true,
"type" : "integer"
},
"geolocationValidCountryCodes" : {
"title" : "Valid Country Codes",
"description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"geolocationDatabaseLocation" : {
"title" : "Geolocation Database location",
"description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
}
}
},
"attributecheck" : {
"type" : "object",
"title" : "Profile Attribute",
"propertyOrder" : 7,
"properties" : {
"profileRiskAttributeValue" : {
"title" : "Attribute Value",
"description" : "The required value of the named attribute.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"profileRiskAttributeCheckEnabled" : {
"title" : "Profile Risk Attribute check",
"description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"invertProfileRiskAttributeScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 3200,
"required" : true,
"type" : "boolean"
},
"profileRiskAttributeName" : {
"title" : "Attribute Name",
"description" : "The name of the attribute to retrieve from the user profile in the data store.",
"propertyOrder" : 2900,
"required" : true,
"type" : "string"
},
"profileRiskAttributeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3100,
"required" : true,
"type" : "integer"
}
}
},
"requestheader" : {
"type" : "object",
"title" : "Request Header",
"propertyOrder" : 9,
"properties" : {
"requestHeaderCheckEnabled" : {
"title" : "Request Header Check",
"description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"requestHeaderScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 4600,
"required" : true,
"type" : "integer"
},
"requestHeaderValue" : {
"title" : "Request Header Value",
"description" : "The required value of the named HTTP header.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"requestHeaderName" : {
"title" : "Request Header Name",
"description" : "The name of the required HTTP header ",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"invertRequestHeaderScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 4700,
"required" : true,
"type" : "boolean"
}
}
},
"authfailed" : {
"type" : "object",
"title" : "Failed Authentications",
"propertyOrder" : 1,
"properties" : {
"failedAuthenticationCheckEnabled" : {
"title" : "Failed Authentication Check",
"description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"invertFailureScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"failureScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
}
}
},
"knowncookie" : {
"type" : "object",
"title" : "Known Cookie",
"propertyOrder" : 4,
"properties" : {
"createKnownCookieOnSuccessfulLogin" : {
"title" : "Save Cookie Value on Successful Login",
"description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response",
"propertyOrder" : 1900,
"required" : true,
"type" : "boolean"
},
"knownCookieCheckEnabled" : {
"title" : "Cookie Value Check",
"description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"knownCookieValue" : {
"title" : "Cookie Value",
"description" : "The value to be set on the cookie.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"knownCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"invertKnownCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"knownCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to set on the client.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"iprange" : {
"type" : "object",
"title" : "IP Address Range",
"propertyOrder" : 2,
"properties" : {
"ipRangeCheckEnabled" : {
"title" : "IP Range Check",
"description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"invertIPRangeScoreEnabled" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"ipRangeScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"ipRange" : {
"title" : "IP Range",
"description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"lastlogin" : {
"type" : "object",
"title" : "Time Since Last Login",
"propertyOrder" : 6,
"properties" : {
"saveLastLoginTimeOnSuccessfulLogin" : {
"title" : "Save time of Successful Login",
"description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time",
"propertyOrder" : 2500,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginCheckEnabled" : {
"title" : "Time since Last login Check",
"description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
},
"invertTimeSinceLastLoginScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"timeSinceLastLoginScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 2600,
"required" : true,
"type" : "integer"
},
"maxTimeSinceLastLogin" : {
"title" : "Max Time since Last login",
"description" : "The maximum number of days that can elapse before this test.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"timeSinceLastLoginCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie used to store the time of the last successful authentication.",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
}
}
},
"devicecookie" : {
"type" : "object",
"title" : "Device Cookie",
"propertyOrder" : 5,
"properties" : {
"deviceCookieScore" : {
"title" : "Score",
"description" : "The amount to increment the score if this check fails.",
"propertyOrder" : 3600,
"required" : true,
"type" : "integer"
},
"invertDeviceCookieScore" : {
"title" : "Invert Result",
"description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
"propertyOrder" : 3700,
"required" : true,
"type" : "boolean"
},
"saveDeviceCookieValueOnSuccessfulLogin" : {
"title" : "Save Device Registration on Successful Login",
"description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response",
"propertyOrder" : 3500,
"required" : true,
"type" : "boolean"
},
"deviceCookieCheckEnabled" : {
"title" : "Device Registration Cookie Check",
"description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"deviceCookieName" : {
"title" : "Cookie Name",
"description" : "The name of the cookie to be checked for (and optionally set) on the client request",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
}
}
},
"general" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"riskThreshold" : {
"title" : "Risk Threshold",
"description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
}
}
/realm-config/authentication/modules/amster
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "If not enabled, prevents PKI login using the Amster module.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"authorizedKeys" : {
"title" : "Authorized Keys",
"description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "If not enabled, prevents PKI login using the Amster module.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"authorizedKeys" : {
"title" : "Authorized Keys",
"description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/amster/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "If not enabled, prevents PKI login using the Amster module.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"authorizedKeys" : {
"title" : "Authorized Keys",
"description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "If not enabled, prevents PKI login using the Amster module.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"authorizedKeys" : {
"title" : "Authorized Keys",
"description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "If not enabled, prevents PKI login using the Amster module.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"authorizedKeys" : {
"title" : "Authorized Keys",
"description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "If not enabled, prevents PKI login using the Amster module.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"authorizedKeys" : {
"title" : "Authorized Keys",
"description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/anonymous
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaultAnonymousUsername" : {
"title" : "Default Anonymous User Name",
"description" : "The default username to use if no username is supplied during authentication.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"caseSensitiveUsernameMatchingEnabled" : {
"title" : "Case Sensitive User IDs",
"description" : "If enabled, username matching will be case sensitive.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"validAnonymousUsers" : {
"title" : "Valid Anonymous Users",
"description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allows anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaultAnonymousUsername" : {
"title" : "Default Anonymous User Name",
"description" : "The default username to use if no username is supplied during authentication.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"caseSensitiveUsernameMatchingEnabled" : {
"title" : "Case Sensitive User IDs",
"description" : "If enabled, username matching will be case sensitive.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"validAnonymousUsers" : {
"title" : "Valid Anonymous Users",
"description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allows anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
/realm-config/authentication/modules/anonymous/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaultAnonymousUsername" : {
"title" : "Default Anonymous User Name",
"description" : "The default username to use if no username is supplied during authentication.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"caseSensitiveUsernameMatchingEnabled" : {
"title" : "Case Sensitive User IDs",
"description" : "If enabled, username matching will be case sensitive.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"validAnonymousUsers" : {
"title" : "Valid Anonymous Users",
"description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allows anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaultAnonymousUsername" : {
"title" : "Default Anonymous User Name",
"description" : "The default username to use if no username is supplied during authentication.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"caseSensitiveUsernameMatchingEnabled" : {
"title" : "Case Sensitive User IDs",
"description" : "If enabled, username matching will be case sensitive.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"validAnonymousUsers" : {
"title" : "Valid Anonymous Users",
"description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allows anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaultAnonymousUsername" : {
"title" : "Default Anonymous User Name",
"description" : "The default username to use if no username is supplied during authentication.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"caseSensitiveUsernameMatchingEnabled" : {
"title" : "Case Sensitive User IDs",
"description" : "If enabled, username matching will be case sensitive.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"validAnonymousUsers" : {
"title" : "Valid Anonymous Users",
"description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allows anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"defaultAnonymousUsername" : {
"title" : "Default Anonymous User Name",
"description" : "The default username to use if no username is supplied during authentication.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"caseSensitiveUsernameMatchingEnabled" : {
"title" : "Case Sensitive User IDs",
"description" : "If enabled, username matching will be case sensitive.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"validAnonymousUsers" : {
"title" : "Valid Anonymous Users",
"description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allows anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
/realm-config/authentication/modules/authJwtPoP
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"responseEncryptionCipher" : {
"title" : "Response Encryption Cipher",
"description" : "The authenticated encryption (AEAD) scheme to use for the response.",
"propertyOrder" : 350,
"required" : true,
"type" : "string"
},
"challengeSigningKey" : {
"title" : "Challenge Signing Key",
"description" : "Name of the key (in the AM keystore) to use to sign challenges.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"enableTlsSessionBinding" : {
"title" : "Use TLS Session Binding",
"description" : "If enabled the response must arrive in the same TLS (HTTPS) session as the challenge was issued.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"subjectJwkSetAttr" : {
"title" : "Subject JWK Set Attribute",
"description" : "Subject profile attribute that contains a JWK Set of confirmation and encryption keys.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"responseEncryptionMethod" : {
"title" : "Response Encryption Scheme",
"description" : "Key exchange method to use for responses: ephemeral elliptic curve Diffie-Hellman (ECDHE)key agreement or using a pre-shared key (PSK) from the subject's JWK Set.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.",
"propertyOrder" : 10000,
"required" : true,
"type" : "integer"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"responseEncryptionCipher" : {
"title" : "Response Encryption Cipher",
"description" : "The authenticated encryption (AEAD) scheme to use for the response.",
"propertyOrder" : 350,
"required" : true,
"type" : "string"
},
"challengeSigningKey" : {
"title" : "Challenge Signing Key",
"description" : "Name of the key (in the AM keystore) to use to sign challenges.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"enableTlsSessionBinding" : {
"title" : "Use TLS Session Binding",
"description" : "If enabled the response must arrive in the same TLS (HTTPS) session as the challenge was issued.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"subjectJwkSetAttr" : {
"title" : "Subject JWK Set Attribute",
"description" : "Subject profile attribute that contains a JWK Set of confirmation and encryption keys.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"responseEncryptionMethod" : {
"title" : "Response Encryption Scheme",
"description" : "Key exchange method to use for responses: ephemeral elliptic curve Diffie-Hellman (ECDHE)key agreement or using a pre-shared key (PSK) from the subject's JWK Set.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.",
"propertyOrder" : 10000,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/authJwtPoP/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"responseEncryptionCipher" : {
"title" : "Response Encryption Cipher",
"description" : "The authenticated encryption (AEAD) scheme to use for the response.",
"propertyOrder" : 350,
"required" : true,
"type" : "string"
},
"challengeSigningKey" : {
"title" : "Challenge Signing Key",
"description" : "Name of the key (in the AM keystore) to use to sign challenges.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"enableTlsSessionBinding" : {
"title" : "Use TLS Session Binding",
"description" : "If enabled the response must arrive in the same TLS (HTTPS) session as the challenge was issued.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"subjectJwkSetAttr" : {
"title" : "Subject JWK Set Attribute",
"description" : "Subject profile attribute that contains a JWK Set of confirmation and encryption keys.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"responseEncryptionMethod" : {
"title" : "Response Encryption Scheme",
"description" : "Key exchange method to use for responses: ephemeral elliptic curve Diffie-Hellman (ECDHE)key agreement or using a pre-shared key (PSK) from the subject's JWK Set.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.",
"propertyOrder" : 10000,
"required" : true,
"type" : "integer"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"responseEncryptionCipher" : {
"title" : "Response Encryption Cipher",
"description" : "The authenticated encryption (AEAD) scheme to use for the response.",
"propertyOrder" : 350,
"required" : true,
"type" : "string"
},
"challengeSigningKey" : {
"title" : "Challenge Signing Key",
"description" : "Name of the key (in the AM keystore) to use to sign challenges.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"enableTlsSessionBinding" : {
"title" : "Use TLS Session Binding",
"description" : "If enabled the response must arrive in the same TLS (HTTPS) session as the challenge was issued.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"subjectJwkSetAttr" : {
"title" : "Subject JWK Set Attribute",
"description" : "Subject profile attribute that contains a JWK Set of confirmation and encryption keys.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"responseEncryptionMethod" : {
"title" : "Response Encryption Scheme",
"description" : "Key exchange method to use for responses: ephemeral elliptic curve Diffie-Hellman (ECDHE)key agreement or using a pre-shared key (PSK) from the subject's JWK Set.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.",
"propertyOrder" : 10000,
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"responseEncryptionCipher" : {
"title" : "Response Encryption Cipher",
"description" : "The authenticated encryption (AEAD) scheme to use for the response.",
"propertyOrder" : 350,
"required" : true,
"type" : "string"
},
"challengeSigningKey" : {
"title" : "Challenge Signing Key",
"description" : "Name of the key (in the AM keystore) to use to sign challenges.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"enableTlsSessionBinding" : {
"title" : "Use TLS Session Binding",
"description" : "If enabled the response must arrive in the same TLS (HTTPS) session as the challenge was issued.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"subjectJwkSetAttr" : {
"title" : "Subject JWK Set Attribute",
"description" : "Subject profile attribute that contains a JWK Set of confirmation and encryption keys.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"responseEncryptionMethod" : {
"title" : "Response Encryption Scheme",
"description" : "Key exchange method to use for responses: ephemeral elliptic curve Diffie-Hellman (ECDHE)key agreement or using a pre-shared key (PSK) from the subject's JWK Set.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.",
"propertyOrder" : 10000,
"required" : true,
"type" : "integer"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"responseEncryptionCipher" : {
"title" : "Response Encryption Cipher",
"description" : "The authenticated encryption (AEAD) scheme to use for the response.",
"propertyOrder" : 350,
"required" : true,
"type" : "string"
},
"challengeSigningKey" : {
"title" : "Challenge Signing Key",
"description" : "Name of the key (in the AM keystore) to use to sign challenges.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"enableTlsSessionBinding" : {
"title" : "Use TLS Session Binding",
"description" : "If enabled the response must arrive in the same TLS (HTTPS) session as the challenge was issued.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"subjectJwkSetAttr" : {
"title" : "Subject JWK Set Attribute",
"description" : "Subject profile attribute that contains a JWK Set of confirmation and encryption keys.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"responseEncryptionMethod" : {
"title" : "Response Encryption Scheme",
"description" : "Key exchange method to use for responses: ephemeral elliptic curve Diffie-Hellman (ECDHE)key agreement or using a pre-shared key (PSK) from the subject's JWK Set.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.",
"propertyOrder" : 10000,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/authPush
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"pushMessage" : {
"title" : "Login Message",
"description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeoutInMilliSecconds" : {
"title" : "Return Message Timeout (ms)",
"description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"pushMessage" : {
"title" : "Login Message",
"description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeoutInMilliSecconds" : {
"title" : "Return Message Timeout (ms)",
"description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/authPush/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"pushMessage" : {
"title" : "Login Message",
"description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeoutInMilliSecconds" : {
"title" : "Return Message Timeout (ms)",
"description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"pushMessage" : {
"title" : "Login Message",
"description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeoutInMilliSecconds" : {
"title" : "Return Message Timeout (ms)",
"description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"pushMessage" : {
"title" : "Login Message",
"description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeoutInMilliSecconds" : {
"title" : "Return Message Timeout (ms)",
"description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"pushMessage" : {
"title" : "Login Message",
"description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeoutInMilliSecconds" : {
"title" : "Return Message Timeout (ms)",
"description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/authPushReg
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"bgcolour" : {
"title" : "Background Colour",
"description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"imgUrl" : {
"title" : "Image URL",
"description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"exampleValue" : "http://example.com/image.png"
},
"timeoutInMilliSecconds" : {
"title" : "Registration Response Timeout (ms)",
"description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"issuer" : {
"title" : "Issuer Name",
"description" : "The name of the service as it will appear on the registered device.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"appleLink" : {
"title" : "App Store App URL",
"description" : "URL of the app to download on the App Store.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"googleLink" : {
"title" : "Google Play URL",
"description" : "URL of the app to download on Google Play.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"bgcolour" : {
"title" : "Background Colour",
"description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"imgUrl" : {
"title" : "Image URL",
"description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"exampleValue" : "http://example.com/image.png"
},
"timeoutInMilliSecconds" : {
"title" : "Registration Response Timeout (ms)",
"description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"issuer" : {
"title" : "Issuer Name",
"description" : "The name of the service as it will appear on the registered device.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"appleLink" : {
"title" : "App Store App URL",
"description" : "URL of the app to download on the App Store.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"googleLink" : {
"title" : "Google Play URL",
"description" : "URL of the app to download on Google Play.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/authPushReg/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|
|
|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"bgcolour" : {
"title" : "Background Colour",
"description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"imgUrl" : {
"title" : "Image URL",
"description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"exampleValue" : "http://example.com/image.png"
},
"timeoutInMilliSecconds" : {
"title" : "Registration Response Timeout (ms)",
"description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"issuer" : {
"title" : "Issuer Name",
"description" : "The name of the service as it will appear on the registered device.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"appleLink" : {
"title" : "App Store App URL",
"description" : "URL of the app to download on the App Store.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"googleLink" : {
"title" : "Google Play URL",
"description" : "URL of the app to download on Google Play.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|
|
|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"bgcolour" : {
"title" : "Background Colour",
"description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"imgUrl" : {
"title" : "Image URL",
"description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"exampleValue" : "http://example.com/image.png"
},
"timeoutInMilliSecconds" : {
"title" : "Registration Response Timeout (ms)",
"description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"issuer" : {
"title" : "Issuer Name",
"description" : "The name of the service as it will appear on the registered device.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"appleLink" : {
"title" : "App Store App URL",
"description" : "URL of the app to download on the App Store.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"googleLink" : {
"title" : "Google Play URL",
"description" : "URL of the app to download on Google Play.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|
|
|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"bgcolour" : {
"title" : "Background Colour",
"description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"imgUrl" : {
"title" : "Image URL",
"description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"exampleValue" : "http://example.com/image.png"
},
"timeoutInMilliSecconds" : {
"title" : "Registration Response Timeout (ms)",
"description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"issuer" : {
"title" : "Issuer Name",
"description" : "The name of the service as it will appear on the registered device.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"appleLink" : {
"title" : "App Store App URL",
"description" : "URL of the app to download on the App Store.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"googleLink" : {
"title" : "Google Play URL",
"description" : "URL of the app to download on Google Play.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|
|
|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"bgcolour" : {
"title" : "Background Colour",
"description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"imgUrl" : {
"title" : "Image URL",
"description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"exampleValue" : "http://example.com/image.png"
},
"timeoutInMilliSecconds" : {
"title" : "Registration Response Timeout (ms)",
"description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"issuer" : {
"title" : "Issuer Name",
"description" : "The name of the service as it will appear on the registered device.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"appleLink" : {
"title" : "App Store App URL",
"description" : "URL of the app to download on the App Store.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"googleLink" : {
"title" : "Google Play URL",
"description" : "URL of the app to download on Google Play.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/authSaml
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"reqBinding" : {
"title" : "Request Binding",
"description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"entityName" : {
"title" : "IdP Entity ID",
"description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"loginChain" : {
"title" : "Linking Authentication Chain",
"description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"sloEnabled" : {
"title" : "Single Logout Enabled",
"description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"sloRelay" : {
"title" : "Single Logout URL",
"description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (starting with http:// or https://), or the redirect will not function.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"authComparison" : {
"title" : "Comparison Type",
"description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"nameIdFormat" : {
"title" : "NameID Format",
"description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre>, <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> or <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</pre>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"authnContextDeclRef" : {
"title" : "Authentication Context Declaration Reference",
"description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"binding" : {
"title" : "Response Binding",
"description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"authnContextClassRef" : {
"title" : "Authentication Context Class Reference",
"description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"metaAlias" : {
"title" : "SP MetaAlias",
"description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"isPassive" : {
"title" : "Passive Authentication",
"description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"forceAuthn" : {
"title" : "Force IdP Authentication",
"description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"allowCreate" : {
"title" : "Allow IdP to Create NameID",
"description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
}
}
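The two property schemas above (authPushReg and authSaml) say what each instance must contain, but not how to check a configuration before it is sent or how the create call is shaped for a client-assigned resource ID. The following is an added example, not ForgeRock code and not part of this API descriptor: it validates a candidate configuration against both schemas (every property is required, the integer/string types, the `true`/`false` string flags, the four `authComparison` values, the `/realm_name/SP` MetaAlias form, the fully-qualified `sloRelay`, the pipe-separated context references) and then builds the CREST create request. The `/json/realms/<realm>` base path, the header names, the `https`-only rule for the mobile-app URLs and every sample value are assumptions of this example.

```python
"""Added example (not ForgeRock code, not part of this descriptor): check a module
configuration against the authPushReg and authSaml property schemas above, then
build the CREST create request for a client-assigned ID. The /json/realms/<realm>
base path, the header names and every sample value are assumptions."""
import json
from urllib.parse import urlparse

# Property -> JSON type, taken from the two schemas above (every property is required).
INT, STR = "integer", "string"
AUTH_PUSH_REG_SCHEMA = {"authenticationLevel": INT, "bgcolour": STR, "imgUrl": STR,
    "timeoutInMilliSecconds": INT, "issuer": STR, "appleLink": STR, "googleLink": STR}
AUTH_SAML_SCHEMA = {"authenticationLevel": INT, "entityName": STR, "metaAlias": STR,
    "allowCreate": STR, "loginChain": STR, "authComparison": STR, "authnContextClassRef": STR,
    "authnContextDeclRef": STR, "reqBinding": STR, "binding": STR, "forceAuthn": STR,
    "isPassive": STR, "nameIdFormat": STR, "sloEnabled": STR, "sloRelay": STR}
JSON_TYPES = {INT: int, STR: str}
COMPARISONS = {"better", "exact", "maximum", "minimum"}  # values listed for authComparison
FLAG_KEYS = ("allowCreate", "forceAuthn", "isPassive", "sloEnabled")  # "true"/"false" strings

def schema_errors(schema, config):
    """Presence of every required property, JSON type match, no unknown keys."""
    errors = [f"{n}: missing required property" for n in schema if n not in config]
    for name, value in config.items():
        if name not in schema:
            errors.append(f"{name}: not in schema")
        # bool is a subclass of int in Python, so reject it explicitly for "integer"
        elif isinstance(value, bool) or not isinstance(value, JSON_TYPES[schema[name]]):
            errors.append(f"{name}: expected {schema[name]}")
    return errors

def absolute_url(value, https_only):
    """True for a fully-qualified http(s) URL; optionally insist on https."""
    u = urlparse(value)
    if u.scheme not in ("http", "https") or not u.netloc:
        return False
    return u.scheme == "https" or not https_only

def push_reg_errors(config):
    """authPushReg: schema checks plus constraints a reviewer would add."""
    errors = schema_errors(AUTH_PUSH_REG_SCHEMA, config)
    if errors:
        return errors
    if config["timeoutInMilliSecconds"] <= 0:
        errors.append("timeoutInMilliSecconds: must be positive")
    # The mobile app downloads the logo and opens the store links, so this example
    # insists on https (a hardening choice here; the descriptor only requires a string).
    for key in ("imgUrl", "appleLink", "googleLink"):
        if not absolute_url(config[key], https_only=True):
            errors.append(f"{key}: must be an absolute https URL")
    return errors

def saml_errors(config):
    """authSaml: schema checks plus the value rules stated in the property descriptions."""
    errors = schema_errors(AUTH_SAML_SCHEMA, config)
    if errors:
        return errors
    for key in FLAG_KEYS:
        if config[key] not in ("true", "false"):
            errors.append(f"{key}: must be 'true' or 'false'")
    if config["authComparison"] and config["authComparison"] not in COMPARISONS:
        errors.append("authComparison: must be one of " + ", ".join(sorted(COMPARISONS)))
    parts = config["metaAlias"].split("/")  # expected form /realm_name/SP
    if not (config["metaAlias"].startswith("/") and parts[-1] == "SP" and all(parts[1:-1])):
        errors.append("metaAlias: expected /realm_name/SP")
    if config["sloEnabled"] == "true" and not absolute_url(config["sloRelay"], https_only=False):
        errors.append("sloRelay: must be a fully-qualified URL when sloEnabled is true")
    for key in ("authnContextClassRef", "authnContextDeclRef"):  # pipe-separated lists
        if config[key] and any(not ref.strip() for ref in config[key].split("|")):
            errors.append(f"{key}: empty entry in pipe-separated list")
    return errors

def create_request(base, module_type, instance_id, config, realm="root"):
    """CREST create with a client-assigned ID: PUT with If-None-Match: * so an existing
    instance is never silently overwritten. Path layout and header names are assumed."""
    url = (f"{base}/json/realms/{realm}/realm-config/authentication/modules/"
           f"{module_type}/{instance_id}")
    headers = {"Content-Type": "application/json",
               "Accept-API-Version": "resource=1.0",  # version shown for these endpoints
               "If-None-Match": "*",
               "iPlanetDirectoryPro": "<admin SSO token>"}  # placeholder; default cookie name
    return {"method": "PUT", "url": url, "headers": headers, "body": json.dumps(config)}

# Constructed sample instances (not real deployment values).
SAMPLE_PUSH_REG = {"authenticationLevel": 10, "bgcolour": "#ffffff",
    "imgUrl": "https://example.com/logo.png", "timeoutInMilliSecconds": 120000,
    "issuer": "Example Corp", "appleLink": "https://apps.apple.com/app/id000000000",
    "googleLink": "https://play.google.com/store/apps/details?id=com.example.auth"}
SAMPLE_SAML = {"authenticationLevel": 5, "entityName": "https://idp.example.com/metadata",
    "metaAlias": "/myrealm/SP", "allowCreate": "true", "loginChain": "ldapService",
    "authComparison": "exact", "authnContextDeclRef": "",
    "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "reqBinding": "HTTP-Redirect", "binding": "HTTP-POST", "forceAuthn": "true",
    "isPassive": "false", "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "sloEnabled": "true", "sloRelay": "https://sp.example.com/logged-out"}
```

Run `push_reg_errors(SAMPLE_PUSH_REG)` or `saml_errors(SAMPLE_SAML)` and send the request only when the list is empty; `create_request("https://am.example.com", "authSaml", "saml-idp1", SAMPLE_SAML)` then yields the PUT. The `If-None-Match: *` header is what turns a PUT on a client-assigned ID into a create rather than an update, which matters when scripts run more than once against the same realm. Note that the boolean-valued properties (`allowCreate`, `forceAuthn`, `isPassive`, `sloEnabled`) are typed as strings in the descriptor, so a JSON `true` would be rejected and the checks above expect the literal strings.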
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"reqBinding" : {
"title" : "Request Binding",
"description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"entityName" : {
"title" : "IdP Entity ID",
"description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"loginChain" : {
"title" : "Linking Authentication Chain",
"description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"sloEnabled" : {
"title" : "Single Logout Enabled",
"description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"sloRelay" : {
"title" : "Single Logout URL",
"description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (starting with http:// or https://), or the redirect will not function.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"authComparison" : {
"title" : "Comparison Type",
"description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"nameIdFormat" : {
"title" : "NameID Format",
"description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre>, <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> or <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</pre>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"authnContextDeclRef" : {
"title" : "Authentication Context Declaration Reference",
"description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"binding" : {
"title" : "Response Binding",
"description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"authnContextClassRef" : {
"title" : "Authentication Context Class Reference",
"description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"metaAlias" : {
"title" : "SP MetaAlias",
"description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"isPassive" : {
"title" : "Passive Authentication",
"description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"forceAuthn" : {
"title" : "Force IdP Authentication",
"description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"allowCreate" : {
"title" : "Allow IdP to Create NameID",
"description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/authSaml/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|
|
|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"reqBinding" : {
"title" : "Request Binding",
"description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"entityName" : {
"title" : "IdP Entity ID",
"description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"loginChain" : {
"title" : "Linking Authentication Chain",
"description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"sloEnabled" : {
"title" : "Single Logout Enabled",
"description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"sloRelay" : {
"title" : "Single Logout URL",
"description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (starting with http:// or https://), or the redirect will not function.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"authComparison" : {
"title" : "Comparison Type",
"description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"nameIdFormat" : {
"title" : "NameID Format",
"description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre>, <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> or <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</pre>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"authnContextDeclRef" : {
"title" : "Authentication Context Declaration Reference",
"description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"binding" : {
"title" : "Response Binding",
"description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"authnContextClassRef" : {
"title" : "Authentication Context Class Reference",
"description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"metaAlias" : {
"title" : "SP MetaAlias",
"description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"isPassive" : {
"title" : "Passive Authentication",
"description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"forceAuthn" : {
"title" : "Force IdP Authentication",
"description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"allowCreate" : {
"title" : "Allow IdP to Create NameID",
"description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|
|
|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"reqBinding" : {
"title" : "Request Binding",
"description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"entityName" : {
"title" : "IdP Entity ID",
"description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"loginChain" : {
"title" : "Linking Authentication Chain",
"description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"sloEnabled" : {
"title" : "Single Logout Enabled",
"description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"sloRelay" : {
"title" : "Single Logout URL",
"description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (start with http...), or the redirect will not function.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"authComparison" : {
"title" : "Comparison Type",
"description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"nameIdFormat" : {
"title" : "NameID Format",
"description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</pre>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"authnContextDeclRef" : {
"title" : "Authentication Context Declaration Reference",
"description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"binding" : {
"title" : "Response Binding",
"description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"authnContextClassRef" : {
"title" : "Authentication Context Class Reference",
"description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"metaAlias" : {
"title" : "SP MetaAlias",
"description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"isPassive" : {
"title" : "Passive Authentication",
"description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"forceAuthn" : {
"title" : "Force IdP Authentication",
"description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"allowCreate" : {
"title" : "Allow IdP to Create NameID",
"description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"reqBinding" : {
"title" : "Request Binding",
"description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"entityName" : {
"title" : "IdP Entity ID",
"description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"loginChain" : {
"title" : "Linking Authentication Chain",
"description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"sloEnabled" : {
"title" : "Single Logout Enabled",
"description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"sloRelay" : {
"title" : "Single Logout URL",
"description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (start with http...), or the redirect will not function.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"authComparison" : {
"title" : "Comparison Type",
"description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"nameIdFormat" : {
"title" : "NameID Format",
"description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</pre>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"authnContextDeclRef" : {
"title" : "Authentication Context Declaration Reference",
"description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"binding" : {
"title" : "Response Binding",
"description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"authnContextClassRef" : {
"title" : "Authentication Context Class Reference",
"description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"metaAlias" : {
"title" : "SP MetaAlias",
"description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"isPassive" : {
"title" : "Passive Authentication",
"description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"forceAuthn" : {
"title" : "Force IdP Authentication",
"description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"allowCreate" : {
"title" : "Allow IdP to Create NameID",
"description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"reqBinding" : {
"title" : "Request Binding",
"description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"entityName" : {
"title" : "IdP Entity ID",
"description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"loginChain" : {
"title" : "Linking Authentication Chain",
"description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"sloEnabled" : {
"title" : "Single Logout Enabled",
"description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"sloRelay" : {
"title" : "Single Logout URL",
"description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (start with http...), or the redirect will not function.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"authComparison" : {
"title" : "Comparison Type",
"description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"nameIdFormat" : {
"title" : "NameID Format",
"description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</pre>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"authnContextDeclRef" : {
"title" : "Authentication Context Declaration Reference",
"description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"binding" : {
"title" : "Response Binding",
"description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"authnContextClassRef" : {
"title" : "Authentication Context Class Reference",
"description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"metaAlias" : {
"title" : "SP MetaAlias",
"description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"isPassive" : {
"title" : "Passive Authentication",
"description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"forceAuthn" : {
"title" : "Force IdP Authentication",
"description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"allowCreate" : {
"title" : "Allow IdP to Create NameID",
"description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/authSocialInstagram
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. It must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the users authenticated in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
}
}
}
/realm-config/authentication/modules/authSocialInstagram/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. It must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the users authenticated in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper. It must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the users authenticated in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
}
}
}
/realm-config/authentication/modules/authSocialOAuth2
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2600,
"required" : true,
"type" : "boolean"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2600,
"required" : true,
"type" : "boolean"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
}
}
}
}
}
/realm-config/authentication/modules/authSocialOAuth2/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2600,
"required" : true,
"type" : "boolean"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2600,
"required" : true,
"type" : "boolean"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2600,
"required" : true,
"type" : "boolean"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper.<br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2600,
"required" : true,
"type" : "boolean"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper.<br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
}
}
}
}
}
/realm-config/authentication/modules/authSocialOpenID
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email openid"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 3,
"properties" : {
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
}
}
},
"openId" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 1,
"properties" : {
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 2,
"properties" : {
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the local account from the attributes produced by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, every user authenticated by the OAuth 2.0 Provider is mapped to the single anonymous user configured in the next parameter.<br/>If not selected, authenticated users are mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
}
}
}
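The Account Mapper, Account Mapper Configuration and Attribute Mapper Configuration settings above describe a three-step pipeline (map the provider's response, search the local store, optionally provision) without showing it in motion. The following is an added example, not AM's own code: a small Python re-implementation of those semantics run over a constructed userinfo response and a constructed local user store. The reading of the mapper spec `Class|attrs|prefix` as "prefix the listed local attributes, `*` for all" is an assumption made for this illustration, as are every sample value, the `LOCAL_STORE` dictionary and the function names.

```python
"""Added example (not AM code): Account Mapper -> Account Provider -> dynamic
creation, as the Account Provisioning settings describe. The spec semantics
"Class|attrs|prefix" (attrs comma-separated, "*" for all) and all sample data
are assumptions for this illustration."""
from typing import Dict, Optional, Set, Tuple

# Constructed userinfo response, shaped like an OpenID Connect provider's.
SAMPLE_USERINFO = {
    "sub": "10769150350006150715113082367",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "jane.doe@example.com",
    "email_verified": True,
}

# Constructed local data store: uid -> profile attributes.
LOCAL_STORE = {
    "google-10769150350006150715113082367": {
        "uid": "google-10769150350006150715113082367",
        "mail": "jane.doe@example.com", "cn": "Jane Doe"},
    # A pre-existing local account that happens to share the email address.
    "jdoe": {"uid": "jdoe", "mail": "jane.doe@example.com", "cn": "J. Doe"},
}

ACCOUNT_MAPPER = "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
ACCOUNT_MAPPING = ["sub=uid"]
ATTRIBUTE_MAPPING = "given_name=givenName family_name=sn name=cn email=mail sub=uid"


def parse_mapping(entries) -> Dict[str, str]:
    """'remote=local' entries (a list, or one space-separated string as in the
    exampleValue) -> {remote: local}; anything else is a configuration error."""
    if isinstance(entries, str):
        entries = entries.split()
    mapping: Dict[str, str] = {}
    for entry in entries:
        remote, sep, local = entry.partition("=")
        if not sep or not remote.strip() or not local.strip():
            raise ValueError(f"bad mapping entry {entry!r}")
        mapping[remote.strip()] = local.strip()
    return mapping


def parse_mapper_spec(spec: str) -> Tuple[str, Set[str], str]:
    """'Class|attrs|prefix' -> (class, local attrs to prefix, prefix). Assumed semantics."""
    parts = spec.split("|")
    attrs = set(filter(None, parts[1].split(","))) if len(parts) > 1 else set()
    prefix = parts[2] if len(parts) > 2 else ""
    return parts[0], attrs, prefix


def map_attributes(userinfo: dict, mapping: Dict[str, str],
                   prefixed: Set[str], prefix: str) -> Dict[str, Set[str]]:
    """Apply the mapping to a userinfo object, prefixing the selected local
    attributes. Remote attributes absent from the response are skipped."""
    out: Dict[str, Set[str]] = {}
    for remote, local in mapping.items():
        if remote not in userinfo:
            continue
        value = str(userinfo[remote])
        if "*" in prefixed or local in prefixed:
            value = prefix + value
        out.setdefault(local, set()).add(value)
    return out


def find_account(store: dict, search: Dict[str, Set[str]]) -> Optional[str]:
    """Account provider step: the single local user matching every mapped search
    attribute. None when nobody matches; an error when more than one does, since
    linking a federated login to an ambiguous account puts one user in another's session."""
    if not search:
        raise ValueError("empty search attributes; refusing to match every user")
    matches = [uid for uid, profile in store.items()
               if all(profile.get(k) in vals for k, vals in search.items())]
    if len(matches) > 1:
        raise LookupError(f"ambiguous account match: {matches}")
    return matches[0] if matches else None


def resolve_login(userinfo: dict, account_mapper: str = ACCOUNT_MAPPER,
                  account_mapping=ACCOUNT_MAPPING, create_account: bool = False) -> Optional[str]:
    """Run the pipeline; with create_account (the 'Create account if it does not
    exist' flag) a missing user is provisioned from the Attribute Mapper output."""
    _cls, prefixed, prefix = parse_mapper_spec(account_mapper)
    search = map_attributes(userinfo, parse_mapping(account_mapping), prefixed, prefix)
    uid = find_account(LOCAL_STORE, search)
    if uid is None and create_account and "uid" in search:
        uid = next(iter(search["uid"]))
        attrs = map_attributes(userinfo, parse_mapping(ATTRIBUTE_MAPPING), prefixed, prefix)
        LOCAL_STORE[uid] = {k: next(iter(v)) for k, v in attrs.items()}
    return uid


if __name__ == "__main__":
    print(resolve_login(SAMPLE_USERINFO))  # the prefixed Google subject
```

The point of keying the account search on `sub` with a provider prefix, rather than on `email`, is visible in `find_account`: two local accounts can legitimately share an address, and a mapping such as `email=mail` then either links the social login to the wrong account or must refuse, whereas the issuer-scoped `sub` is stable and, once prefixed, cannot collide with a local `uid` or with another provider's subject identifier.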
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Name of the attribute in the provider's response by which the authorization server identifies the user; for OpenID Connect this is the <code>sub</code> claim.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client authenticates to the social auth provider's token endpoint with HTTP Basic authentication, presenting the client_id and client_secret as described in <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1; when disabled, they are sent as parameters in the request body instead. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of access scopes to request<br><br>In the OAuth 2.0 Authorization Framework (<a href=\"http://tools.ietf.org/html/rfc6749#section-3.3\" target=\"_blank\">RFC 6749</a>, section 3.3) scope is a space-delimited list of access scopes; for social login these name the user profile data the client application requires. What is actually granted depends on the permissions that the resource owner gives the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list; see the Scope Delimiter setting.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email openid"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. The value must exactly match the <code>iss</code> claim of the issued ID Token,<br/>e.g. https://accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 3,
"properties" : {
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address that the messages will be sent from",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
}
}
},
"openId" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 1,
"properties" : {
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 2,
"properties" : {
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the local account from the attributes produced by the Account Mapper. The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, every user authenticated by the OAuth 2.0 Provider is mapped to the single anonymous user configured in the next parameter.<br/>If not selected, authenticated users are mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
}
}
}
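The OpenID Connect validation, Token Issuer, Subject Property and Mix-Up Mitigation settings in the schema above together specify what must be checked before a provider's response is trusted, but the schema only names the checks. The following is an added example, not AM's own code, showing them for the `client_secret` validation type (ID token signed with HS256 under the Client Secret): algorithm pinning, signature verification, exact `iss` match against the configured Token Issuer, `aud`/`azp` against the Client Id, `exp`/`iat`, a present `sub`, and the mix-up check on the authorization response parameters defined in the draft the page links. The secret, issuer, client id, subject and the fixed clock `NOW` are all constructed, and the function names are this example's own.

```python
"""Added example (not AM code): ID token and authorization-response validation
for the client_secret (HS256) configuration type. Secret, issuer, client id and
clock below are constructed so the example is deterministic and runs offline."""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

CLIENT_ID = "rp-client-id"                       # core.clientId (constructed)
CLIENT_SECRET = "correct horse battery staple"   # core.clientSecret (constructed)
ISSUER_NAME = "https://accounts.example.com"     # core.issuerName (constructed)
NOW = 1_700_000_000                              # fixed clock (constructed)


class IdTokenError(Exception):
    """Any validation failure; the module would fail the login, not fall back."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _hs256(secret: str, signing_input: bytes) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def make_id_token(claims: dict, secret: str, alg: str = "HS256") -> str:
    """Mint a token as a provider signing with the client secret would (demo
    only). alg is a parameter so a forged 'none' token can be built for testing."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = _hs256(secret, f"{header}.{payload}".encode()) if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, secret: str, issuer_name: str, client_id: str,
                      now: int = NOW, leeway: int = 60) -> dict:
    """Verify alg, signature, iss, aud/azp, exp, iat and sub; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm to what the configuration type implies; honouring whatever
    # 'alg' the token announces (including 'none') is the classic JWT mistake.
    if header.get("alg") != "HS256":
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    if not hmac.compare_digest(_hs256(secret, f"{h64}.{p64}".encode()), _b64url_decode(s64)):
        raise IdTokenError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    # Token Issuer: exact string comparison, no host or prefix heuristics.
    if claims.get("iss") != issuer_name:
        raise IdTokenError(f"iss {claims.get('iss')!r} != configured {issuer_name!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        raise IdTokenError("token was not issued for this client")
    if len(auds) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multiple audiences but azp is not this client")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now > exp + leeway:
        raise IdTokenError("token expired")
    if not isinstance(iat, int) or iat > now + leeway:
        raise IdTokenError("token issued in the future")
    if not claims.get("sub"):  # the Subject Property the account mapper keys on
        raise IdTokenError("missing sub")
    return claims


def check_authorization_response(redirect_url: str, issuer_name: str, client_id: str) -> dict:
    """Mix-up mitigation as in the linked draft: the authorization response carries
    iss and client_id, and both must match the provider this module is configured
    for before the code is redeemed at that provider's token endpoint."""
    params = parse_qs(urlsplit(redirect_url).query)
    if params.get("iss") != [issuer_name]:
        raise IdTokenError(f"response iss {params.get('iss')} != configured {issuer_name!r}")
    if params.get("client_id") != [client_id]:
        raise IdTokenError("response client_id is not this client")
    if "code" not in params or "state" not in params:
        raise IdTokenError("response missing code or state")
    return {"code": params["code"][0], "state": params["state"][0]}


def id_token_accepted(token: str, issuer_name: str = ISSUER_NAME, client_id: str = CLIENT_ID) -> bool:
    """Convenience predicate over validate_id_token with the constructed settings."""
    try:
        validate_id_token(token, CLIENT_SECRET, issuer_name, client_id)
        return True
    except IdTokenError:
        return False
```

Note what the issuer check buys: a token minted by a different authorization server that happens to know the same client secret (the mix-up scenario) still carries its own `iss`, so an exact comparison against the configured Token Issuer rejects it, which is why the page says the issuer MUST be set when mitigation is enabled.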
/realm-config/authentication/modules/authSocialOpenID/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Name of the attribute in the provider's response by which the authorization server identifies the user; for OpenID Connect this is the <code>sub</code> claim.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client authenticates to the social auth provider's token endpoint with HTTP Basic authentication, presenting the client_id and client_secret as described in <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1; when disabled, they are sent as parameters in the request body instead. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of access scopes to request<br><br>In the OAuth 2.0 Authorization Framework (<a href=\"http://tools.ietf.org/html/rfc6749#section-3.3\" target=\"_blank\">RFC 6749</a>, section 3.3) scope is a space-delimited list of access scopes; for social login these name the user profile data the client application requires. What is actually granted depends on the permissions that the resource owner gives the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list; see the Scope Delimiter setting.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email openid"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. The value must exactly match the <code>iss</code> claim of the issued ID Token,<br/>e.g. https://accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 3,
"properties" : {
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address that the messages will be sent from",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
}
}
},
"openId" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 1,
"properties" : {
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 2,
"properties" : {
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the local account from the attributes produced by the Account Mapper.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, users authenticated by the OAuth 2.0 Provider are mapped to the anonymous user configured in the next parameter.<br/>If not selected, authenticated users are mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
}
}
}
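The Account Mapper and Attribute Mapper settings in the schema above combine a mapper class spec (`fqcn|param|param`) with a list of `remote=local` pairs. The following walk-through is an added example for this page, not code from AM/OpenAM: it parses both formats and applies them to a constructed user-info document. The meaning it gives to the `JsonAttributeMapper` constructor parameters (a comma-separated list of local attributes to prefix, or `*` for all of them, followed by the prefix string) is an assumption inferred from the schema's example values, not a documented contract.

```python
"""Walk-through of the Account Mapper / Attribute Mapper settings above.

Added example for this page; not code from AM/OpenAM. The meaning given to the
JsonAttributeMapper constructor parameters ("<attrs>|<prefix>": a comma-separated
list of local attributes to prefix, "*" for all of them, then the prefix) is an
assumption inferred from the schema's example values.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample of what a provider's user-profile endpoint might return.
SAMPLE_USERINFO = json.loads("""{
  "sub": "1234567890",
  "name": "Ada Lovelace",
  "given_name": "Ada",
  "family_name": "Lovelace",
  "email": "ada@example.com"
}""")


def parse_mapping(entries: List[str]) -> Dict[str, str]:
    """Parse ["given_name=givenName", "email=mail", ...] into {remote: local}.

    An entry may also hold several space-separated pairs, as in the schema's
    exampleValue. Malformed pairs are rejected rather than silently dropped.
    """
    mapping: Dict[str, str] = {}
    for entry in entries:
        for pair in entry.split():
            remote, sep, local = pair.partition("=")
            if not sep or not remote or not local:
                raise ValueError(f"malformed mapping entry: {pair!r}")
            mapping[remote] = local
    return mapping


def parse_mapper_spec(spec: str) -> Tuple[str, List[str]]:
    """Split "fqcn|param|param" into the class name and its constructor params."""
    cls, *params = spec.split("|")
    return cls, params


def map_attributes(userinfo: dict, mapping: Dict[str, str],
                   ctor_params: List[str]) -> Dict[str, List[str]]:
    """Apply a remote->local mapping to a user-info document.

    Assumed parameter semantics: ctor_params[0] names the local attributes to
    prefix ("*" = all), ctor_params[1] is the prefix. Attributes absent from
    the provider response are skipped rather than mapped to empty values.
    """
    to_prefix = set(ctor_params[0].split(",")) if ctor_params else set()
    prefix = ctor_params[1] if len(ctor_params) > 1 else ""
    result: Dict[str, List[str]] = {}
    for remote, local in mapping.items():
        if remote not in userinfo:
            continue
        value = str(userinfo[remote])
        if prefix and ("*" in to_prefix or local in to_prefix):
            value = prefix + value
        result[local] = [value]
    return result


def account_search_attributes(userinfo: dict, account_mapper_class: str,
                              account_mapper_config: List[str]) -> Dict[str, List[str]]:
    """The attributes the Account Provider would search the local store with."""
    _, params = parse_mapper_spec(account_mapper_class)
    return map_attributes(userinfo, parse_mapping(account_mapper_config), params)


if __name__ == "__main__":
    # Values taken from the schema's exampleValue fields.
    search = account_search_attributes(
        SAMPLE_USERINFO,
        "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-",
        ["sub=uid"])
    print("account search:", search)  # {'uid': ['google-1234567890']}
    _, params = parse_mapper_spec(
        "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-")
    profile = map_attributes(
        SAMPLE_USERINFO,
        parse_mapping(["given_name=givenName family_name=sn name=cn email=mail sub=uid"]),
        params)
    print("profile attributes:", profile)
```

The point of the prefix is visible in the account search result: the provider-controlled `sub` lands in the local store as `google-1234567890`, so it cannot collide with an existing local `uid` and let a social login attach to someone else's account. As general guidance (not stated on this page), avoid keying the account search on attributes the provider does not verify, such as an unverified email address.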
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of access scopes to request<br><br>In the OAuth 2.0 Authorization Framework (RFC 6749, section 3.3), scope is a space-delimited list of access scopes that the client application requests. Which scopes exist, and which user profile attributes each one exposes, is defined by the provider and limited by what the resource owner grants.<br/><br/>Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list; set the Scope Delimiter accordingly.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email openid"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 3,
"properties" : {
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
}
}
},
"openId" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 1,
"properties" : {
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 2,
"properties" : {
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the local account from the attributes produced by the Account Mapper.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, users authenticated by the OAuth 2.0 Provider are mapped to the anonymous user configured in the next parameter.<br/>If not selected, authenticated users are mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
}
}
}
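The Token Issuer, Client Id, Client Secret and Mix-Up Mitigation settings in the core section, together with the OpenID Connect validation configuration, describe what the module must check before it trusts an ID token or an authorization response. The following is an added example for this page, not AM/OpenAM code. It models the third validation configuration type, `client_secret`, under which the ID token is an HS256 JWS keyed with the Client Secret, and the mix-up check from section 3.1 of the cited draft. The discovery-URL and JWK-URL options would verify an asymmetric signature against the provider's published keys instead and are not modelled. The secret, issuer, client_id and claims are constructed placeholders.

```python
"""ID-token and authorization-response checks behind the openId and core
settings above (Token Issuer, Client Id, Client Secret, Mix-Up Mitigation).

Added example for this page, not AM/OpenAM code. Models the client_secret
validation type (HS256 keyed with the Client Secret); the discovery-URL and
JWK-URL types are not modelled. All values below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders standing in for the module's configured values.
CLIENT_ID = "am-social-client"
CLIENT_SECRET = "example-client-secret-do-not-reuse"
ISSUER = "https://accounts.example.com"       # must equal the iss claim exactly


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Mint an HS256 ID token the way a provider using the client_secret would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token: str, secret: str, expected_iss: str, client_id: str,
                      now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable, else raise ValueError.

    Order matters: the algorithm is pinned before the signature is checked, and
    the signature is checked before any claim is trusted.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        # Never let the token choose the algorithm: "none", or an RS256 header
        # verified with a shared secret, are classic bypasses.
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_iss:          # the Token Issuer setting
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:                  # the Client Id setting
        raise ValueError("audience mismatch")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud has several entries")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or exp missing")
    return claims


def rejection_reason(token: str, secret: str, expected_iss: str, client_id: str,
                     now: float) -> Optional[str]:
    """None if the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, secret, expected_iss, client_id, now)
        return None
    except ValueError as err:
        return str(err)


def authz_response_is_from_expected_as(params: dict, expected_iss: str, client_id: str) -> bool:
    """Mix-up mitigation (draft-ietf-oauth-mix-up-mitigation-01, section 3.1):
    the authorization response must carry iss and client_id, and both must
    match the configured Token Issuer and Client Id before the code is redeemed."""
    return params.get("iss") == expected_iss and params.get("client_id") == client_id


if __name__ == "__main__":
    NOW = 1_900_000_000
    good = sign_hs256({"iss": ISSUER, "aud": CLIENT_ID, "sub": "1234567890",
                       "iat": NOW - 60, "exp": NOW + 300}, CLIENT_SECRET)
    print("good token ->", rejection_reason(good, CLIENT_SECRET, ISSUER, CLIENT_ID, NOW))
    forged = sign_hs256({"iss": "https://attacker.example", "aud": CLIENT_ID,
                         "sub": "1234567890", "exp": NOW + 300}, CLIENT_SECRET)
    print("wrong issuer ->", rejection_reason(forged, CLIENT_SECRET, ISSUER, CLIENT_ID, NOW))
    print("mix-up check ->", authz_response_is_from_expected_as(
        {"code": "abc", "state": "xyz", "iss": ISSUER, "client_id": CLIENT_ID}, ISSUER, CLIENT_ID))
```

The issuer comparison is an exact string match, which is why the Token Issuer value has to be written exactly as the provider emits it in `iss` (with or without the `https://` scheme, as the provider does it). With Mix-Up Mitigation enabled, the same configured issuer is also what the authorization response's `iss` parameter is compared against, so the setting must be filled in even when only plain OAuth 2.0 is used.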
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of access scopes to request<br><br>In the OAuth 2.0 Authorization Framework (RFC 6749, section 3.3), scope is a space-delimited list of access scopes that the client application requests. Which scopes exist, and which user profile attributes each one exposes, is defined by the provider and limited by what the resource owner grants.<br/><br/>Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list; set the Scope Delimiter accordingly.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email openid"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 3,
"properties" : {
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
}
}
},
"openId" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 1,
"properties" : {
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 2,
"properties" : {
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "Google"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "sub"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"logoutBehaviour" : {
"title" : "Logout Options",
"description" : "Specify logout behavior.<br><br>The following options are available for logging out of the OAuth 2.0 Provider when the user logs out of AM:<br/><ul><li>prompt: Ask the user whether to log out from the OAuth 2.0 Provider</li><li>logout: Log out from the OAuth 2.0 Provider without asking the user</li><li>donotlogout: Do not log out the user from the OAuth 2.0 Provider</li></ul><br/>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2155,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v4/token"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "profile email openid"
},
"logoutServiceUrl" : {
"title" : "OAuth 2.0 Provider Logout Service",
"description" : "The URL of the Identity Provider's logout service.<br><br>To enable IdP logout, you must also add <code>org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin</code> to the <em>Authentication Post Processing Classes</em> setting. Navigate to Authentication > Settings > Post Authentication Processing.",
"propertyOrder" : 2150,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 2800,
"required" : true,
"type" : "boolean"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth"
},
"issuerName" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string",
"exampleValue" : "https://accounts.google.com"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 3,
"properties" : {
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
}
}
},
"openId" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 1,
"properties" : {
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 2,
"properties" : {
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "sub=uid"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|google-"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array",
"exampleValue" : "given_name=givenName family_name=sn name=cn email=mail sub=uid"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"exampleValue" : "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
}
}
}
/realm-config/authentication/modules/authSocialTwitter
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"requestTokenEndpoint" : {
"title" : "Request Token Endpoint URL",
"description" : "OAuth request token endpoint URL<br><br>This is the URL endpoint for OAuth request token provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"requestTokenEndpoint" : {
"title" : "Request Token Endpoint URL",
"description" : "OAuth request token endpoint URL<br><br>This is the URL endpoint for OAuth request token provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
}
}
}
}
}
/realm-config/authentication/modules/authSocialTwitter/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"requestTokenEndpoint" : {
"title" : "Request Token Endpoint URL",
"description" : "OAuth request token endpoint URL<br><br>This is the URL endpoint for OAuth request token provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"requestTokenEndpoint" : {
"title" : "Request Token Endpoint URL",
"description" : "OAuth request token endpoint URL<br><br>This is the URL endpoint for OAuth request token provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"requestTokenEndpoint" : {
"title" : "Request Token Endpoint URL",
"description" : "OAuth request token endpoint URL<br><br>This is the URL endpoint for OAuth request token provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"requestTokenEndpoint" : {
"title" : "Request Token Endpoint URL",
"description" : "OAuth request token endpoint URL<br><br>This is the URL endpoint for OAuth request token provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
}
}
}
}
}
/realm-config/authentication/modules/authSocialVk
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1605,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1160,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1150,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1625,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1645,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1615,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1610,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1635,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1640,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1630,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1620,
"required" : true,
"type" : "string"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"apiVersion" : {
"title" : "API Version",
"description" : "Specifies the version of the auth server API",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"forgerock-am-auth-socialauthvk-auth-level" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1605,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1160,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1150,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1625,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1645,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1615,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1610,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1635,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1640,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1630,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1620,
"required" : true,
"type" : "string"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"apiVersion" : {
"title" : "API Version",
"description" : "Specifies the version of the auth server API",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"forgerock-am-auth-socialauthvk-auth-level" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
}
}
/realm-config/authentication/modules/authSocialVk/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1605,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1160,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1150,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1625,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1645,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1615,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1610,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1635,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1640,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1630,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1620,
"required" : true,
"type" : "string"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"apiVersion" : {
"title" : "API Version",
"description" : "Specifies the version of the auth server API",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"forgerock-am-auth-socialauthvk-auth-level" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1605,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1160,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1150,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1625,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1645,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1615,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1610,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1635,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1640,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1630,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1620,
"required" : true,
"type" : "string"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"apiVersion" : {
"title" : "API Version",
"description" : "Specifies the version of the auth server API",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"forgerock-am-auth-socialauthvk-auth-level" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1605,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1160,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1150,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1625,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1645,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1615,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1610,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1635,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1640,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1630,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1620,
"required" : true,
"type" : "string"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"apiVersion" : {
"title" : "API Version",
"description" : "Specifies the version of the auth server API",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"forgerock-am-auth-socialauthvk-auth-level" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1605,
"required" : true,
"type" : "boolean"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1160,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1150,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1625,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1645,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1615,
"required" : true,
"type" : "string"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1610,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1635,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1640,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1630,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1620,
"required" : true,
"type" : "string"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"apiVersion" : {
"title" : "API Version",
"description" : "Specifies the version of the auth server API",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"forgerock-am-auth-socialauthvk-auth-level" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
}
}
/realm-config/authentication/modules/authSocialWeChat
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enable anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being set up.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enable anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
/realm-config/authentication/modules/authSocialWeChat/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
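The Create, Read and Update operations on this path share the schema above, and every property in it is marked `required`. The following is an added example written for this page, not part of the OpenAM API or its code: a Python audit that checks a request body against the property list in the schema, parses the documented `OAuth2.0_attribute=local_attribute` mapping entries, and flags the combinations the field descriptions themselves warn about (createAccount taking precedence over mapToAnonymousUser, silent account creation when promptPasswordFlag is off, an activation-code flow with no emailAttribute), plus two transport checks: plain-http endpoints, and client credentials sent in the request body, which RFC 6749 section 2.3.1 marks NOT RECOMMENDED. The idp.example.com hosts, the com.example.* class names and the sample values are constructed placeholders.

```python
"""Audit an authSocialWeChat module body before sending it to AM. Added example:
the checks encode the field descriptions in the schema above, not AM's own
validation; hosts, class names and sample values are constructed placeholders."""
import copy
import re

# Property names per group, copied from the schema; every one is "required": true.
REQUIRED = {
    "core": "authorizeEndpoint userInfoEndpoint tokenEndpoint clientSecret provider ssoProxyUrl "
            "subjectProperty authenticationLevel scopeDelimiter usesBasicAuth scope clientId".split(),
    "emailSettings": "smtpSslEnabled smtpFromAddress emailAttribute smtpPort smtpUsername "
                     "emailGateway smtpPassword smtpHost".split(),
    "accountProvisioning": "enableRegistrationService saveAttributesInSession mapToAnonymousUser "
                           "attributeMappingClasses accountProviderClass anonymousUserName "
                           "promptPasswordFlag accountMapperClass accountMapperConfiguration "
                           "createAccount attributeMapperConfiguration".split(),
}
# Documented mapping form: OAuth2.0_attribute=local_attribute, one entry per list item.
MAPPING_RE = re.compile(r"^([^=\s]+)=([^=\s]+)$")
JSON_MAPPER = "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper"


def parse_mappings(entries):
    """Turn ['remote=local', ...] into a dict; reject entries that are not key=value."""
    mapping = {}
    for entry in entries:
        m = MAPPING_RE.match(entry)
        if m is None:
            raise ValueError(f"malformed mapping entry: {entry!r}")
        mapping[m.group(1)] = m.group(2)
    return mapping


def audit(body):
    """Return a list of findings; an empty list means the body passed every check."""
    findings = []
    for group, names in REQUIRED.items():
        present = body.get(group, {})
        findings += [f"missing {group}.{name}" for name in names if name not in present]
    core, prov, mail = (body.get(k, {}) for k in ("core", "accountProvisioning", "emailSettings"))
    # Authorization codes, access tokens and profile data travel over these URLs.
    for key in ("authorizeEndpoint", "tokenEndpoint", "userInfoEndpoint"):
        if key in core and not core[key].startswith("https://"):
            findings.append(f"{key} is not https: {core[key]}")
    for key in ("accountMapperConfiguration", "attributeMapperConfiguration"):
        try:
            parse_mappings(prov.get(key, []))
        except ValueError as exc:
            findings.append(f"{key}: {exc}")
    # Provisioning flags, following the precedence stated in the descriptions.
    if prov.get("createAccount") and not prov.get("promptPasswordFlag"):
        findings.append("createAccount without promptPasswordFlag: an account is created "
                        "silently for any identity the provider asserts")
    if prov.get("createAccount") and prov.get("promptPasswordFlag") and not mail.get("emailAttribute"):
        findings.append("promptPasswordFlag needs emailAttribute to deliver the activation code")
    if prov.get("mapToAnonymousUser") and prov.get("createAccount"):
        findings.append("mapToAnonymousUser is ignored because createAccount takes precedence")
    # Client authentication and mail transport.
    if core.get("usesBasicAuth") is False:
        findings.append("usesBasicAuth is off: client_secret goes in the request body, "
                        "which RFC 6749 section 2.3.1 marks NOT RECOMMENDED")
    if mail.get("smtpPassword") and not mail.get("smtpSslEnabled"):
        findings.append("smtpPassword is set but smtpSslEnabled is off")
    return findings


def weak_body():
    """Constructed sample carrying several of the problems above."""
    return {
        "core": {"authorizeEndpoint": "https://idp.example.com/oauth2/authorize",
                 "userInfoEndpoint": "https://idp.example.com/oauth2/userinfo",
                 "tokenEndpoint": "http://idp.example.com/oauth2/token",  # plain http
                 "clientSecret": "example-secret", "provider": "wechat", "subjectProperty": "id",
                 "ssoProxyUrl": "/openam/oauth2c/OAuthProxy.jsp", "authenticationLevel": 0,
                 "scopeDelimiter": " ", "usesBasicAuth": False, "scope": ["profile"],
                 "clientId": "example-client"},
        "emailSettings": {"smtpSslEnabled": False, "smtpFromAddress": "info@forgerock.com",
                          "emailAttribute": "", "smtpPort": "25", "smtpUsername": "mailer",
                          "emailGateway": "com.example.MailGateway", "smtpPassword": "mail-secret",
                          "smtpHost": "smtp.example.com"},
        "accountProvisioning": {"enableRegistrationService": False, "saveAttributesInSession": True,
                                "mapToAnonymousUser": True, "anonymousUserName": "anonymous",
                                "attributeMappingClasses": [JSON_MAPPER], "accountMapperClass": JSON_MAPPER,
                                "accountProviderClass": "com.example.AccountProvider",
                                "promptPasswordFlag": False, "createAccount": True,
                                "accountMapperConfiguration": ["id=uid"],
                                "attributeMapperConfiguration": ["nickname=cn", "bad entry"]},
    }


def hardened_body():
    """The same body with every finding addressed."""
    body = copy.deepcopy(weak_body())
    body["core"].update(tokenEndpoint="https://idp.example.com/oauth2/token", usesBasicAuth=True)
    body["emailSettings"].update(smtpSslEnabled=True, emailAttribute="email")
    body["accountProvisioning"].update(mapToAnonymousUser=False, promptPasswordFlag=True,
                                       attributeMapperConfiguration=["nickname=cn"])
    return body
```

Run `audit()` on the body you intend to send; `audit(weak_body())` returns six findings and `audit(hardened_body())` returns none. The https and Basic-auth checks are transport hygiene; the flag checks only restate the precedence the descriptions document, so extend them to match how the realm's Authentication Service is set (for instance whether Ignore Profile is on).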
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
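The Core group of this schema fixes what the module sends to the provider: the Scope list joined with Scope Delimiter on the front-channel redirect to authorizeEndpoint, and, on the back-channel call to tokenEndpoint, the client credentials either as an HTTP Basic header (Use Basic Auth on) or in the form body. The following is an added example written for this page, not AM's own client code: it builds both messages as RFC 6749 sections 2.3.1, 3.2 and 4.1 describe them, and includes the provider-side decode so the form-encoding step that 2.3.1 requires before base64 is visible. The idp.example.com and am.example.com hosts, the credentials, and the assumption that the redirect URI registered with the provider is the proxy JSP URL are constructed for the example.

```python
"""What Scope, Scope Delimiter, Use Basic Auth and the endpoint URLs turn into on the wire.

Added example illustrating RFC 6749 (sections 2.3.1, 3.2, 4.1), not AM's client code.
Hosts, credentials and the redirect URI are constructed placeholders.
"""
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus, urlencode


def authorization_url(core, redirect_uri, state):
    """Front-channel redirect to authorizeEndpoint; scope joined with the configured delimiter."""
    params = {
        "response_type": "code",
        "client_id": core["clientId"],
        "redirect_uri": redirect_uri,
        "scope": core["scopeDelimiter"].join(core["scope"]),
        "state": state,  # anti-CSRF value the client must verify when the code comes back
    }
    return core["authorizeEndpoint"] + "?" + urlencode(params)


def basic_authorization(client_id, client_secret):
    """RFC 6749 2.3.1: form-urlencode each credential, join with ':', base64 the result.

    Encoding first is what keeps a ':' or '+' inside the secret unambiguous.
    """
    cred = quote_plus(client_id, safe="") + ":" + quote_plus(client_secret, safe="")
    return "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")


def token_request(core, code, redirect_uri):
    """Back-channel code exchange at tokenEndpoint (RFC 6749 3.2 and 4.1.3)."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if core["usesBasicAuth"]:
        headers["Authorization"] = basic_authorization(core["clientId"], core["clientSecret"])
    else:
        # Allowed by the RFC but NOT RECOMMENDED: the secret rides in the form body.
        body["client_id"] = core["clientId"]
        body["client_secret"] = core["clientSecret"]
    return {"url": core["tokenEndpoint"], "headers": headers, "body": urlencode(body)}


def server_check_basic(header, expected_id, expected_secret):
    """Provider-side inverse of basic_authorization, with a constant-time secret compare."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        decoded = base64.b64decode(blob, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    enc_id, sep, enc_secret = decoded.partition(":")  # first ':' is the separator
    if not sep:
        return False
    return (unquote_plus(enc_id) == expected_id and
            hmac.compare_digest(unquote_plus(enc_secret).encode(), expected_secret.encode()))


# Constructed "core" section shaped like the schema's Core group.
CORE = {
    "authorizeEndpoint": "https://idp.example.com/oauth2/authorize",
    "tokenEndpoint": "https://idp.example.com/oauth2/token",
    "userInfoEndpoint": "https://idp.example.com/oauth2/userinfo",
    "clientId": "my client",        # the space shows why encoding matters
    "clientSecret": "p@ss:w0rd+1",  # ':' and '+' inside the secret
    "provider": "wechat", "ssoProxyUrl": "/openam/oauth2c/OAuthProxy.jsp",
    "subjectProperty": "id", "authenticationLevel": 0,
    "scopeDelimiter": ",",          # a provider that takes comma-separated scopes
    "usesBasicAuth": True, "scope": ["profile", "email"],
}
# Assumed: the redirect URI registered with the provider is the GET-to-POST proxy JSP.
REDIRECT_URI = "https://am.example.com/openam/oauth2c/OAuthProxy.jsp"
```

With `usesBasicAuth` on, `token_request(CORE, code, REDIRECT_URI)` carries the secret only in the Authorization header, and `server_check_basic` recovers `p@ss:w0rd+1` intact because both sides apply the form-encoding step before and after base64. Flip `usesBasicAuth` to False and the same secret appears in the form body as `client_secret=p%40ss%3Aw0rd%2B1`; the RFC permits that but marks it NOT RECOMMENDED.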
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"authorizeEndpoint" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"tokenEndpoint" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"scopeDelimiter" : {
"title" : "Scope Delimiter",
"description" : "Delimiter used to separate scope values. Default value is space.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"usesBasicAuth" : {
"title" : "Use Basic Auth",
"description" : "When enabled, the client will use basic auth for authenticating with the social auth provider. Enabled by default.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
}
}
},
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
/realm-config/authentication/modules/authSocialWeChatMobile
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
}
}
}
}
}
/realm-config/authentication/modules/authSocialWeChatMobile/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accountProvisioning" : {
"type" : "object",
"title" : "Account Provisioning",
"propertyOrder" : 1,
"properties" : {
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 2400,
"required" : true,
"type" : "boolean"
},
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"promptPasswordFlag" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1905,
"required" : true,
"type" : "boolean"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1360,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"enableRegistrationService" : {
"title" : "Use IDM as Registration Service",
"description" : "Whether to use IDM as an external Registration Service to complete registration for new users.<br><br>IDM is called and passed these parameters:<br/><br/><ul><li><code>clientToken</code>: Signed, encrypted JWT of the OAuth 2.0 authentication state.</li><li><code>returnParams</code>: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.</li></ul>",
"propertyOrder" : 1350,
"required" : true,
"type" : "boolean"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
}
}
},
"core" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"provider" : {
"title" : "Social Provider",
"description" : "Social Provider for which this module is being setup.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/>",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userInfoEndpoint" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"subjectProperty" : {
"title" : "Subject Property",
"description" : "Property used to identify which attribute an auth server identifies a user by.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
},
"emailSettings" : {
"type" : "object",
"title" : "Email",
"propertyOrder" : 2,
"properties" : {
"emailAttribute" : {
"title" : "Email attribute in the Response",
"description" : "Attribute from the response used to send activation code emails.<br><br>The attribute in the response from the profile service of the Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1910,
"required" : true,
"type" : "string"
},
"emailGateway" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 1915,
"required" : true,
"type" : "string"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 1940,
"required" : true,
"type" : "boolean"
},
"smtpPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 1925,
"required" : true,
"type" : "string"
},
"smtpHost" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 1920,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 1945,
"required" : true,
"type" : "string",
"exampleValue" : "info@forgerock.com"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 1935,
"required" : true,
"type" : "string",
"format" : "password"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 1930,
"required" : true,
"type" : "string"
}
}
}
}
}
/realm-config/authentication/modules/authenticatoroath
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"oathIssuerName" : {
"title" : "Name of the Issuer",
"description" : "Name to identify the OTP issuer.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "ForgeRock"
},
"totpTimeStepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 1 time steps and a time step interval of 30 seconds the server will allow a code between the previous code, the current code and the next code.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"passwordLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"addChecksumToOtpEnabled" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"frOathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
},
"totpTimeStepInterval" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"totpMaximumClockDrift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"oathIssuerName" : {
"title" : "Name of the Issuer",
"description" : "Name to identify the OTP issuer.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "ForgeRock"
},
"totpTimeStepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 1 time steps and a time step interval of 30 seconds the server will allow a code between the previous code, the current code and the next code.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"passwordLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"addChecksumToOtpEnabled" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"frOathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
},
"totpTimeStepInterval" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"totpMaximumClockDrift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window by which the OTP device counter and the server counter may be out of sync. For example, if the window size is 100 and the server's last successful login was at counter value 2, then the server will accept an OTP from the OTP device generated at any device counter from 3 to 102.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. It should be left at the default unless you know your device uses an offset.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/authenticatoroath/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"oathIssuerName" : {
"title" : "Name of the Issuer",
"description" : "Name to identify the OTP issuer.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "ForgeRock"
},
"totpTimeStepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving an OTP.<br><br>This is the number of time step intervals to check the received OTP against, both forward and back in time. For example, with 1 time step and a time step interval of 30 seconds the server will accept the previous code, the current code and the next code.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"passwordLength" : {
"title" : "One Time Password Length",
"description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"addChecksumToOtpEnabled" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"frOathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. The minimum is 1, the maximum is 10, and the default is 3.",
"required" : true,
"type" : "integer"
},
"totpTimeStepInterval" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"totpMaximumClockDrift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window by which the OTP device counter and the server counter may be out of sync. For example, if the window size is 100 and the server's last successful login was at counter value 2, then the server will accept an OTP from the OTP device generated at any device counter from 3 to 102.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. It should be left at the default unless you know your device uses an offset.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"oathIssuerName" : {
"title" : "Name of the Issuer",
"description" : "Name to identify the OTP issuer.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "ForgeRock"
},
"totpTimeStepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving an OTP.<br><br>This is the number of time step intervals to check the received OTP against, both forward and back in time. For example, with 1 time step and a time step interval of 30 seconds the server will accept the previous code, the current code and the next code.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"passwordLength" : {
"title" : "One Time Password Length",
"description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"addChecksumToOtpEnabled" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"frOathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. The minimum is 1, the maximum is 10, and the default is 3.",
"required" : true,
"type" : "integer"
},
"totpTimeStepInterval" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"totpMaximumClockDrift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window by which the OTP device counter and the server counter may be out of sync. For example, if the window size is 100 and the server's last successful login was at counter value 2, then the server will accept an OTP from the OTP device generated at any device counter from 3 to 102.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. It should be left at the default unless you know your device uses an offset.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"oathIssuerName" : {
"title" : "Name of the Issuer",
"description" : "Name to identify the OTP issuer.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "ForgeRock"
},
"totpTimeStepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving an OTP.<br><br>This is the number of time step intervals to check the received OTP against, both forward and back in time. For example, with 1 time step and a time step interval of 30 seconds the server will accept the previous code, the current code and the next code.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"passwordLength" : {
"title" : "One Time Password Length",
"description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"addChecksumToOtpEnabled" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"frOathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. The minimum is 1, the maximum is 10, and the default is 3.",
"required" : true,
"type" : "integer"
},
"totpTimeStepInterval" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"totpMaximumClockDrift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window by which the OTP device counter and the server counter may be out of sync. For example, if the window size is 100 and the server's last successful login was at counter value 2, then the server will accept an OTP from the OTP device generated at any device counter from 3 to 102.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. It should be left at the default unless you know your device uses an offset.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"oathIssuerName" : {
"title" : "Name of the Issuer",
"description" : "Name to identify the OTP issuer.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string",
"exampleValue" : "ForgeRock"
},
"totpTimeStepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving an OTP.<br><br>This is the number of time step intervals to check the received OTP against, both forward and back in time. For example, with 1 time step and a time step interval of 30 seconds the server will accept the previous code, the current code and the next code.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"passwordLength" : {
"title" : "One Time Password Length",
"description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"addChecksumToOtpEnabled" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"frOathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. The minimum is 1, the maximum is 10, and the default is 3.",
"required" : true,
"type" : "integer"
},
"totpTimeStepInterval" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"totpMaximumClockDrift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window by which the OTP device counter and the server counter may be out of sync. For example, if the window size is 100 and the server's last successful login was at counter value 2, then the server will accept an OTP from the OTP device generated at any device counter from 3 to 102.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. It should be left at the default unless you know your device uses an offset.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/certificate
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"crlHttpParameters" : {
"title" : "HTTP Parameters for CRL Update",
"description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority.<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allows custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"ldapSearchStartDN" : {
"title" : "LDAP Search Start or Base DN",
"description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientCertificateHttpHeaderName" : {
"title" : "HTTP Header Name for Client Certificate",
"description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 1300,
"required" : true,
"type" : "string",
"format" : "password"
},
"matchCertificateToCRL" : {
"title" : "Match Certificate to CRL",
"description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"ocspValidationEnabled" : {
"title" : "OCSP Validation",
"description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"updateCRLsFromDistributionPoint" : {
"title" : "Update CA CRLs from CRLDistributionPoint",
"description" : "Fetch new CA CRLs from the CRLDistributionPoint and update them in the Directory Server.<br><br>If the CA certificate includes an IssuingDistributionPoint or has a CRLDistributionPoint extension set, OpenAM tries to update the CRLs if needed (i.e. the CRL is out-of-date).<br/>This property controls whether the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"iplanet-am-auth-cert-gw-cert-preferred" : {
"title" : "Use only Certificate from HTTP request header",
"description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"otherCertificateAttributeToProfileMapping" : {
"title" : "Other Certificate Field Used to Access User Profile",
"description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"certificateAttributeToProfileMapping" : {
"title" : "Certificate Field Used to Access User Profile",
"description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"trustedRemoteHosts" : {
"title" : "Trusted Remote Hosts",
"description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module.<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality.",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"crlMatchingCertificateAttribute" : {
"title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
"description" : "This is the name of the attribute taken from the CA certificate that will be used to search for the CRL.<br><br>If only one attribute name is specified, the LDAP search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute name specified is 'CN', search filter used will be <code>(CN=Some CA)</code><br/><br/>If several attribute names are specified, they have to be separated by <code>,</code>. The resulting LDAP search filter value will be a comma separated list of the named attribute values, and the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute names specified are 'CN,serialNumber', search filter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the values of the attribute names matters, as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"sslEnabled" : {
"title" : "Use SSL/TLS for LDAP Access",
"description" : "The certificate module will use SSL/TLS to access the LDAP server",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2100,
"required" : true,
"type" : "integer"
},
"certificateLdapServers" : {
"title" : "LDAP Server Where Certificates are Stored",
"description" : "Use this list to set the LDAP server used to search for certificates.<br><br>The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"matchCertificateInLdap" : {
"title" : "Match Certificate in LDAP",
"description" : "The client certificate must exist in the directory for the authentication to be successful.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"certificateAttributeProfileMappingExtension" : {
"title" : "SubjectAltNameExt Value Type to Access User Profile",
"description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"cacheCRLsInMemory" : {
"title" : "Cache CRLs in memory",
"description" : "The CRLs will be cached in memory",
"propertyOrder" : 700,
"required" : true,
"type" : "boolean"
},
"matchCACertificateToCRL" : {
"title" : "Match CA Certificate to CRL",
"description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"ldapCertificateAttribute" : {
"title" : "Subject DN Attribute Used to Search LDAP for Certificates",
"description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"userBindDN" : {
"title" : "LDAP Server Authentication User",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"crlHttpParameters" : {
"title" : "HTTP Parameters for CRL Update",
"description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"ldapSearchStartDN" : {
"title" : "LDAP Search Start or Base DN",
"description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientCertificateHttpHeaderName" : {
"title" : "HTTP Header Name for Client Certificate",
"description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 1300,
"required" : true,
"type" : "string",
"format" : "password"
},
"matchCertificateToCRL" : {
"title" : "Match Certificate to CRL",
"description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"ocspValidationEnabled" : {
"title" : "OCSP Validation",
"description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"updateCRLsFromDistributionPoint" : {
"title" : "Update CA CRLs from CRLDistributionPoint",
"description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if neeed (i.e. CRL is out-of-date). <br/>This property controls if the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"iplanet-am-auth-cert-gw-cert-preferred" : {
"title" : "Use only Certificate from HTTP request header",
"description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"otherCertificateAttributeToProfileMapping" : {
"title" : "Other Certificate Field Used to Access User Profile",
"description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"certificateAttributeToProfileMapping" : {
"title" : "Certificate Field Used to Access User Profile",
"description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate. ",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"trustedRemoteHosts" : {
"title" : "Trusted Remote Hosts",
"description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module,<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"crlMatchingCertificateAttribute" : {
"title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
"description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap searchfilter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', searchfilter used will be <code>(CN=Some CA)</code><br/><br/>If serveral attribute names are specified, they have to separated by <code>,</code>. The resulting ldap searchfilter value will be a comma separated list of name attribute values, the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN,serialNumber', searchfilter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the values of the attribute names matter as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"sslEnabled" : {
"title" : "Use SSL/TLS for LDAP Access",
"description" : "The certificate module will use SSL/TLS to access the LDAP server",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2100,
"required" : true,
"type" : "integer"
},
"certificateLdapServers" : {
"title" : "LDAP Server Where Certificates are Stored",
"description" : "Use this list to set the LDAP server used to search for certificates. <br><br>The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"matchCertificateInLdap" : {
"title" : "Match Certificate in LDAP",
"description" : "The client certificate must exist in the directory for the authentication to be successful.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"certificateAttributeProfileMappingExtension" : {
"title" : "SubjectAltNameExt Value Type to Access User Profile",
"description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"cacheCRLsInMemory" : {
"title" : "Cache CRLs in memory",
"description" : "The CRLs will be cached in memory",
"propertyOrder" : 700,
"required" : true,
"type" : "boolean"
},
"matchCACertificateToCRL" : {
"title" : "Match CA Certificate to CRL",
"description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"ldapCertificateAttribute" : {
"title" : "Subject DN Attribute Used to Search LDAP for Certificates",
"description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"userBindDN" : {
"title" : "LDAP Server Authentication User",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
}
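The crlMatchingCertificateAttribute description above specifies how the CRL search filter is derived from the issuer DN: one configured attribute gives `(attr=value)`, several give a comma-joined `attr=value` list matched against `cn`. The following is an added example that implements that construction; it is not OpenAM's own code. It wraps the multi-attribute case in parentheses because that is what an LDAP filter requires, and it escapes the assertion value per RFC 4515 (the page does not discuss escaping) so that a DN containing `(`, `)`, `*` or `\` cannot change the filter's structure. The issuer DN used in the demonstration is the constructed one from the page's own example, and `parse_dn` is a deliberately simple helper that assumes no escaped commas inside DN values.

```python
"""Added example (not OpenAM's own code): build the LDAP search filter that the
crlMatchingCertificateAttribute description specifies, from a CA issuer DN and
the configured attribute name(s).  Values are escaped per RFC 4515 so that a DN
containing filter metacharacters cannot alter the filter's structure."""
from typing import Dict, List

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_SPECIALS = {"\\", "*", "(", ")", "\x00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 hex form)."""
    return "".join(f"\\{ord(ch):02x}" if ch in _FILTER_SPECIALS else ch for ch in value)


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a simple string DN such as 'C=US, CN=Some CA, serialNumber=123456' into
    a map of lower-cased attribute type -> value.  Simplifying assumption: no value
    contains an escaped comma; a full RFC 4514 parser is out of scope here."""
    attrs: Dict[str, str] = {}
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        name, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs[name.strip().lower()] = value.strip()
    return attrs


def build_crl_search_filter(issuer_dn: str, attribute_names: str) -> str:
    """Return the filter the page's description says is used for the CRL lookup.

    One configured attribute  -> (<attr>=<value from issuer DN>)
    Several, comma separated  -> (cn=<attr1>=<v1>,<attr2>=<v2>,...) in the configured
    order, which must match the cn of the crlDistributionPoint entry in the directory.
    """
    names: List[str] = [n.strip() for n in attribute_names.split(",") if n.strip()]
    if not names:
        raise ValueError("at least one attribute name must be configured")
    attrs = parse_dn(issuer_dn)
    missing = [n for n in names if n.lower() not in attrs]
    if missing:
        # Fail closed: a filter built from a partial DN would match the wrong CRL entry.
        raise ValueError(f"issuer DN lacks configured attribute(s): {missing}")
    if len(names) == 1:
        return f"({names[0]}={escape_filter_value(attrs[names[0].lower()])})"
    composite = ",".join(f"{n}={attrs[n.lower()]}" for n in names)
    return f"(cn={escape_filter_value(composite)})"


if __name__ == "__main__":
    # Constructed issuer DN, taken from the example in the page's description.
    dn = "C=US, CN=Some CA, serialNumber=123456"
    print(build_crl_search_filter(dn, "CN"))               # (CN=Some CA)
    print(build_crl_search_filter(dn, "CN,serialNumber"))  # (cn=CN=Some CA,serialNumber=123456)
```

Because the multi-attribute form compares the whole composite string against `cn`, the configured attribute order has to match the order used when the crlDistributionPoint entry was provisioned; swapping `CN,serialNumber` for `serialNumber,CN` produces a different filter and an empty search result rather than a different CRL.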
/realm-config/authentication/modules/certificate/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"crlHttpParameters" : {
"title" : "HTTP Parameters for CRL Update",
"description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"ldapSearchStartDN" : {
"title" : "LDAP Search Start or Base DN",
"description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientCertificateHttpHeaderName" : {
"title" : "HTTP Header Name for Client Certificate",
"description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 1300,
"required" : true,
"type" : "string",
"format" : "password"
},
"matchCertificateToCRL" : {
"title" : "Match Certificate to CRL",
"description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"ocspValidationEnabled" : {
"title" : "OCSP Validation",
"description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"updateCRLsFromDistributionPoint" : {
"title" : "Update CA CRLs from CRLDistributionPoint",
"description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if neeed (i.e. CRL is out-of-date). <br/>This property controls if the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"iplanet-am-auth-cert-gw-cert-preferred" : {
"title" : "Use only Certificate from HTTP request header",
"description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"otherCertificateAttributeToProfileMapping" : {
"title" : "Other Certificate Field Used to Access User Profile",
"description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"certificateAttributeToProfileMapping" : {
"title" : "Certificate Field Used to Access User Profile",
"description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate. ",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"trustedRemoteHosts" : {
"title" : "Trusted Remote Hosts",
"description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module,<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"crlMatchingCertificateAttribute" : {
"title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
"description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap searchfilter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', searchfilter used will be <code>(CN=Some CA)</code><br/><br/>If serveral attribute names are specified, they have to separated by <code>,</code>. The resulting ldap searchfilter value will be a comma separated list of name attribute values, the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN,serialNumber', searchfilter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the values of the attribute names matter as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"sslEnabled" : {
"title" : "Use SSL/TLS for LDAP Access",
"description" : "The certificate module will use SSL/TLS to access the LDAP server",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2100,
"required" : true,
"type" : "integer"
},
"certificateLdapServers" : {
"title" : "LDAP Server Where Certificates are Stored",
"description" : "Use this list to set the LDAP server used to search for certificates. <br><br>The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"matchCertificateInLdap" : {
"title" : "Match Certificate in LDAP",
"description" : "The client certificate must exist in the directory for the authentication to be successful.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"certificateAttributeProfileMappingExtension" : {
"title" : "SubjectAltNameExt Value Type to Access User Profile",
"description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"cacheCRLsInMemory" : {
"title" : "Cache CRLs in memory",
"description" : "The CRLs will be cached in memory",
"propertyOrder" : 700,
"required" : true,
"type" : "boolean"
},
"matchCACertificateToCRL" : {
"title" : "Match CA Certificate to CRL",
"description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"ldapCertificateAttribute" : {
"title" : "Subject DN Attribute Used to Search LDAP for Certificates",
"description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"userBindDN" : {
"title" : "LDAP Server Authentication User",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
}
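The trustedRemoteHosts, clientCertificateHttpHeaderName and iplanet-am-auth-cert-gw-cert-preferred properties in the schema above together decide whether a certificate carried in an HTTP request header is believed at all. The following is an added example, not OpenAM's code, that models that decision as described: a header certificate is only considered when the peer IP is on the trusted list (`none`, the default, disables it; `any` trusts every peer), and the "prefer" flag makes the header certificate the only one used. Two things are assumptions, not taken from the page: the header name `X-Client-Cert` used in the demonstration, and the fallback order when the prefer flag is off (TLS connection certificate first, header second). Certificates are represented as plain strings since the point is the trust decision, not parsing.

```python
"""Added example (not OpenAM's own code): decide which client certificate the
Certificate module should consider, following the trustedRemoteHosts,
clientCertificateHttpHeaderName and iplanet-am-auth-cert-gw-cert-preferred
descriptions.  A certificate in an HTTP header is only honoured when the peer IP
is trusted; otherwise any client could assert an arbitrary certificate by setting
that header itself."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CertModuleConfig:
    # trustedRemoteHosts: "none" (the page's default), "any", or a list of IP addresses.
    trusted_remote_hosts: List[str] = field(default_factory=lambda: ["none"])
    # clientCertificateHttpHeaderName: the header the TLS terminator forwards the cert in.
    # "X-Client-Cert" is an assumed name for this example, not a default from the page.
    client_certificate_http_header_name: str = "X-Client-Cert"
    # iplanet-am-auth-cert-gw-cert-preferred: strictly use the header cert over the TLS one.
    prefer_header_cert: bool = False


def is_trusted_remote_host(config: CertModuleConfig, peer_ip: str) -> bool:
    """True if this peer may supply a client certificate via the HTTP header."""
    entries = [h.strip().lower() for h in config.trusted_remote_hosts if h.strip()]
    if not entries or "none" in entries:
        return False          # default: header-supplied certificates are ignored
    if "any" in entries:
        return True           # every peer trusted; only sound if nothing but the terminator can reach OpenAM
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False          # an unparsable peer address is never trusted
    for entry in entries:
        try:
            if ipaddress.ip_address(entry) == peer:
                return True
        except ValueError:
            continue          # skip list entries that are not IP addresses
    return False


def select_client_cert(config: CertModuleConfig, peer_ip: str,
                       tls_cert: Optional[str], headers: Dict[str, str]) -> Optional[str]:
    """Pick the certificate to authenticate with, or None if there is none to use.

    Assumption (not stated on the page): with the prefer flag off, the certificate
    from the TLS connection is used first and the header certificate is a fallback.
    """
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    header_cert: Optional[str] = None
    if is_trusted_remote_host(config, peer_ip):
        header_cert = lowered.get(config.client_certificate_http_header_name.lower())
    if config.prefer_header_cert:
        return header_cert    # strict: the TLS-layer certificate is ignored entirely
    return tls_cert if tls_cert is not None else header_cert


if __name__ == "__main__":
    # Constructed request: a load balancer at 10.0.0.5 forwards the certificate in the header.
    headers = {"X-Client-Cert": "PEM-FROM-HEADER"}
    behind_lb = CertModuleConfig(trusted_remote_hosts=["10.0.0.5"], prefer_header_cert=True)
    print(select_client_cert(behind_lb, "10.0.0.5", None, headers))   # PEM-FROM-HEADER
    print(select_client_cert(behind_lb, "198.51.100.7", None, headers))  # None
```

With the default `none` the header is never read, so a direct client setting `X-Client-Cert` gains nothing; with `any` the same header is trusted from every peer, which is only acceptable when network controls guarantee that all traffic reaching OpenAM passes through the TLS terminator.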
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"crlHttpParameters" : {
"title" : "HTTP Parameters for CRL Update",
"description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"ldapSearchStartDN" : {
"title" : "LDAP Search Start or Base DN",
"description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientCertificateHttpHeaderName" : {
"title" : "HTTP Header Name for Client Certificate",
"description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 1300,
"required" : true,
"type" : "string",
"format" : "password"
},
"matchCertificateToCRL" : {
"title" : "Match Certificate to CRL",
"description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"ocspValidationEnabled" : {
"title" : "OCSP Validation",
"description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"updateCRLsFromDistributionPoint" : {
"title" : "Update CA CRLs from CRLDistributionPoint",
"description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if neeed (i.e. CRL is out-of-date). <br/>This property controls if the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"iplanet-am-auth-cert-gw-cert-preferred" : {
"title" : "Use only Certificate from HTTP request header",
"description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"otherCertificateAttributeToProfileMapping" : {
"title" : "Other Certificate Field Used to Access User Profile",
"description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"certificateAttributeToProfileMapping" : {
"title" : "Certificate Field Used to Access User Profile",
"description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate. ",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"trustedRemoteHosts" : {
"title" : "Trusted Remote Hosts",
"description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module,<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"crlMatchingCertificateAttribute" : {
"title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
"description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap searchfilter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', searchfilter used will be <code>(CN=Some CA)</code><br/><br/>If serveral attribute names are specified, they have to separated by <code>,</code>. The resulting ldap searchfilter value will be a comma separated list of name attribute values, the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN,serialNumber', searchfilter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the values of the attribute names matter as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"sslEnabled" : {
"title" : "Use SSL/TLS for LDAP Access",
"description" : "The certificate module will use SSL/TLS to access the LDAP server",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2100,
"required" : true,
"type" : "integer"
},
"certificateLdapServers" : {
"title" : "LDAP Server Where Certificates are Stored",
"description" : "Use this list to set the LDAP server used to search for certificates. <br><br>The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"matchCertificateInLdap" : {
"title" : "Match Certificate in LDAP",
"description" : "The client certificate must exist in the directory for the authentication to be successful.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"certificateAttributeProfileMappingExtension" : {
"title" : "SubjectAltNameExt Value Type to Access User Profile",
"description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"cacheCRLsInMemory" : {
"title" : "Cache CRLs in memory",
"description" : "The CRLs will be cached in memory",
"propertyOrder" : 700,
"required" : true,
"type" : "boolean"
},
"matchCACertificateToCRL" : {
"title" : "Match CA Certificate to CRL",
"description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"ldapCertificateAttribute" : {
"title" : "Subject DN Attribute Used to Search LDAP for Certificates",
"description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"userBindDN" : {
"title" : "LDAP Server Authentication User",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"crlHttpParameters" : {
"title" : "HTTP Parameters for CRL Update",
"description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"ldapSearchStartDN" : {
"title" : "LDAP Search Start or Base DN",
"description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientCertificateHttpHeaderName" : {
"title" : "HTTP Header Name for Client Certificate",
"description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 1300,
"required" : true,
"type" : "string",
"format" : "password"
},
"matchCertificateToCRL" : {
"title" : "Match Certificate to CRL",
"description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"ocspValidationEnabled" : {
"title" : "OCSP Validation",
"description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"updateCRLsFromDistributionPoint" : {
"title" : "Update CA CRLs from CRLDistributionPoint",
"description" : "Fetch new CA CRLs from the CRLDistributionPoint and update them in the Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has a CRLDistributionPoint extension set, OpenAM tries to update the CRLs if needed (i.e. the CRL is out-of-date).<br/>This property controls whether the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"iplanet-am-auth-cert-gw-cert-preferred" : {
"title" : "Use only Certificate from HTTP request header",
"description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"otherCertificateAttributeToProfileMapping" : {
"title" : "Other Certificate Field Used to Access User Profile",
"description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"certificateAttributeToProfileMapping" : {
"title" : "Certificate Field Used to Access User Profile",
"description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate. ",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"trustedRemoteHosts" : {
"title" : "Trusted Remote Hosts",
"description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module.<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality.",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"crlMatchingCertificateAttribute" : {
"title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
"description" : "This is the name of the attribute taken from the CA certificate that will be used to search for the CRL.<br><br>If only one attribute name is specified, the LDAP search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. for a SubjectDN of the issuer certificate 'C=US, CN=Some CA, serialNumber=123456' and the attribute name 'CN', the search filter used will be <code>(CN=Some CA)</code><br/><br/>If several attribute names are specified, they must be separated by <code>,</code>. The resulting LDAP search filter value will be a comma-separated list of name=value pairs, and the search attribute will be <code>cn</code><br/>e.g. for a SubjectDN of the issuer certificate 'C=US, CN=Some CA, serialNumber=123456' and the attribute names 'CN,serialNumber', the search filter used will be <code>(cn=CN=Some CA,serialNumber=123456)</code><br/>The order of the attribute names matters, as the resulting value must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"sslEnabled" : {
"title" : "Use SSL/TLS for LDAP Access",
"description" : "The certificate module will use SSL/TLS to access the LDAP server",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2100,
"required" : true,
"type" : "integer"
},
"certificateLdapServers" : {
"title" : "LDAP Server Where Certificates are Stored",
"description" : "Use this list to set the LDAP server(s) the Certificate authentication module searches for certificates.<br><br>A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"matchCertificateInLdap" : {
"title" : "Match Certificate in LDAP",
"description" : "The client certificate must exist in the directory for the authentication to be successful.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"certificateAttributeProfileMappingExtension" : {
"title" : "SubjectAltNameExt Value Type to Access User Profile",
"description" : "Use the Subject Alternative Name field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternative Name</i> extension for this function to operate.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"cacheCRLsInMemory" : {
"title" : "Cache CRLs in memory",
"description" : "The CRLs will be cached in memory",
"propertyOrder" : 700,
"required" : true,
"type" : "boolean"
},
"matchCACertificateToCRL" : {
"title" : "Match CA Certificate to CRL",
"description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"ldapCertificateAttribute" : {
"title" : "Subject DN Attribute Used to Search LDAP for Certificates",
"description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"userBindDN" : {
"title" : "LDAP Server Authentication User",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
}
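Twenty-one required properties are easy to get wrong before an Update pushes them, and several of them only make sense in combination. The following Python is an added example, not OpenAM code: it holds the property names and JSON types from the schema above, validates a request body against them, and flags the combinations the property descriptions mark as security-relevant (a Trusted Remote Hosts list of any, no CRL or OCSP check, no directory match, cleartext LDAP access, the default authentication level). The two sample configurations, the header name, host addresses and bind DN are constructed for illustration; treating keys that start with an underscore (CREST metadata such as _id) as permitted is an assumption.

```python
import ipaddress

# Added example, not OpenAM code: checks a Certificate-module configuration body
# (the JSON an Update sends to this endpoint) against the schema above and flags
# settings a security reviewer would question. Both sample configurations, the
# header name, host addresses and bind DN are constructed for illustration.

# Property name -> JSON type, copied from the schema above (every property is required).
CERT_MODULE_SCHEMA = {
    "matchCertificateInLdap": "boolean", "ldapCertificateAttribute": "string",
    "matchCertificateToCRL": "boolean", "crlMatchingCertificateAttribute": "string",
    "crlHttpParameters": "string", "matchCACertificateToCRL": "boolean",
    "cacheCRLsInMemory": "boolean", "updateCRLsFromDistributionPoint": "boolean",
    "ocspValidationEnabled": "boolean", "certificateLdapServers": "array",
    "ldapSearchStartDN": "array", "userBindDN": "string", "userBindPassword": "string",
    "sslEnabled": "boolean", "certificateAttributeToProfileMapping": "string",
    "otherCertificateAttributeToProfileMapping": "string",
    "certificateAttributeProfileMappingExtension": "string",
    "trustedRemoteHosts": "array", "clientCertificateHttpHeaderName": "string",
    "iplanet-am-auth-cert-gw-cert-preferred": "boolean", "authenticationLevel": "integer",
}

def _json_type_ok(value, json_type: str) -> bool:
    """Map the schema's JSON types onto Python values (a bool is not an integer here)."""
    if json_type == "boolean":
        return isinstance(value, bool)
    if json_type == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if json_type == "string":
        return isinstance(value, str)
    return isinstance(value, list) and all(isinstance(v, str) for v in value)

def validate_config(cfg: dict) -> list[str]:
    """Schema-level errors: missing required properties, wrong types, unknown keys.
    Keys starting with '_' (CREST metadata such as _id) are assumed to be allowed."""
    errors = [f"missing required property {n!r}" if n not in cfg else f"{n!r} should be {t}"
              for n, t in CERT_MODULE_SCHEMA.items()
              if n not in cfg or not _json_type_ok(cfg[n], t)]
    errors += [f"unknown property {n!r}" for n in cfg
               if n not in CERT_MODULE_SCHEMA and not n.startswith("_")]
    return errors

def audit_config(cfg: dict) -> list[str]:
    """Security findings for a schema-valid configuration, derived from the property descriptions."""
    findings = []
    hosts = [h.strip() for h in cfg["trustedRemoteHosts"]]
    header_mode = bool(hosts) and hosts != ["none"]   # "none" (the default) disables header certs
    if "any" in hosts:
        findings.append("trustedRemoteHosts contains 'any': every client able to reach OpenAM "
                        f"can assert an identity via the {cfg['clientCertificateHttpHeaderName']!r} "
                        "header; list only the TLS-terminating proxies")
    for h in hosts:
        if h not in ("none", "any"):
            try:
                ipaddress.ip_address(h)
            except ValueError:
                findings.append(f"trustedRemoteHosts entry {h!r} is not an IP address")
    if cfg["iplanet-am-auth-cert-gw-cert-preferred"] and not header_mode:
        findings.append("header certificate is preferred but Trusted Remote Hosts mode is off, "
                        "so the header is never consulted")
    if not (cfg["matchCertificateToCRL"] or cfg["ocspValidationEnabled"]):
        findings.append("neither CRL nor OCSP checking is enabled: revoked certificates still authenticate")
    if not cfg["matchCertificateInLdap"]:
        findings.append("matchCertificateInLdap is off: the certificate need not exist in the directory")
    if not cfg["sslEnabled"]:
        findings.append("sslEnabled is off: the userBindDN password and searches reach LDAP in cleartext")
    if cfg["authenticationLevel"] <= 0:
        findings.append("authenticationLevel is 0, the lowest: certificate logins rank no higher "
                        "than any other module")
    return findings

# Constructed sample: a weak configuration and its hardened counterpart.
WEAK_CONFIG = {
    "matchCertificateInLdap": False, "ldapCertificateAttribute": "CN",
    "matchCertificateToCRL": False, "crlMatchingCertificateAttribute": "CN",
    "crlHttpParameters": "", "matchCACertificateToCRL": False, "cacheCRLsInMemory": True,
    "updateCRLsFromDistributionPoint": False, "ocspValidationEnabled": False,
    "certificateLdapServers": ["ldap.example.com:389"],
    "ldapSearchStartDN": ["ou=people,dc=example,dc=com"],
    "userBindDN": "cn=Directory Manager", "userBindPassword": "changeit", "sslEnabled": False,
    "certificateAttributeToProfileMapping": "subject CN",
    "otherCertificateAttributeToProfileMapping": "",
    "certificateAttributeProfileMappingExtension": "none",
    "trustedRemoteHosts": ["any"], "clientCertificateHttpHeaderName": "X-Client-Cert",
    "iplanet-am-auth-cert-gw-cert-preferred": True, "authenticationLevel": 0,
}
HARDENED_CONFIG = {**WEAK_CONFIG,
    "matchCertificateInLdap": True, "matchCertificateToCRL": True, "ocspValidationEnabled": True,
    "certificateLdapServers": ["ldap.example.com:636"], "sslEnabled": True,
    "userBindDN": "cn=cert-reader,ou=services,dc=example,dc=com",
    "trustedRemoteHosts": ["10.0.0.5", "10.0.0.6"], "authenticationLevel": 10,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, validate_config(cfg) or "schema ok", audit_config(cfg) or "no findings")
```

Run validate_config first and audit_config only on a body that passes it; the audit indexes the required keys directly. The findings are derived from the property descriptions, not from OpenAM's runtime behaviour, so treat them as review prompts rather than a verdict.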
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"crlHttpParameters" : {
"title" : "HTTP Parameters for CRL Update",
"description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allows custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value2</code>",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"ldapSearchStartDN" : {
"title" : "LDAP Search Start or Base DN",
"description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientCertificateHttpHeaderName" : {
"title" : "HTTP Header Name for Client Certificate",
"description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 1300,
"required" : true,
"type" : "string",
"format" : "password"
},
"matchCertificateToCRL" : {
"title" : "Match Certificate to CRL",
"description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"ocspValidationEnabled" : {
"title" : "OCSP Validation",
"description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
"propertyOrder" : 900,
"required" : true,
"type" : "boolean"
},
"updateCRLsFromDistributionPoint" : {
"title" : "Update CA CRLs from CRLDistributionPoint",
"description" : "Fetch new CA CRLs from the CRLDistributionPoint and update them in the Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has a CRLDistributionPoint extension set, OpenAM tries to update the CRLs if needed (i.e. the CRL is out-of-date).<br/>This property controls whether the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"iplanet-am-auth-cert-gw-cert-preferred" : {
"title" : "Use only Certificate from HTTP request header",
"description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"otherCertificateAttributeToProfileMapping" : {
"title" : "Other Certificate Field Used to Access User Profile",
"description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
},
"certificateAttributeToProfileMapping" : {
"title" : "Certificate Field Used to Access User Profile",
"description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate. ",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"trustedRemoteHosts" : {
"title" : "Trusted Remote Hosts",
"description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module.<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality.",
"propertyOrder" : 1800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"crlMatchingCertificateAttribute" : {
"title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
"description" : "This is the name of the attribute taken from the CA certificate that will be used to search for the CRL.<br><br>If only one attribute name is specified, the LDAP search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. for a SubjectDN of the issuer certificate 'C=US, CN=Some CA, serialNumber=123456' and the attribute name 'CN', the search filter used will be <code>(CN=Some CA)</code><br/><br/>If several attribute names are specified, they must be separated by <code>,</code>. The resulting LDAP search filter value will be a comma-separated list of name=value pairs, and the search attribute will be <code>cn</code><br/>e.g. for a SubjectDN of the issuer certificate 'C=US, CN=Some CA, serialNumber=123456' and the attribute names 'CN,serialNumber', the search filter used will be <code>(cn=CN=Some CA,serialNumber=123456)</code><br/>The order of the attribute names matters, as the resulting value must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"sslEnabled" : {
"title" : "Use SSL/TLS for LDAP Access",
"description" : "The certificate module will use SSL/TLS to access the LDAP server",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2100,
"required" : true,
"type" : "integer"
},
"certificateLdapServers" : {
"title" : "LDAP Server Where Certificates are Stored",
"description" : "Use this list to set the LDAP server(s) the Certificate authentication module searches for certificates.<br><br>A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 1000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"matchCertificateInLdap" : {
"title" : "Match Certificate in LDAP",
"description" : "The client certificate must exist in the directory for the authentication to be successful.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"certificateAttributeProfileMappingExtension" : {
"title" : "SubjectAltNameExt Value Type to Access User Profile",
"description" : "Use the Subject Alternative Name field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternative Name</i> extension for this function to operate.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"cacheCRLsInMemory" : {
"title" : "Cache CRLs in memory",
"description" : "The CRLs will be cached in memory",
"propertyOrder" : 700,
"required" : true,
"type" : "boolean"
},
"matchCACertificateToCRL" : {
"title" : "Match CA Certificate to CRL",
"description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"ldapCertificateAttribute" : {
"title" : "Subject DN Attribute Used to Search LDAP for Certificates",
"description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"userBindDN" : {
"title" : "LDAP Server Authentication User",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
}
}
}
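Two of the descriptions in the certificate module schema above specify small algorithms rather than flags: crlMatchingCertificateAttribute states how the CRL search filter is derived from the CA certificate's subject DN, and certificateLdapServers and ldapSearchStartDN share the `local server name | value` list format. The following Python is an added example, not OpenAM code, that implements both. crl_search_filter() follows the description's two cases but adds RFC 4515 escaping of the value copied out of the certificate (the description does not mention escaping; without it a `*`, `(` or `)` in a DN would alter the filter) and writes the multi-attribute filter in the same parenthesised form as the single-attribute one. resolve_for_server() picks the entry for the local OpenAM server. The function names, the sample DNs and the server names are assumptions constructed for illustration.

```python
# Added example, not OpenAM code: implements two rules stated in the certificate
# module schema above. crl_search_filter() derives the LDAP filter for the CRL
# from the CA certificate's subject DN as the crlMatchingCertificateAttribute
# description specifies, adding RFC 4515 escaping of the certificate-derived
# value (an assumption; the description does not mention escaping) and writing
# the multi-attribute filter in the same parenthesised form as the single one.
# resolve_for_server() picks the entry for this OpenAM server from a
# "local server name | value" list (certificateLdapServers, ldapSearchStartDN).
# Sample DNs and server names are constructed.

DN_COMMA = "\\,"   # how a comma inside an RDN value is escaped in a DN string

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs, honouring backslash escapes."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs

_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: text copied from a certificate cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def crl_search_filter(ca_subject_dn: str, attribute_names: str) -> str:
    """Build the filter used to find the crlDistributionPoint entry for this CA."""
    names = [n.strip() for n in attribute_names.split(",") if n.strip()]
    if not names:
        raise ValueError("at least one attribute name is required")
    dn = {attr.lower(): value for attr, value in parse_dn(ca_subject_dn)}
    values = []
    for name in names:
        if name.lower() not in dn:
            raise ValueError(f"CA subject DN has no {name!r} attribute")
        values.append(dn[name.lower()])
    if len(names) == 1:
        return f"({names[0]}={escape_filter_value(values[0])})"
    # Several names: the entry's cn must equal the comma-joined name=value list,
    # in the configured order, so commas inside values are re-escaped as in a DN.
    joined = ",".join(f"{n}={v.replace(',', DN_COMMA)}" for n, v in zip(names, values))
    return f"(cn={escape_filter_value(joined)})"

def resolve_for_server(entries: list[str], local_server_name: str) -> list[str]:
    """Return the value(s) that apply to this OpenAM server.

    Entries are either plain values or 'local server name | value'; the two
    styles are not mixed. Matching on the server name is case-insensitive."""
    plain, scoped = [], {}
    for raw in entries:
        name, sep, value = raw.partition("|")
        if sep:
            scoped.setdefault(name.strip().lower(), []).append(value.strip())
        else:
            plain.append(raw.strip())
    if not scoped:
        return plain
    if plain:
        raise ValueError("prefixed and unprefixed entries cannot be mixed")
    try:
        return scoped[local_server_name.strip().lower()]
    except KeyError:
        raise ValueError(f"no entry for local server {local_server_name!r}") from None

if __name__ == "__main__":
    issuer = "C=US, CN=Some CA, serialNumber=123456"
    print(crl_search_filter(issuer, "CN"))                 # (CN=Some CA)
    print(crl_search_filter(issuer, "CN,serialNumber"))    # (cn=CN=Some CA,serialNumber=123456)
    servers = ["http://openam1.example.com:8080/openam | ldap1.example.com:636",
               "http://openam2.example.com:8080/openam | ldap2.example.com:636"]
    print(resolve_for_server(servers, "http://openam2.example.com:8080/openam"))
```

The multi-attribute case makes the ordering rule from the description concrete: 'O,CN' and 'CN,O' produce different cn values, and only the one matching the crlDistributionPoint entry's cn will find the CRL.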
/realm-config/authentication/modules/datastore
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/datastore/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/deviceidmatch
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
/realm-config/authentication/modules/deviceidmatch/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
/realm-config/authentication/modules/deviceidsave
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"maxProfilesAllowed" : {
"title" : "Maximum stored profile quantity",
"description" : "No more than specified profiles quantity will be stored in user record",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"autoStoreProfiles" : {
"title" : "Automatically store new profiles",
"description" : "Select this checkbox to assume user consent to store every new profile<br><br>If this checkbox is selected user won't be prompted for storing new profiles. After successful OTP confirmation profile will be stored automatically.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"maxProfilesAllowed" : {
"title" : "Maximum stored profile quantity",
"description" : "No more than specified profiles quantity will be stored in user record",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"autoStoreProfiles" : {
"title" : "Automatically store new profiles",
"description" : "Select this checkbox to assume user consent to store every new profile<br><br>If this checkbox is selected user won't be prompted for storing new profiles. After successful OTP confirmation profile will be stored automatically.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/deviceidsave/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"maxProfilesAllowed" : {
"title" : "Maximum stored profile quantity",
"description" : "No more than specified profiles quantity will be stored in user record",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"autoStoreProfiles" : {
"title" : "Automatically store new profiles",
"description" : "Select this checkbox to assume user consent to store every new profile<br><br>If this checkbox is selected user won't be prompted for storing new profiles. After successful OTP confirmation profile will be stored automatically.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"maxProfilesAllowed" : {
"title" : "Maximum stored profile quantity",
"description" : "No more than specified profiles quantity will be stored in user record",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"autoStoreProfiles" : {
"title" : "Automatically store new profiles",
"description" : "Select this checkbox to assume user consent to store every new profile<br><br>If this checkbox is selected user won't be prompted for storing new profiles. After successful OTP confirmation profile will be stored automatically.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"maxProfilesAllowed" : {
"title" : "Maximum stored profile quantity",
"description" : "No more than specified profiles quantity will be stored in user record",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"autoStoreProfiles" : {
"title" : "Automatically store new profiles",
"description" : "Select this checkbox to assume user consent to store every new profile<br><br>If this checkbox is selected user won't be prompted for storing new profiles. After successful OTP confirmation profile will be stored automatically.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"maxProfilesAllowed" : {
"title" : "Maximum stored profile quantity",
"description" : "No more than specified profiles quantity will be stored in user record",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"autoStoreProfiles" : {
"title" : "Automatically store new profiles",
"description" : "Select this checkbox to assume user consent to store every new profile<br><br>If this checkbox is selected user won't be prompted for storing new profiles. After successful OTP confirmation profile will be stored automatically.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/federation
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/federation/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/hotp
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"otpDeliveryMethod" : {
"title" : "One Time Password Delivery",
"description" : "The mechanism used to deliver the One Time Password",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"otpValidityDuration" : {
"title" : "One Time Password Validity Length",
"description" : "This One Time Password will remain valid for this period (in minutes)",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"userProfileEmailAttribute" : {
"title" : "Email Attribute Name",
"description" : "This is the attribute name used by the OTP to email the user",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"autoSendOTP" : {
"title" : "Auto Send OTP Code",
"description" : "Select this checkbox if the OTP should be sent automatically",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"smsGatewayClass" : {
"title" : "SMS Gateway Implementation Class",
"description" : "The HOTP authentication module uses this class to send SMS messages.<br><br>The SMS gateway class must implement the following interface<br/><br/><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "Email From Address",
"description" : "Emails from the HOTP Authentication module will come from this address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mobileCarrierAttribute" : {
"title" : "Mobile Carrier Attribute Name",
"description" : "This is the attribute name used for a mobile carrier domain for sending SMS messages",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"smtpHostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server.<br><br>The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"smtpHostname" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server; OpenAM will use SMTP to send the messages.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use if the mail server is using SMTP authentication",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"smtpSslEnabled" : {
"title" : "Mail Server Secure Connection ",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"userProfileTelephoneAttribute" : {
"title" : "Mobile Phone Number Attribute Name",
"description" : "This is the attribute name used for a requested text message",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"otpLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated One Time Password (in digits)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"smtpUserPassword" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use if the mail server is using SMTP authentication",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"otpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"otpDeliveryMethod" : {
"title" : "One Time Password Delivery",
"description" : "The mechanism used to deliver the One Time Password",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"otpValidityDuration" : {
"title" : "One Time Password Validity Length",
"description" : "This One Time Password will remain valid for this period (in minutes)",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"userProfileEmailAttribute" : {
"title" : "Email Attribute Name",
"description" : "This is the attribute name used by the OTP to email the user",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"autoSendOTP" : {
"title" : "Auto Send OTP Code",
"description" : "Select this checkbox if the OTP should be sent automatically",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"smsGatewayClass" : {
"title" : "SMS Gateway Implementation Class",
"description" : "The HOTP authentication module uses this class to send SMS messages.<br><br>The SMS gateway class must implement the following interface<br/><br/><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "Email From Address",
"description" : "Emails from the HOTP Authentication module will come from this address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mobileCarrierAttribute" : {
"title" : "Mobile Carrier Attribute Name",
"description" : "This is the attribute name used for a mobile carrier domain for sending SMS messages",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"smtpHostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server.<br><br>The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"smtpHostname" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server; OpenAM will use SMTP to send the messages.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use if the mail server is using SMTP authentication",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"smtpSslEnabled" : {
"title" : "Mail Server Secure Connection ",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"userProfileTelephoneAttribute" : {
"title" : "Mobile Phone Number Attribute Name",
"description" : "This is the attribute name used for a requested text message",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"otpLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated One Time Password (in digits)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"smtpUserPassword" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use if the mail server is using SMTP authentication",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"otpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/hotp/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"otpDeliveryMethod" : {
"title" : "One Time Password Delivery",
"description" : "The mechanism used to deliver the One Time Password",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"otpValidityDuration" : {
"title" : "One Time Password Validity Length",
"description" : "This One Time Password will remain valid for this period (in minutes)",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"userProfileEmailAttribute" : {
"title" : "Email Attribute Name",
"description" : "This is the attribute name used by the OTP to email the user",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"autoSendOTP" : {
"title" : "Auto Send OTP Code",
"description" : "Select this checkbox if the OTP should be sent automatically",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"smsGatewayClass" : {
"title" : "SMS Gateway Implementation Class",
"description" : "The HOTP authentication module uses this class to send SMS messages.<br><br>The SMS gateway class must implement the following interface<br/><br/><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "Email From Address",
"description" : "Emails from the HOTP Authentication module will come from this address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mobileCarrierAttribute" : {
"title" : "Mobile Carrier Attribute Name",
"description" : "This is the attribute name used for a mobile carrier domain for sending SMS messages",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"smtpHostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server.<br><br>The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"smtpHostname" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server; OpenAM will use SMTP to send the messages.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use if the mail server is using SMTP authentication",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"smtpSslEnabled" : {
"title" : "Mail Server Secure Connection ",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"userProfileTelephoneAttribute" : {
"title" : "Mobile Phone Number Attribute Name",
"description" : "This is the attribute name used for a requested text message",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"otpLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated One Time Password (in digits)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"smtpUserPassword" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use if the mail server is using SMTP authentication",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"otpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"otpDeliveryMethod" : {
"title" : "One Time Password Delivery",
"description" : "The mechanism used to deliver the One Time Password",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"otpValidityDuration" : {
"title" : "One Time Password Validity Length",
"description" : "This One Time Password will remain valid for this period (in minutes)",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"userProfileEmailAttribute" : {
"title" : "Email Attribute Name",
"description" : "This is the attribute name used by the OTP to email the user",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"autoSendOTP" : {
"title" : "Auto Send OTP Code",
"description" : "Select this checkbox if the OTP should be sent automatically",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"smsGatewayClass" : {
"title" : "SMS Gateway Implementation Class",
"description" : "The HOTP authentication module uses this class to send SMS messages.<br><br>The SMS gateway class must implement the following interface<br/><br/><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "Email From Address",
"description" : "Emails from the HOTP Authentication module will come from this address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mobileCarrierAttribute" : {
"title" : "Mobile Carrier Attribute Name",
"description" : "This is the attribute name used for a mobile carrier domain for sending SMS messages",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"smtpHostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server.<br><br>The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"smtpHostname" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server; OpenAM will use SMTP to send the messages.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use if the mail server is using SMTP authentication",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"smtpSslEnabled" : {
"title" : "Mail Server Secure Connection ",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"userProfileTelephoneAttribute" : {
"title" : "Mobile Phone Number Attribute Name",
"description" : "This is the attribute name used for a requested text message",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"otpLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated One Time Password (in digits)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"smtpUserPassword" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use if the mail server is using SMTP authentication",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"otpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"otpDeliveryMethod" : {
"title" : "One Time Password Delivery",
"description" : "The mechanism used to deliver the One Time Password",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"otpValidityDuration" : {
"title" : "One Time Password Validity Length",
"description" : "This One Time Password will remain valid for this period (in minutes)",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"userProfileEmailAttribute" : {
"title" : "Email Attribute Name",
"description" : "This is the attribute name used by the OTP to email the user",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"autoSendOTP" : {
"title" : "Auto Send OTP Code",
"description" : "Select this checkbox if the OTP should be sent automatically",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"smsGatewayClass" : {
"title" : "SMS Gateway Implementation Class",
"description" : "The HOTP authentication module uses this class to send SMS messages.<br><br>The SMS gateway class must implement the following interface<br/><br/><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "Email From Address",
"description" : "Emails from the HOTP Authentication module will come from this address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mobileCarrierAttribute" : {
"title" : "Mobile Carrier Attribute Name",
"description" : "This is the attribute name used for a mobile carrier domain for sending SMS messages",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"smtpHostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server.<br><br>The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"smtpHostname" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server; OpenAM will use SMTP to send the messages.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use if the mail server is using SMTP authentication",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"smtpSslEnabled" : {
"title" : "Mail Server Secure Connection ",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"userProfileTelephoneAttribute" : {
"title" : "Mobile Phone Number Attribute Name",
"description" : "This is the attribute name used for a requested text message",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"otpLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated One Time Password (in digits)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"smtpUserPassword" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use if the mail server is using SMTP authentication",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"otpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"otpDeliveryMethod" : {
"title" : "One Time Password Delivery",
"description" : "The mechanism used to deliver the One Time Password",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"otpValidityDuration" : {
"title" : "One Time Password Validity Length",
"description" : "This One Time Password will remain valid for this period (in minutes)",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"userProfileEmailAttribute" : {
"title" : "Email Attribute Name",
"description" : "This is the attribute name used by the OTP to email the user",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"autoSendOTP" : {
"title" : "Auto Send OTP Code",
"description" : "Select this checkbox if the OTP should be sent automatically",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"smsGatewayClass" : {
"title" : "SMS Gateway Implementation Class",
"description" : "The HOTP authentication module uses this class to send SMS messages.<br><br>The SMS gateway class must implement the following interface<br/><br/><code>com.sun.identity.authentication.modules.hotp.SMSGateway</code>",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"smtpFromAddress" : {
"title" : "Email From Address",
"description" : "Emails from the HOTP Authentication module will come from this address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mobileCarrierAttribute" : {
"title" : "Mobile Carrier Attribute Name",
"description" : "This is the attribute name used for a mobile carrier domain for sending SMS messages",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"smtpHostPort" : {
"title" : "Mail Server Host Port",
"description" : "The port of the mail server.<br><br>The default port for SMTP is 25, if using SSL the default port is 465.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"smtpHostname" : {
"title" : "Mail Server Host Name",
"description" : "The name of the mail server; OpenAM will use SMTP to send the messages.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"smtpUsername" : {
"title" : "Mail Server Authentication Username",
"description" : "The username to use if the mail server is using SMTP authentication",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"smtpSslEnabled" : {
"title" : "Mail Server Secure Connection ",
"description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"userProfileTelephoneAttribute" : {
"title" : "Mobile Phone Number Attribute Name",
"description" : "This is the attribute name used for a requested text message",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"otpLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated One Time Password (in digits)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"smtpUserPassword" : {
"title" : "Mail Server Authentication Password",
"description" : "The password to use if the mail server is using SMTP authentication",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"otpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/httpbasic
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"backendModuleName" : {
"title" : "Backend Module Name",
"description" : "The name of the module that will be used to perform the authentication<br><br>The HTTP Basic authentication module collect the credentials from the user and will then supply said credentials to the backend authentication module using the shared state. ",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"backendModuleName" : {
"title" : "Backend Module Name",
"description" : "The name of the module that will be used to perform the authentication<br><br>The HTTP Basic authentication module collect the credentials from the user and will then supply said credentials to the backend authentication module using the shared state. ",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/httpbasic/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"backendModuleName" : {
"title" : "Backend Module Name",
"description" : "The name of the module that will be used to perform the authentication<br><br>The HTTP Basic authentication module collect the credentials from the user and will then supply said credentials to the backend authentication module using the shared state. ",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"backendModuleName" : {
"title" : "Backend Module Name",
"description" : "The name of the module that will be used to perform the authentication<br><br>The HTTP Basic authentication module collect the credentials from the user and will then supply said credentials to the backend authentication module using the shared state. ",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"backendModuleName" : {
"title" : "Backend Module Name",
"description" : "The name of the module that will be used to perform the authentication<br><br>The HTTP Basic authentication module collect the credentials from the user and will then supply said credentials to the backend authentication module using the shared state. ",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"backendModuleName" : {
"title" : "Backend Module Name",
"description" : "The name of the module that will be used to perform the authentication<br><br>The HTTP Basic authentication module collect the credentials from the user and will then supply said credentials to the backend authentication module using the shared state. ",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/jdbc
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jdbcDriver" : {
"title" : "JDBC Driver",
"description" : "The classname of the JDBC driver to use.<br><br>The fully qualified class name of the JDBC driver to use to connect to the database. Only Oracle or MySQL drivers are supported. JDBC drivers for other database may work, but the database will be treated as if it was Oracle.<br/><br/><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"connectionPoolJndiName" : {
"title" : "Connection Pool JNDI Name",
"description" : "The JNDI URL to the JDBC connection pool<br><br>The JNDI URL refers to the JDBC connection pool created in the J2EE container for the authentication database.<br/><br/><i>NB </i>Only used when connection type is JNDI",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"jdbcUrl" : {
"title" : "JDBC URL",
"description" : "The JDBC URL used to initialise the JDBC driver<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"passwordTransformClass" : {
"title" : "Class to Transform Password Syntax",
"description" : "This class is used to transform the supplied credentials from the database.<br><br>The default implementation for this property is <code>ClearTextTransform</code> that performs no transformation. If the supplied credentials need to be transformed before comparing with the password field retrieved from the database, a custom implementation should be provided. Any custom implementation must implement the following interface <code>com.sun.identity.authentication.modules.jdbc.JDBCPasswordSyntaxTransform</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"connectionType" : {
"title" : "Connection Type",
"description" : "Controls how the authentication module will obtain the JDBC connection to the database.<br><br>If the connection type is non-persistent JDBC connection then the JDBC driver must be available to the OpenAM web-app. If the connection type is JNDI, the OpenAM web application deployment descriptor <code>web.xml</code> must be updated to include the correct JNDI JDBC resource information. The J2EE container must also be configured with the correct JNDI JDBC configuration.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "This username will be used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "The password used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"passwordStatement" : {
"title" : "Prepared Statement",
"description" : "The SQL statement used to search the database for user passwords<br><br>The SQL statement used to search the database for the user password. A single property of the supplied username is provided by the module. The result of the search should be a single row that contains the password for the user under the specified column.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"passwordColumn" : {
"title" : "Password Column Name",
"description" : "The name of the column in the database containing the user passwords<br><br>This property will be used to retrieve the correct column containing the password from the results table returned by the database",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jdbcDriver" : {
"title" : "JDBC Driver",
"description" : "The classname of the JDBC driver to use.<br><br>The fully qualified class name of the JDBC driver to use to connect to the database. Only Oracle or MySQL drivers are supported. JDBC drivers for other database may work, but the database will be treated as if it was Oracle.<br/><br/><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"connectionPoolJndiName" : {
"title" : "Connection Pool JNDI Name",
"description" : "The JNDI URL to the JDBC connection pool<br><br>The JNDI URL refers to the JDBC connection pool created in the J2EE container for the authentication database.<br/><br/><i>NB </i>Only used when connection type is JNDI",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"jdbcUrl" : {
"title" : "JDBC URL",
"description" : "The JDBC URL used to initialise the JDBC driver<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"passwordTransformClass" : {
"title" : "Class to Transform Password Syntax",
"description" : "This class is used to transform the supplied credentials from the database.<br><br>The default implementation for this property is <code>ClearTextTransform</code> that performs no transformation. If the supplied credentials need to be transformed before comparing with the password field retrieved from the database, a custom implementation should be provided. Any custom implementation must implement the following interface <code>com.sun.identity.authentication.modules.jdbc.JDBCPasswordSyntaxTransform</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"connectionType" : {
"title" : "Connection Type",
"description" : "Controls how the authentication module will obtain the JDBC connection to the database.<br><br>If the connection type is non-persistent JDBC connection then the JDBC driver must be available to the OpenAM web-app. If the connection type is JNDI, the OpenAM web application deployment descriptor <code>web.xml</code> must be updated to include the correct JNDI JDBC resource information. The J2EE container must also be configured with the correct JNDI JDBC configuration.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "This username will be used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "The password used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"passwordStatement" : {
"title" : "Prepared Statement",
"description" : "The SQL statement used to search the database for user passwords<br><br>The SQL statement used to search the database for the user password. A single property of the supplied username is provided by the module. The result of the search should be a single row that contains the password for the user under the specified column.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"passwordColumn" : {
"title" : "Password Column Name",
"description" : "The name of the column in the database containing the user passwords<br><br>This property will be used to retrieve the correct column containing the password from the results table returned by the database",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/jdbc/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jdbcDriver" : {
"title" : "JDBC Driver",
"description" : "The classname of the JDBC driver to use.<br><br>The fully qualified class name of the JDBC driver to use to connect to the database. Only Oracle or MySQL drivers are supported. JDBC drivers for other database may work, but the database will be treated as if it was Oracle.<br/><br/><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"connectionPoolJndiName" : {
"title" : "Connection Pool JNDI Name",
"description" : "The JNDI URL to the JDBC connection pool<br><br>The JNDI URL refers to the JDBC connection pool created in the J2EE container for the authentication database.<br/><br/><i>NB </i>Only used when connection type is JNDI",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"jdbcUrl" : {
"title" : "JDBC URL",
"description" : "The JDBC URL used to initialise the JDBC driver<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"passwordTransformClass" : {
"title" : "Class to Transform Password Syntax",
"description" : "This class is used to transform the supplied credentials from the database.<br><br>The default implementation for this property is <code>ClearTextTransform</code> that performs no transformation. If the supplied credentials need to be transformed before comparing with the password field retrieved from the database, a custom implementation should be provided. Any custom implementation must implement the following interface <code>com.sun.identity.authentication.modules.jdbc.JDBCPasswordSyntaxTransform</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"connectionType" : {
"title" : "Connection Type",
"description" : "Controls how the authentication module will obtain the JDBC connection to the database.<br><br>If the connection type is non-persistent JDBC connection then the JDBC driver must be available to the OpenAM web-app. If the connection type is JNDI, the OpenAM web application deployment descriptor <code>web.xml</code> must be updated to include the correct JNDI JDBC resource information. The J2EE container must also be configured with the correct JNDI JDBC configuration.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "This username will be used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "The password used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"passwordStatement" : {
"title" : "Prepared Statement",
"description" : "The SQL statement used to search the database for user passwords<br><br>The SQL statement used to search the database for the user password. A single property of the supplied username is provided by the module. The result of the search should be a single row that contains the password for the user under the specified column.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"passwordColumn" : {
"title" : "Password Column Name",
"description" : "The name of the column in the database containing the user passwords<br><br>This property will be used to retrieve the correct column containing the password from the results table returned by the database",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jdbcDriver" : {
"title" : "JDBC Driver",
"description" : "The classname of the JDBC driver to use.<br><br>The fully qualified class name of the JDBC driver to use to connect to the database. Only Oracle or MySQL drivers are supported. JDBC drivers for other database may work, but the database will be treated as if it was Oracle.<br/><br/><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"connectionPoolJndiName" : {
"title" : "Connection Pool JNDI Name",
"description" : "The JNDI URL to the JDBC connection pool<br><br>The JNDI URL refers to the JDBC connection pool created in the J2EE container for the authentication database.<br/><br/><i>NB </i>Only used when connection type is JNDI",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"jdbcUrl" : {
"title" : "JDBC URL",
"description" : "The JDBC URL used to initialise the JDBC driver<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"passwordTransformClass" : {
"title" : "Class to Transform Password Syntax",
"description" : "This class is used to transform the supplied credentials from the database.<br><br>The default implementation for this property is <code>ClearTextTransform</code> that performs no transformation. If the supplied credentials need to be transformed before comparing with the password field retrieved from the database, a custom implementation should be provided. Any custom implementation must implement the following interface <code>com.sun.identity.authentication.modules.jdbc.JDBCPasswordSyntaxTransform</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"connectionType" : {
"title" : "Connection Type",
"description" : "Controls how the authentication module will obtain the JDBC connection to the database.<br><br>If the connection type is non-persistent JDBC connection then the JDBC driver must be available to the OpenAM web-app. If the connection type is JNDI, the OpenAM web application deployment descriptor <code>web.xml</code> must be updated to include the correct JNDI JDBC resource information. The J2EE container must also be configured with the correct JNDI JDBC configuration.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "This username will be used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "The password used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"passwordStatement" : {
"title" : "Prepared Statement",
"description" : "The SQL statement used to search the database for user passwords<br><br>The SQL statement used to search the database for the user password. A single property of the supplied username is provided by the module. The result of the search should be a single row that contains the password for the user under the specified column.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"passwordColumn" : {
"title" : "Password Column Name",
"description" : "The name of the column in the database containing the user passwords<br><br>This property will be used to retrieve the correct column containing the password from the results table returned by the database",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jdbcDriver" : {
"title" : "JDBC Driver",
"description" : "The classname of the JDBC driver to use.<br><br>The fully qualified class name of the JDBC driver to use to connect to the database. Only Oracle or MySQL drivers are supported. JDBC drivers for other database may work, but the database will be treated as if it was Oracle.<br/><br/><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"connectionPoolJndiName" : {
"title" : "Connection Pool JNDI Name",
"description" : "The JNDI URL to the JDBC connection pool<br><br>The JNDI URL refers to the JDBC connection pool created in the J2EE container for the authentication database.<br/><br/><i>NB </i>Only used when connection type is JNDI",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"jdbcUrl" : {
"title" : "JDBC URL",
"description" : "The JDBC URL used to initialise the JDBC driver<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"passwordTransformClass" : {
"title" : "Class to Transform Password Syntax",
"description" : "This class is used to transform the supplied credentials from the database.<br><br>The default implementation for this property is <code>ClearTextTransform</code> that performs no transformation. If the supplied credentials need to be transformed before comparing with the password field retrieved from the database, a custom implementation should be provided. Any custom implementation must implement the following interface <code>com.sun.identity.authentication.modules.jdbc.JDBCPasswordSyntaxTransform</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"connectionType" : {
"title" : "Connection Type",
"description" : "Controls how the authentication module will obtain the JDBC connection to the database.<br><br>If the connection type is non-persistent JDBC connection then the JDBC driver must be available to the OpenAM web-app. If the connection type is JNDI, the OpenAM web application deployment descriptor <code>web.xml</code> must be updated to include the correct JNDI JDBC resource information. The J2EE container must also be configured with the correct JNDI JDBC configuration.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "This username will be used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "The password used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"passwordStatement" : {
"title" : "Prepared Statement",
"description" : "The SQL statement used to search the database for user passwords<br><br>The SQL statement used to search the database for the user password. A single property of the supplied username is provided by the module. The result of the search should be a single row that contains the password for the user under the specified column.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"passwordColumn" : {
"title" : "Password Column Name",
"description" : "The name of the column in the database containing the user passwords<br><br>This property will be used to retrieve the correct column containing the password from the results table returned by the database",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"jdbcDriver" : {
"title" : "JDBC Driver",
"description" : "The classname of the JDBC driver to use.<br><br>The fully qualified class name of the JDBC driver to use to connect to the database. Only Oracle or MySQL drivers are supported. JDBC drivers for other database may work, but the database will be treated as if it was Oracle.<br/><br/><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"connectionPoolJndiName" : {
"title" : "Connection Pool JNDI Name",
"description" : "The JNDI URL to the JDBC connection pool<br><br>The JNDI URL refers to the JDBC connection pool created in the J2EE container for the authentication database.<br/><br/><i>NB </i>Only used when connection type is JNDI",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"jdbcUrl" : {
"title" : "JDBC URL",
"description" : "The JDBC URL used to initialise the JDBC driver<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"passwordTransformClass" : {
"title" : "Class to Transform Password Syntax",
"description" : "This class is used to transform the supplied credentials from the database.<br><br>The default implementation for this property is <code>ClearTextTransform</code> that performs no transformation. If the supplied credentials need to be transformed before comparing with the password field retrieved from the database, a custom implementation should be provided. Any custom implementation must implement the following interface <code>com.sun.identity.authentication.modules.jdbc.JDBCPasswordSyntaxTransform</code>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"connectionType" : {
"title" : "Connection Type",
"description" : "Controls how the authentication module will obtain the JDBC connection to the database.<br><br>If the connection type is non-persistent JDBC connection then the JDBC driver must be available to the OpenAM web-app. If the connection type is JNDI, the OpenAM web application deployment descriptor <code>web.xml</code> must be updated to include the correct JNDI JDBC resource information. The J2EE container must also be configured with the correct JNDI JDBC configuration.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "This username will be used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "The password used to authenticate to the database<br><br><i>NB </i>Only used when connection type is JDBC",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"passwordStatement" : {
"title" : "Prepared Statement",
"description" : "The SQL statement used to search the database for user passwords<br><br>The SQL statement used to search the database for the user password. A single property of the supplied username is provided by the module. The result of the search should be a single row that contains the password for the user under the specified column.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"passwordColumn" : {
"title" : "Password Column Name",
"description" : "The name of the column in the database containing the user passwords<br><br>This property will be used to retrieve the correct column containing the password from the results table returned by the database",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/ldap
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"secondaryLdapServer" : {
"title" : "Secondary LDAP Server",
"description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"primaryLdapServer" : {
"title" : "Primary LDAP Server",
"description" : "Use this list to set the primary LDAP server used for authentication. <br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"beheraPasswordPolicySupportEnabled" : {
"title" : "LDAP Behera Password Policy Support",
"description" : "Enables support for modern LDAP password policies<br><br>LDAP Behera Password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls from the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"secondaryLdapServer" : {
"title" : "Secondary LDAP Server",
"description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"primaryLdapServer" : {
"title" : "Primary LDAP Server",
"description" : "Use this list to set the primary LDAP server used for authentication. <br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"beheraPasswordPolicySupportEnabled" : {
"title" : "LDAP Behera Password Policy Support",
"description" : "Enables support for modern LDAP password policies<br><br>LDAP Behera Password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls from the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
/realm-config/authentication/modules/ldap/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"secondaryLdapServer" : {
"title" : "Secondary LDAP Server",
"description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"primaryLdapServer" : {
"title" : "Primary LDAP Server",
"description" : "Use this list to set the primary LDAP server used for authentication. <br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"beheraPasswordPolicySupportEnabled" : {
"title" : "LDAP Behera Password Policy Support",
"description" : "Enables support for modern LDAP password policies<br><br>LDAP Behera Password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls from the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"secondaryLdapServer" : {
"title" : "Secondary LDAP Server",
"description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"primaryLdapServer" : {
"title" : "Primary LDAP Server",
"description" : "Use this list to set the primary LDAP server used for authentication. <br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"beheraPasswordPolicySupportEnabled" : {
"title" : "LDAP Behera Password Policy Support",
"description" : "Enables support for modern LDAP password policies<br><br>LDAP Behera Password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls from the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
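As an added example (not OpenAM's own code; the user names and settings below are constructed), the following Python composes the user search filter the way the userSearchAttributes and userSearchFilter descriptions above specify, escapes the supplied user name per RFC 4515 so that it cannot change the shape of the filter, and reports the settings whose own descriptions flag a risk (cleartext LDAP connection mode, trustAllServerCertificates, cn=Directory Manager as the bind DN). The function names are this example's, not part of the API.

```python
"""Compose and review LDAP authentication module settings (added example)."""

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(user: str, search_attributes, custom_filter: str = "") -> str:
    """Build the filter described under userSearchAttributes / userSearchFilter.

    One attribute:      (uid=user)
    Several attributes: (|(uid=user)(cn=user))
    With userSearchFilter=(objectClass=person) the result is AND-ed:
                        (&(uid=user)(objectClass=person))
    Every component is enclosed in parentheses, as RFC 4515 requires; the
    page shows the single-attribute case without them for brevity.
    """
    attrs = [a.strip() for a in search_attributes if a and a.strip()]
    if not attrs:
        raise ValueError("userSearchAttributes must contain at least one attribute")
    safe_user = escape_filter_value(user)  # user input never alters filter structure
    if len(attrs) == 1:
        core = f"({attrs[0]}={safe_user})"
    else:
        core = "(|" + "".join(f"({a}={safe_user})" for a in attrs) + ")"
    custom = custom_filter.strip()
    if not custom:
        return core
    if not custom.startswith("("):
        custom = f"({custom})"  # normalise a bare "objectClass=person"
    return f"(&{core}{custom})"


def review_connection_settings(module_config: dict) -> list:
    """Return warnings for settings whose descriptions on this page note a risk.

    The keys are the schema property names; values are constructed here.
    """
    findings = []
    mode = str(module_config.get("openam-auth-ldap-connection-mode", ""))
    if mode.upper() == "LDAP":
        findings.append(
            "connection mode LDAP: bind passwords cross the network in cleartext; "
            "use LDAPS or StartTLS"
        )
    if module_config.get("trustAllServerCertificates") is True:
        findings.append(
            "trustAllServerCertificates enabled: server certificate verification "
            "is bypassed"
        )
    bind_dn = str(module_config.get("userBindDN", "")).strip().lower()
    if bind_dn == "cn=directory manager":
        findings.append(
            "userBindDN is cn=Directory Manager: use a least-privileged service "
            "account for the module's bind"
        )
    return findings


if __name__ == "__main__":
    # Constructed settings for a quick run; not a real module configuration.
    weak = {
        "openam-auth-ldap-connection-mode": "LDAP",
        "trustAllServerCertificates": True,
        "userBindDN": "cn=Directory Manager",
    }
    print(build_user_search_filter("alice", ["uid", "cn"], "(objectClass=person)"))
    print(build_user_search_filter("*)(uid=*", ["uid"]))  # injection attempt is escaped
    for finding in review_connection_settings(weak):
        print("WARNING:", finding)
```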
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"secondaryLdapServer" : {
"title" : "Secondary LDAP Server",
"description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"primaryLdapServer" : {
"title" : "Primary LDAP Server",
"description" : "Use this list to set the primary LDAP server used for authentication. <br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"beheraPasswordPolicySupportEnabled" : {
"title" : "LDAP Behera Password Policy Support",
"description" : "Enables support for modern LDAP password policies<br><br>LDAP Behera Password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls from the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
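Several properties in the LDAP module schema above carry a security warning in their description: the connection mode (plain LDAP sends passwords in cleartext), Trust All Server Certificates (bypasses certificate verification), the bind DN (cn=Directory Manager should not be used in production), and the operation timeout and heartbeat settings (0 disables them). The following is an added example, not OpenAM code, that audits a module configuration in this JSON shape, using the schema's own property names, and lists the weak settings; a constructed weak configuration is shown beside a hardened one. The host names, service-account DN and passwords are made up.

```python
# Added example, not OpenAM code: audit an LDAP authentication module
# configuration (the property names from the schema above) for the
# insecure settings the property descriptions warn about.
from typing import Any


def _normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around each RDN for comparison."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def audit_ldap_module(cfg: dict[str, Any]) -> list[str]:
    """Return one finding per weak setting; an empty list means no findings."""
    findings: list[str] = []

    # Assumption: an absent connection mode is treated as the cleartext default.
    mode = cfg.get("openam-auth-ldap-connection-mode", "LDAP")
    if mode == "LDAP":
        findings.append("openam-auth-ldap-connection-mode=LDAP: bind and user "
                        "passwords cross the network in cleartext")
    elif mode not in ("LDAPS", "StartTLS"):
        findings.append(f"openam-auth-ldap-connection-mode={mode!r}: not a documented value")

    if cfg.get("trustAllServerCertificates", False):
        findings.append("trustAllServerCertificates=true: certificate verification is "
                        "bypassed, so LDAPS/StartTLS no longer authenticates the server")

    if _normalize_dn(cfg.get("userBindDN", "")) == "cn=directory manager":
        findings.append("userBindDN=cn=Directory Manager: use a least-privilege "
                        "service account for the module's bind")

    if not cfg.get("userBindPassword"):
        findings.append("userBindPassword is empty")

    if int(cfg.get("operationTimeout", 0)) == 0:
        findings.append("operationTimeout=0: a hung directory blocks the module until "
                        "OS/JVM timeouts apply")

    if int(cfg.get("connectionHeartbeatInterval", 0)) <= 0:
        findings.append("connectionHeartbeatInterval<=0: stale connections are not detected")

    return findings


# Constructed configurations for illustration; hosts, DNs and passwords are made up.
WEAK_CONFIG: dict[str, Any] = {
    "primaryLdapServer": ["ldap.example.com:389"],
    "userBindDN": "cn=Directory Manager",
    "userBindPassword": "password",
    "openam-auth-ldap-connection-mode": "LDAP",
    "trustAllServerCertificates": True,
    "operationTimeout": 0,
    "connectionHeartbeatInterval": 0,
}

HARDENED_CONFIG: dict[str, Any] = {
    "primaryLdapServer": ["ldap.example.com:636"],
    "userBindDN": "cn=openam-bind,ou=service accounts,dc=example,dc=com",
    "userBindPassword": "use-a-secret-store",
    "openam-auth-ldap-connection-mode": "LDAPS",
    "trustAllServerCertificates": False,
    "operationTimeout": 10,
    "connectionHeartbeatInterval": 10,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_ldap_module(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The same checks apply to the JSON body sent to the Create and Update endpoints for this module, since they use the identical property names.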
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 2000,
"required" : true,
"type" : "integer"
},
"secondaryLdapServer" : {
"title" : "Secondary LDAP Server",
"description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userBindDN" : {
"title" : "Bind User DN",
"description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"operationTimeout" : {
"title" : "LDAP operations timeout",
"description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"userSearchFilter" : {
"title" : "User Search Filter",
"description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"primaryLdapServer" : {
"title" : "Primary LDAP Server",
"description" : "Use this list to set the primary LDAP server used for authentication. <br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userSearchAttributes" : {
"title" : "Attributes Used to Search for a User to be Authenticated",
"description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"beheraPasswordPolicySupportEnabled" : {
"title" : "LDAP Behera Password Policy Support",
"description" : "Enables support for modern LDAP password policies<br><br>LDAP Behera Password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
},
"connectionHeartbeatInterval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"connectionHeartbeatTimeUnit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1200,
"required" : true,
"type" : "boolean"
},
"openam-auth-ldap-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"trustAllServerCertificates" : {
"title" : "Trust All Server Certificates",
"description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"userSearchStartDN" : {
"title" : "DN to Start User Search",
"description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userProfileRetrievalAttribute" : {
"title" : "Attribute Used to Retrieve User Profile",
"description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userBindPassword" : {
"title" : "Bind User Password",
"description" : "The password of the administration account.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls from the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"searchScope" : {
"title" : "Search Scope",
"description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"profileAttributeMappings" : {
"title" : "User Creation Attributes",
"description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
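The userSearchAttributes and userSearchFilter descriptions (in this schema and in the copy above it) state how the LDAP module assembles the user search filter: each configured attribute is matched against the supplied user name, the clauses are OR-ed when there is more than one attribute, and the custom filter is AND-ed on. The user name comes straight from the login request, so it has to be escaped before it is spliced into the filter, or characters such as `*`, `(` and `)` can change the filter's structure (LDAP injection). The following added example, not OpenAM's own implementation, builds the filter that way with RFC 4515 escaping. It always parenthesizes the single-attribute case, where the page shows the bare form uid=user; the two are equivalent as a filter.

```python
# Added example, not OpenAM code: assemble the user search filter as the
# userSearchAttributes / userSearchFilter descriptions specify, escaping
# the user-supplied name per RFC 4515 so it cannot alter the filter.

# RFC 4515 assertion-value escapes: backslash, '*', '(', ')' and NUL.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(user: str, search_attributes: list[str],
                             custom_filter: str = "") -> str:
    """
    user              the name typed at login (untrusted input)
    search_attributes the userSearchAttributes list, e.g. ["uid"] or ["uid", "cn"]
    custom_filter     the userSearchFilter value, an admin-supplied filter such as
                      "(objectClass=person)", or "" for none
    """
    if not search_attributes:
        raise ValueError("userSearchAttributes must contain at least one attribute")
    if custom_filter and not (custom_filter.startswith("(") and custom_filter.endswith(")")
                              and custom_filter.count("(") == custom_filter.count(")")):
        # Sanity check only: the custom filter is trusted admin configuration,
        # not user input, so it is appended verbatim rather than escaped.
        raise ValueError("userSearchFilter must be a parenthesized LDAP filter")

    value = escape_filter_value(user)
    clauses = [f"({attr}={value})" for attr in search_attributes]
    # One attribute gives a plain equality match; several are OR-ed together.
    base = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    # The custom filter narrows the match and is AND-ed onto the base filter.
    return f"(&{base}{custom_filter})" if custom_filter else base


if __name__ == "__main__":
    print(build_user_search_filter("alice", ["uid"]))
    print(build_user_search_filter("alice", ["uid", "cn"], "(objectClass=person)"))
    # An injection attempt: unescaped, "*)(uid=*" would turn the filter into a
    # wildcard match on every entry; escaped, it is just a literal string.
    print(build_user_search_filter("*)(uid=*", ["uid"], "(objectClass=person)"))
```

A useful check when reviewing a module configuration is to run the configured userSearchAttributes and userSearchFilter through this function with a hostile user name and confirm that the output still contains the escaped sequence rather than extra filter clauses.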
/realm-config/authentication/modules/membership
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "The minimum length of the user password.<br><br>Setting this value to 0 disables this functionality.<br/><br/><i>NB </i>This feature is separate from any password policy in the underlying data store",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"defaultUserRoles" : {
"title" : "Default User Roles",
"description" : "The role DN's that will be assigned to the user.<br><br><i>NB </i>Roles are only supported in Sun Directory Server Enterprise Edition",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"defaultUserStatus" : {
"title" : "User Status After Registration",
"description" : "Determines if the user account should be automatically active after registration completes.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "The minimum length of the user password.<br><br>Setting this value to 0 disables this functionality.<br/><br/><i>NB </i>This feature is separate from any password policy in the underlying data store",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"defaultUserRoles" : {
"title" : "Default User Roles",
"description" : "The role DN's that will be assigned to the user.<br><br><i>NB </i>Roles are only supported in Sun Directory Server Enterprise Edition",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"defaultUserStatus" : {
"title" : "User Status After Registration",
"description" : "Determines if the user account should be automatically active after registration completes.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/membership/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "The minimum length of the user password.<br><br>Setting this value to 0 disables this functionality.<br/><br/><i>NB </i>This feature is separate from any password policy in the underlying data store",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"defaultUserRoles" : {
"title" : "Default User Roles",
"description" : "The role DN's that will be assigned to the user.<br><br><i>NB </i>Roles are only supported in Sun Directory Server Enterprise Edition",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"defaultUserStatus" : {
"title" : "User Status After Registration",
"description" : "Determines if the user account should be automatically active after registration completes.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "The minimum length of the user password.<br><br>Setting this value to 0 disables this functionality.<br/><br/><i>NB </i>This feature is separate from any password policy in the underlying data store",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"defaultUserRoles" : {
"title" : "Default User Roles",
"description" : "The role DN's that will be assigned to the user.<br><br><i>NB </i>Roles are only supported in Sun Directory Server Enterprise Edition",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"defaultUserStatus" : {
"title" : "User Status After Registration",
"description" : "Determines if the user account should be automatically active after registration completes.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "The minimum length of the user password.<br><br>Setting this value to 0 disables this functionality.<br/><br/><i>NB </i>This feature is separate from any password policy in the underlying data store",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"defaultUserRoles" : {
"title" : "Default User Roles",
"description" : "The role DN's that will be assigned to the user.<br><br><i>NB </i>Roles are only supported in Sun Directory Server Enterprise Edition",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"defaultUserStatus" : {
"title" : "User Status After Registration",
"description" : "Determines if the user account should be automatically active after registration completes.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"minimumPasswordLength" : {
"title" : "Minimum Password Length",
"description" : "The minimum length of the user password.<br><br>Setting this value to 0 disables this functionality.<br/><br/><i>NB </i>This feature is separate from any password policy in the underlying data store",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"defaultUserRoles" : {
"title" : "Default User Roles",
"description" : "The role DN's that will be assigned to the user.<br><br><i>NB </i>Roles are only supported in Sun Directory Server Enterprise Edition",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"defaultUserStatus" : {
"title" : "User Status After Registration",
"description" : "Determines if the user account should be automatically active after registration completes.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/msisdn
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapUserBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"ldapUserBindDN" : {
"title" : "LDAP Server Authentication User ",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The MSISDN module authenticates to the LDAP server in order to search for a matching number. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userProfileMsisdnAttribute" : {
"title" : "Attribute To Use To Search LDAP",
"description" : "The name of the attribute searched in the user profiles for the MSISDN number",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1100,
"required" : true,
"type" : "boolean"
},
"ldapSslEnabled" : {
"title" : "SSL/TLS for LDAP Access",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"msisdnParameterNames" : {
"title" : "MSISDN Number Search Parameter Name",
"description" : "Name of the HTTP cookie, header or query parameter containing the MSISDN number<br><br>The MSISDN authentication module will check the incoming HTTP cookie, header or query parameter of the request for the MSISDN number. The order of checking is as follows:<br/><br/><ol><li>Cookie</li><li>Header</li><li>Query</li></ol><br/><br/><i>NB </i>The <i>MSISDN Header Search Attribute</i> controls what elements of the request is searched",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"msisdnRequestSearchLocations" : {
"title" : "MSISDN Header Search Attribute",
"description" : "Controls the elements that are searched by the authentication module ",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"trustedGatewayIPAddresses" : {
"title" : "Trusted Gateway IP Address",
"description" : "The list of IP address that are trusted to send MSISDN authentication requests.<br><br>The client IP address of the authentication request is checked against this list, if the client IP is not listed then the authentication module will fail.<br/><br/><i>NB </i>If the list is empty then all hosts will be trusted.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"msisdnUserNamingAttribute" : {
"title" : "LDAP Attribute Used to Retrieve User Profile",
"description" : "The name of the attribute returned from the user profile matched against the supplied MSISDN number",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ldapProviderUrl" : {
"title" : "LDAP Server and Port ",
"description" : "Use this list to set the LDAP server used to search for the MSISDN number. <br><br>The MSISDN authentication module will use this list as the server that is searched for a matching MSISDN number. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"baseSearchDN" : {
"title" : "LDAP Start Search DN",
"description" : "The start point in the LDAP server for the MSISDN search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapUserBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"ldapUserBindDN" : {
"title" : "LDAP Server Authentication User ",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The MSISDN module authenticates to the LDAP server in order to search for a matching number. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userProfileMsisdnAttribute" : {
"title" : "Attribute To Use To Search LDAP",
"description" : "The name of the attribute searched in the user profiles for the MSISDN number",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1100,
"required" : true,
"type" : "boolean"
},
"ldapSslEnabled" : {
"title" : "SSL/TLS for LDAP Access",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"msisdnParameterNames" : {
"title" : "MSISDN Number Search Parameter Name",
"description" : "Name of the HTTP cookie, header or query parameter containing the MSISDN number<br><br>The MSISDN authentication module will check the incoming HTTP cookie, header or query parameter of the request for the MSISDN number. The order of checking is as follows:<br/><br/><ol><li>Cookie</li><li>Header</li><li>Query</li></ol><br/><br/><i>NB </i>The <i>MSISDN Header Search Attribute</i> controls what elements of the request are searched",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"msisdnRequestSearchLocations" : {
"title" : "MSISDN Header Search Attribute",
"description" : "Controls the elements that are searched by the authentication module ",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"trustedGatewayIPAddresses" : {
"title" : "Trusted Gateway IP Address",
"description" : "The list of IP addresses that are trusted to send MSISDN authentication requests.<br><br>The client IP address of the authentication request is checked against this list; if the client IP is not listed then the authentication module will fail.<br/><br/><i>NB </i>If the list is empty then all hosts will be trusted.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"msisdnUserNamingAttribute" : {
"title" : "LDAP Attribute Used to Retrieve User Profile",
"description" : "The name of the attribute returned from the user profile matched against the supplied MSISDN number",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ldapProviderUrl" : {
"title" : "LDAP Server and Port ",
"description" : "Use this list to set the LDAP server used to search for the MSISDN number. <br><br>The MSISDN authentication module will use this list as the server that is searched for a matching MSISDN number. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"baseSearchDN" : {
"title" : "LDAP Start Search DN",
"description" : "The start point in the LDAP server for the MSISDN search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
/realm-config/authentication/modules/msisdn/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapUserBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"ldapUserBindDN" : {
"title" : "LDAP Server Authentication User ",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The MSISDN module authenticates to the LDAP server in order to search for a matching number. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userProfileMsisdnAttribute" : {
"title" : "Attribute To Use To Search LDAP",
"description" : "The name of the attribute searched in the user profiles for the MSISDN number",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1100,
"required" : true,
"type" : "boolean"
},
"ldapSslEnabled" : {
"title" : "SSL/TLS for LDAP Access",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"msisdnParameterNames" : {
"title" : "MSISDN Number Search Parameter Name",
"description" : "Name of the HTTP cookie, header or query parameter containing the MSISDN number<br><br>The MSISDN authentication module will check the incoming HTTP cookie, header or query parameter of the request for the MSISDN number. The order of checking is as follows:<br/><br/><ol><li>Cookie</li><li>Header</li><li>Query</li></ol><br/><br/><i>NB </i>The <i>MSISDN Header Search Attribute</i> controls what elements of the request are searched",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"msisdnRequestSearchLocations" : {
"title" : "MSISDN Header Search Attribute",
"description" : "Controls the elements that are searched by the authentication module ",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"trustedGatewayIPAddresses" : {
"title" : "Trusted Gateway IP Address",
"description" : "The list of IP addresses that are trusted to send MSISDN authentication requests.<br><br>The client IP address of the authentication request is checked against this list; if the client IP is not listed then the authentication module will fail.<br/><br/><i>NB </i>If the list is empty then all hosts will be trusted.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"msisdnUserNamingAttribute" : {
"title" : "LDAP Attribute Used to Retrieve User Profile",
"description" : "The name of the attribute returned from the user profile matched against the supplied MSISDN number",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ldapProviderUrl" : {
"title" : "LDAP Server and Port ",
"description" : "Use this list to set the LDAP server used to search for the MSISDN number. <br><br>The MSISDN authentication module will use this list as the server that is searched for a matching MSISDN number. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"baseSearchDN" : {
"title" : "LDAP Start Search DN",
"description" : "The start point in the LDAP server for the MSISDN search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapUserBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"ldapUserBindDN" : {
"title" : "LDAP Server Authentication User ",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The MSISDN module authenticates to the LDAP server in order to search for a matching number. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userProfileMsisdnAttribute" : {
"title" : "Attribute To Use To Search LDAP",
"description" : "The name of the attribute searched in the user profiles for the MSISDN number",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1100,
"required" : true,
"type" : "boolean"
},
"ldapSslEnabled" : {
"title" : "SSL/TLS for LDAP Access",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"msisdnParameterNames" : {
"title" : "MSISDN Number Search Parameter Name",
"description" : "Name of the HTTP cookie, header or query parameter containing the MSISDN number<br><br>The MSISDN authentication module will check the incoming HTTP cookie, header or query parameter of the request for the MSISDN number. The order of checking is as follows:<br/><br/><ol><li>Cookie</li><li>Header</li><li>Query</li></ol><br/><br/><i>NB </i>The <i>MSISDN Header Search Attribute</i> controls what elements of the request are searched",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"msisdnRequestSearchLocations" : {
"title" : "MSISDN Header Search Attribute",
"description" : "Controls the elements that are searched by the authentication module ",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"trustedGatewayIPAddresses" : {
"title" : "Trusted Gateway IP Address",
"description" : "The list of IP addresses that are trusted to send MSISDN authentication requests.<br><br>The client IP address of the authentication request is checked against this list; if the client IP is not listed then the authentication module will fail.<br/><br/><i>NB </i>If the list is empty then all hosts will be trusted.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"msisdnUserNamingAttribute" : {
"title" : "LDAP Attribute Used to Retrieve User Profile",
"description" : "The name of the attribute returned from the user profile matched against the supplied MSISDN number",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ldapProviderUrl" : {
"title" : "LDAP Server and Port ",
"description" : "Use this list to set the LDAP server used to search for the MSISDN number. <br><br>The MSISDN authentication module will use this list as the server that is searched for a matching MSISDN number. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"baseSearchDN" : {
"title" : "LDAP Start Search DN",
"description" : "The start point in the LDAP server for the MSISDN search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapUserBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"ldapUserBindDN" : {
"title" : "LDAP Server Authentication User ",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The MSISDN module authenticates to the LDAP server in order to search for a matching number. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userProfileMsisdnAttribute" : {
"title" : "Attribute To Use To Search LDAP",
"description" : "The name of the attribute searched in the user profiles for the MSISDN number",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1100,
"required" : true,
"type" : "boolean"
},
"ldapSslEnabled" : {
"title" : "SSL/TLS for LDAP Access",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"msisdnParameterNames" : {
"title" : "MSISDN Number Search Parameter Name",
"description" : "Name of the HTTP cookie, header or query parameter containing the MSISDN number<br><br>The MSISDN authentication module will check the incoming HTTP cookie, header or query parameter of the request for the MSISDN number. The order of checking is as follows:<br/><br/><ol><li>Cookie</li><li>Header</li><li>Query</li></ol><br/><br/><i>NB </i>The <i>MSISDN Header Search Attribute</i> controls what elements of the request are searched",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"msisdnRequestSearchLocations" : {
"title" : "MSISDN Header Search Attribute",
"description" : "Controls the elements that are searched by the authentication module ",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"trustedGatewayIPAddresses" : {
"title" : "Trusted Gateway IP Address",
"description" : "The list of IP addresses that are trusted to send MSISDN authentication requests.<br><br>The client IP address of the authentication request is checked against this list; if the client IP is not listed then the authentication module will fail.<br/><br/><i>NB </i>If the list is empty then all hosts will be trusted.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"msisdnUserNamingAttribute" : {
"title" : "LDAP Attribute Used to Retrieve User Profile",
"description" : "The name of the attribute returned from the user profile matched against the supplied MSISDN number",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ldapProviderUrl" : {
"title" : "LDAP Server and Port ",
"description" : "Use this list to set the LDAP server used to search for the MSISDN number. <br><br>The MSISDN authentication module will use this list as the server that is searched for a matching MSISDN number. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"baseSearchDN" : {
"title" : "LDAP Start Search DN",
"description" : "The start point in the LDAP server for the MSISDN search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapUserBindPassword" : {
"title" : "LDAP Server Authentication Password",
"description" : "The password for the authentication user",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"ldapUserBindDN" : {
"title" : "LDAP Server Authentication User ",
"description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The MSISDN module authenticates to the LDAP server in order to search for a matching number. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"userProfileMsisdnAttribute" : {
"title" : "Attribute To Use To Search LDAP",
"description" : "The name of the attribute searched in the user profiles for the MSISDN number",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"returnUserDN" : {
"title" : "Return User DN to DataStore",
"description" : "Controls whether the DN or the username is returned as the authentication principal.",
"propertyOrder" : 1100,
"required" : true,
"type" : "boolean"
},
"ldapSslEnabled" : {
"title" : "SSL/TLS for LDAP Access",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"msisdnParameterNames" : {
"title" : "MSISDN Number Search Parameter Name",
"description" : "Name of the HTTP cookie, header or query parameter containing the MSISDN number<br><br>The MSISDN authentication module will check the incoming HTTP cookie, header or query parameter of the request for the MSISDN number. The order of checking is as follows:<br/><br/><ol><li>Cookie</li><li>Header</li><li>Query</li></ol><br/><br/><i>NB </i>The <i>MSISDN Header Search Attribute</i> controls what elements of the request are searched",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"msisdnRequestSearchLocations" : {
"title" : "MSISDN Header Search Attribute",
"description" : "Controls the elements that are searched by the authentication module ",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 1200,
"required" : true,
"type" : "integer"
},
"trustedGatewayIPAddresses" : {
"title" : "Trusted Gateway IP Address",
"description" : "The list of IP addresses that are trusted to send MSISDN authentication requests.<br><br>The client IP address of the authentication request is checked against this list; if the client IP is not listed then the authentication module will fail.<br/><br/><i>NB </i>If the list is empty then all hosts will be trusted.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"msisdnUserNamingAttribute" : {
"title" : "LDAP Attribute Used to Retrieve User Profile",
"description" : "The name of the attribute returned from the user profile matched against the supplied MSISDN number",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"ldapProviderUrl" : {
"title" : "LDAP Server and Port ",
"description" : "Use this list to set the LDAP server used to search for the MSISDN number. <br><br>The MSISDN authentication module will use this list as the server that is searched for a matching MSISDN number. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"baseSearchDN" : {
"title" : "LDAP Start Search DN",
"description" : "The start point in the LDAP server for the MSISDN search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
/realm-config/authentication/modules/oath
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hotpCounterAttribute" : {
"title" : "Counter Attribute Name",
"description" : "The name of the attribute in the user profile to store the user counter. This is required if HOTP is chosen as the OATH algorithm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"forgerock-oath-observed-clock-drift-attribute-name" : {
"title" : "Clock Drift Attribute Name",
"description" : "The name of the attribute in the user profile to store the clock drift. If left empty then clock drift checking is disabled.<br><br>The name of the attribute used to store the last observed clock drift which is used to indicate when a manual resynchronisation is required.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"passwordLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated OTP in digits. Must be 6 digits or longer.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"secretKeyAttribute" : {
"title" : "Secret Key Attribute Name",
"description" : "The name of the attribute in the user profile to store the user secret key.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"oathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1, maximum is 10, and the default is 3.",
"required" : true,
"type" : "integer"
},
"forgerock-oath-maximum-clock-drift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. This should be greater than the TOTP Time Steps value.<br><br>As this checks the time drift over multiple requests it needs to be greater than the value specified in TOTP Time Steps.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"forgerock-oath-sharedsecret-implementation-class" : {
"title" : "The Shared Secret Provider Class",
"description" : "The fully qualified class name for the Shared Secret Provider extension.<br><br>The class that is used to process the user profile attribute used to store the user secret key.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left at the default unless you know your device uses an offset.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"stepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving an OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 2 time steps and a time step interval of 30 seconds the server will allow a clock drift between client and server of 89 seconds (two 30-second steps plus 29 seconds for the interval that the OTP arrived in).",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the server's last successful login was at counter value 2, then the server will accept an OTP from the OTP device that is from device counter 3 to 102.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeStepSize" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"lastLoginTimeAttribute" : {
"title" : "Last Login Time Attribute",
"description" : "Attribute to store the time of the users last login. This is required if TOTP is chosen as the OATH algorithm.<br><br>This attribute stores the last time a user logged in to prevent time based attacks. The value is stored as a number (Unix Time).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"addChecksum" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hotpCounterAttribute" : {
"title" : "Counter Attribute Name",
"description" : "The name of the attribute in the user profile to store the user counter. This is required if HOTP is chosen as the OATH algorithm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"forgerock-oath-observed-clock-drift-attribute-name" : {
"title" : "Clock Drift Attribute Name",
"description" : "The name of the attribute in the user profile to store the clock drift. If left empty then clock drift checking is disabled.<br><br>The name of the attribute used to store the last observed clock drift which is used to indicated when a manual resynchronisation is required.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"passwordLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated OTP in digits. Must be 6 digits or longer.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"secretKeyAttribute" : {
"title" : "Secret Key Attribute Name",
"description" : "The name of the attribute in the user profile to store the user secret key.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"oathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
},
"forgerock-oath-maximum-clock-drift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. This should be greater than the TOTP Time Steps value.<br><br>As this checks the time drift over multiple requests it needs to be greater than the value specified in TOTP Time Steps.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"forgerock-oath-sharedsecret-implementation-class" : {
"title" : "The Shared Secret Provider Class",
"description" : "The fully qualified class name for the Shared Secret Provider extension.<br><br>The class that is used to process the user profile attribute used to store the user secret key.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"stepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 2 time steps and a time step interval of 30 seconds the server will allow a clock drift between client and server of 89 seconds. (2-30 second steps and 29 seconds for the interval that the OTP arrived in)",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeStepSize" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"lastLoginTimeAttribute" : {
"title" : "Last Login Time Attribute",
"description" : "Attribute to store the time of the users last login. This is required if TOTP is chosen as the OATH algorithm.<br><br>This attribute stores the last time a user logged in to prevent time based attacks. The value is stored as a number (Unix Time).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"addChecksum" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/oath/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hotpCounterAttribute" : {
"title" : "Counter Attribute Name",
"description" : "The name of the attribute in the user profile to store the user counter. This is required if HOTP is chosen as the OATH algorithm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"forgerock-oath-observed-clock-drift-attribute-name" : {
"title" : "Clock Drift Attribute Name",
"description" : "The name of the attribute in the user profile to store the clock drift. If left empty then clock drift checking is disabled.<br><br>The name of the attribute used to store the last observed clock drift which is used to indicated when a manual resynchronisation is required.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"passwordLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated OTP in digits. Must be 6 digits or longer.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"secretKeyAttribute" : {
"title" : "Secret Key Attribute Name",
"description" : "The name of the attribute in the user profile to store the user secret key.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"oathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
},
"forgerock-oath-maximum-clock-drift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. This should be greater than the TOTP Time Steps value.<br><br>As this checks the time drift over multiple requests it needs to be greater than the value specified in TOTP Time Steps.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"forgerock-oath-sharedsecret-implementation-class" : {
"title" : "The Shared Secret Provider Class",
"description" : "The fully qualified class name for the Shared Secret Provider extension.<br><br>The class that is used to process the user profile attribute used to store the user secret key.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"stepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 2 time steps and a time step interval of 30 seconds the server will allow a clock drift between client and server of 89 seconds. (2-30 second steps and 29 seconds for the interval that the OTP arrived in)",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeStepSize" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"lastLoginTimeAttribute" : {
"title" : "Last Login Time Attribute",
"description" : "Attribute to store the time of the users last login. This is required if TOTP is chosen as the OATH algorithm.<br><br>This attribute stores the last time a user logged in to prevent time based attacks. The value is stored as a number (Unix Time).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"addChecksum" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hotpCounterAttribute" : {
"title" : "Counter Attribute Name",
"description" : "The name of the attribute in the user profile to store the user counter. This is required if HOTP is chosen as the OATH algorithm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"forgerock-oath-observed-clock-drift-attribute-name" : {
"title" : "Clock Drift Attribute Name",
"description" : "The name of the attribute in the user profile to store the clock drift. If left empty then clock drift checking is disabled.<br><br>The name of the attribute used to store the last observed clock drift which is used to indicated when a manual resynchronisation is required.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"passwordLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated OTP in digits. Must be 6 digits or longer.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"secretKeyAttribute" : {
"title" : "Secret Key Attribute Name",
"description" : "The name of the attribute in the user profile to store the user secret key.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"oathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
},
"forgerock-oath-maximum-clock-drift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. This should be greater than the TOTP Time Steps value.<br><br>As this checks the time drift over multiple requests it needs to be greater than the value specified in TOTP Time Steps.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"forgerock-oath-sharedsecret-implementation-class" : {
"title" : "The Shared Secret Provider Class",
"description" : "The fully qualified class name for the Shared Secret Provider extension.<br><br>The class that is used to process the user profile attribute used to store the user secret key.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"stepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 2 time steps and a time step interval of 30 seconds the server will allow a clock drift between client and server of 89 seconds. (2-30 second steps and 29 seconds for the interval that the OTP arrived in)",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeStepSize" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"lastLoginTimeAttribute" : {
"title" : "Last Login Time Attribute",
"description" : "Attribute to store the time of the users last login. This is required if TOTP is chosen as the OATH algorithm.<br><br>This attribute stores the last time a user logged in to prevent time based attacks. The value is stored as a number (Unix Time).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"addChecksum" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hotpCounterAttribute" : {
"title" : "Counter Attribute Name",
"description" : "The name of the attribute in the user profile to store the user counter. This is required if HOTP is chosen as the OATH algorithm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"forgerock-oath-observed-clock-drift-attribute-name" : {
"title" : "Clock Drift Attribute Name",
"description" : "The name of the attribute in the user profile to store the clock drift. If left empty then clock drift checking is disabled.<br><br>The name of the attribute used to store the last observed clock drift which is used to indicated when a manual resynchronisation is required.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"passwordLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated OTP in digits. Must be 6 digits or longer.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"secretKeyAttribute" : {
"title" : "Secret Key Attribute Name",
"description" : "The name of the attribute in the user profile to store the user secret key.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"oathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
},
"forgerock-oath-maximum-clock-drift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. This should be greater than the TOTP Time Steps value.<br><br>As this checks the time drift over multiple requests it needs to be greater than the value specified in TOTP Time Steps.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"forgerock-oath-sharedsecret-implementation-class" : {
"title" : "The Shared Secret Provider Class",
"description" : "The fully qualified class name for the Shared Secret Provider extension.<br><br>The class that is used to process the user profile attribute used to store the user secret key.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"stepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 2 time steps and a time step interval of 30 seconds the server will allow a clock drift between client and server of 89 seconds. (2-30 second steps and 29 seconds for the interval that the OTP arrived in)",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeStepSize" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"lastLoginTimeAttribute" : {
"title" : "Last Login Time Attribute",
"description" : "Attribute to store the time of the users last login. This is required if TOTP is chosen as the OATH algorithm.<br><br>This attribute stores the last time a user logged in to prevent time based attacks. The value is stored as a number (Unix Time).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"addChecksum" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"hotpCounterAttribute" : {
"title" : "Counter Attribute Name",
"description" : "The name of the attribute in the user profile to store the user counter. This is required if HOTP is chosen as the OATH algorithm.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"forgerock-oath-observed-clock-drift-attribute-name" : {
"title" : "Clock Drift Attribute Name",
"description" : "The name of the attribute in the user profile to store the clock drift. If left empty then clock drift checking is disabled.<br><br>The name of the attribute used to store the last observed clock drift which is used to indicated when a manual resynchronisation is required.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"passwordLength" : {
"title" : "One Time Password Length ",
"description" : "The length of the generated OTP in digits. Must be 6 digits or longer.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"secretKeyAttribute" : {
"title" : "Secret Key Attribute Name",
"description" : "The name of the attribute in the user profile to store the user secret key.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"minimumSecretKeyLength" : {
"title" : "Minimum Secret Key Length",
"description" : "Number of hexadecimal characters allowed for the Secret Key.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"oathOtpMaxRetry" : {
"title" : "One Time Password Max Retry",
"description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
"required" : true,
"type" : "integer"
},
"forgerock-oath-maximum-clock-drift" : {
"title" : "Maximum Allowed Clock Drift",
"description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. This should be greater than the TOTP Time Steps value.<br><br>As this checks the time drift over multiple requests it needs to be greater than the value specified in TOTP Time Steps.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"forgerock-oath-sharedsecret-implementation-class" : {
"title" : "The Shared Secret Provider Class",
"description" : "The fully qualified class name for the Shared Secret Provider extension.<br><br>The class that is used to process the user profile attribute used to store the user secret key.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"truncationOffset" : {
"title" : "Truncation Offset",
"description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"oathAlgorithm" : {
"title" : "OATH Algorithm to Use",
"description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"stepsInWindow" : {
"title" : "TOTP Time Steps",
"description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 2 time steps and a time step interval of 30 seconds the server will allow a clock drift between client and server of 89 seconds. (2-30 second steps and 29 seconds for the interval that the OTP arrived in)",
"propertyOrder" : 1100,
"required" : true,
"type" : "integer"
},
"hotpWindowSize" : {
"title" : "HOTP Window Size",
"description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"timeStepSize" : {
"title" : "TOTP Time Step Interval",
"description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
"propertyOrder" : 1000,
"required" : true,
"type" : "integer"
},
"lastLoginTimeAttribute" : {
"title" : "Last Login Time Attribute",
"description" : "Attribute to store the time of the users last login. This is required if TOTP is chosen as the OATH algorithm.<br><br>This attribute stores the last time a user logged in to prevent time based attacks. The value is stored as a number (Unix Time).",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"addChecksum" : {
"title" : "Add Checksum Digit",
"description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/oauth2
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"smtpHostPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1800,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout options",
"description" : "Controls how Logout options will be presented to the user.<br><br>The OAuth module has the following logout options for the user:<br/><br/><ul><li>Prompt: Prompt the user to logout from the OAuth 2.0 Provider</li><li>Logout: Logout from the OAuth 2.0 Provider and do not prompt</li><li>Do not logout: Do not logout the user from the OAuth 2.0 Provider and do not prompt</li></ul>",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"oauth2LogoutServiceUrl" : {
"title" : "OAuth 2.0 Provider logout service",
"description" : "The URL of the OAuth Identity Providers Logout service<br><br>OAuth 2.0 Identity Providers can have a logout service. If this logout functionality is required then the URL of the Logout endpoint should configured here.",
"propertyOrder" : 2000,
"required" : true,
"type" : "string"
},
"openidConnectContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 3100,
"required" : true,
"type" : "string"
},
"openidConnectIssuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 3200,
"required" : true,
"type" : "string"
},
"accessTokenParameterName" : {
"title" : "OAuth2 Access Token Profile Service Parameter name",
"description" : "The name of the parameter that will contain the access token value when accessing the profile service",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mailGatewayClass" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/> Default: <code>email, read_stream</code> (Facebook example)",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"accessTokenEndpointUrl" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"format" : "password"
},
"userProfileServiceUrl" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2900,
"required" : true,
"type" : "integer"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"authenticationEndpointUrl" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"openidConnectContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"oauth2EmailAttribute" : {
"title" : "Email attribute in OAuth2 Response",
"description" : "Attribute from the OAuth2 response used to send activation code emails.<br><br>The attribute in the response from the profile service in the OAuth 2.0 Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"promptForPassword" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"smtpHostName" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 2600,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"smtpHostPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enabled anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected the users authenticated will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1800,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout options",
"description" : "Controls how Logout options will be presented to the user.<br><br>The OAuth module has the following logout options for the user:<br/><br/><ul><li>Prompt: Prompt the user to logout from the OAuth 2.0 Provider</li><li>Logout: Logout from the OAuth 2.0 Provider and do not prompt</li><li>Do not logout: Do not logout the user from the OAuth 2.0 Provider and do not prompt</li></ul>",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"oauth2LogoutServiceUrl" : {
"title" : "OAuth 2.0 Provider logout service",
"description" : "The URL of the OAuth Identity Providers Logout service<br><br>OAuth 2.0 Identity Providers can have a logout service. If this logout functionality is required then the URL of the Logout endpoint should configured here.",
"propertyOrder" : 2000,
"required" : true,
"type" : "string"
},
"openidConnectContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 3100,
"required" : true,
"type" : "string"
},
"openidConnectIssuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 3200,
"required" : true,
"type" : "string"
},
"accessTokenParameterName" : {
"title" : "OAuth2 Access Token Profile Service Parameter name",
"description" : "The name of the parameter that will contain the access token value when accessing the profile service",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mailGatewayClass" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/> Default: <code>email, read_stream</code> (Facebook example)",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"accessTokenEndpointUrl" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"format" : "password"
},
"userProfileServiceUrl" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2900,
"required" : true,
"type" : "integer"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"authenticationEndpointUrl" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"openidConnectContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"oauth2EmailAttribute" : {
"title" : "Email attribute in OAuth2 Response",
"description" : "Attribute from the OAuth2 response used to send activation code emails.<br><br>The attribute in the response from the profile service in the OAuth 2.0 Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"promptForPassword" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"smtpHostName" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 2600,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
/realm-config/authentication/modules/oauth2/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"smtpHostPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1800,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout options",
"description" : "Controls how Logout options will be presented to the user.<br><br>The OAuth module has the following logout options for the user:<br/><br/><ul><li>Prompt: Prompt the user to logout from the OAuth 2.0 Provider</li><li>Logout: Logout from the OAuth 2.0 Provider and do not prompt</li><li>Do not logout: Do not logout the user from the OAuth 2.0 Provider and do not prompt</li></ul>",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"oauth2LogoutServiceUrl" : {
"title" : "OAuth 2.0 Provider logout service",
"description" : "The URL of the OAuth Identity Provider's Logout service<br><br>OAuth 2.0 Identity Providers can have a logout service. If this logout functionality is required then the URL of the Logout endpoint should be configured here.",
"propertyOrder" : 2000,
"required" : true,
"type" : "string"
},
"openidConnectContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If a discovery or jwk url is entered, the entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret is selected, this entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 3100,
"required" : true,
"type" : "string"
},
"openidConnectIssuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in the issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 3200,
"required" : true,
"type" : "string"
},
"accessTokenParameterName" : {
"title" : "OAuth2 Access Token Profile Service Parameter name",
"description" : "The name of the parameter that will contain the access token value when accessing the profile service",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mailGatewayClass" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/> Default: <code>email, read_stream</code> (Facebook example)",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"accessTokenEndpointUrl" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"format" : "password"
},
"userProfileServiceUrl" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2900,
"required" : true,
"type" : "integer"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"authenticationEndpointUrl" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"openidConnectContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"oauth2EmailAttribute" : {
"title" : "Email attribute in OAuth2 Response",
"description" : "Attribute from the OAuth2 response used to send activation code emails.<br><br>The attribute in the response from the profile service in the OAuth 2.0 Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"promptForPassword" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"smtpHostName" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 2600,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"smtpHostPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1800,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout options",
"description" : "Controls how Logout options will be presented to the user.<br><br>The OAuth module has the following logout options for the user:<br/><br/><ul><li>Prompt: Prompt the user to logout from the OAuth 2.0 Provider</li><li>Logout: Logout from the OAuth 2.0 Provider and do not prompt</li><li>Do not logout: Do not logout the user from the OAuth 2.0 Provider and do not prompt</li></ul>",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"oauth2LogoutServiceUrl" : {
"title" : "OAuth 2.0 Provider logout service",
"description" : "The URL of the OAuth Identity Provider's Logout service<br><br>OAuth 2.0 Identity Providers can have a logout service. If this logout functionality is required then the URL of the Logout endpoint should be configured here.",
"propertyOrder" : 2000,
"required" : true,
"type" : "string"
},
"openidConnectContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If a discovery or jwk url is entered, the entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret is selected, this entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 3100,
"required" : true,
"type" : "string"
},
"openidConnectIssuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in the issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 3200,
"required" : true,
"type" : "string"
},
"accessTokenParameterName" : {
"title" : "OAuth2 Access Token Profile Service Parameter name",
"description" : "The name of the parameter that will contain the access token value when accessing the profile service",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mailGatewayClass" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code> interface.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/> Default: <code>email, read_stream</code> (Facebook example)",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"accessTokenEndpointUrl" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"format" : "password"
},
"userProfileServiceUrl" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2900,
"required" : true,
"type" : "integer"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"authenticationEndpointUrl" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"openidConnectContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"oauth2EmailAttribute" : {
"title" : "Email attribute in OAuth2 Response",
"description" : "Attribute from the OAuth2 response used to send activation code emails.<br><br>The attribute in the response from the profile service in the OAuth 2.0 Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"promptForPassword" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"smtpHostName" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 2600,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"smtpHostPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enables anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1800,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout options",
"description" : "Controls how Logout options will be presented to the user.<br><br>The OAuth module has the following logout options for the user:<br/><br/><ul><li>Prompt: Prompt the user to logout from the OAuth 2.0 Provider</li><li>Logout: Logout from the OAuth 2.0 Provider and do not prompt</li><li>Do not logout: Do not logout the user from the OAuth 2.0 Provider and do not prompt</li></ul>",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"oauth2LogoutServiceUrl" : {
"title" : "OAuth 2.0 Provider logout service",
"description" : "The URL of the OAuth Identity Provider's Logout service<br><br>OAuth 2.0 Identity Providers can have a logout service. If this logout functionality is required then the URL of the Logout endpoint should be configured here.",
"propertyOrder" : 2000,
"required" : true,
"type" : "string"
},
"openidConnectContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 3100,
"required" : true,
"type" : "string"
},
"openidConnectIssuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 3200,
"required" : true,
"type" : "string"
},
"accessTokenParameterName" : {
"title" : "OAuth2 Access Token Profile Service Parameter name",
"description" : "The name of the parameter that will contain the access token value when accessing the profile service",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mailGatewayClass" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/> Default: <code>email, read_stream</code> (Facebook example)",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"accessTokenEndpointUrl" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"format" : "password"
},
"userProfileServiceUrl" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2900,
"required" : true,
"type" : "integer"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"authenticationEndpointUrl" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"openidConnectContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"oauth2EmailAttribute" : {
"title" : "Email attribute in OAuth2 Response",
"description" : "Attribute from the OAuth2 response used to send activation code emails.<br><br>The attribute in the response from the profile service in the OAuth 2.0 Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"promptForPassword" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"smtpHostName" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 2600,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"attributeMapperConfiguration" : {
"title" : "Attribute Mapper Configuration",
"description" : "Mapping of OAuth attributes to local OpenAM attributes<br><br>Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM.<br/><br/>Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"smtpHostPort" : {
"title" : "SMTP port",
"description" : "The TCP port that will be used by the SMTP gateway",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"mapToAnonymousUser" : {
"title" : "Map to anonymous user",
"description" : "Enable anonymous user access to OpenAM for OAuth authenticated users<br><br>If selected, the authenticated users in the OAuth 2.0 Provider will be mapped to the anonymous user configured in the next parameter.<br/>If not selected, the authenticated users will be mapped by the parameters configured in the account mapper.<br/><br/><i>NB </i>If <i>Create account if it does not exist</i> is enabled, that parameter takes precedence.",
"propertyOrder" : 1800,
"required" : true,
"type" : "boolean"
},
"anonymousUserName" : {
"title" : "Anonymous User",
"description" : "Username of the OpenAM anonymous user<br><br>The username of the user that will represent the anonymous user. This user account must already exist in the realm.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
},
"attributeMappingClasses" : {
"title" : "Attribute Mapper",
"description" : "Name of the class that implements the attribute mapping<br><br>This class maps the OAuth properties into OpenAM properties. A custom attribute mapper can be provided.<br/><br/>A custom attribute mapper must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientId" : {
"title" : "Client Id",
"description" : "OAuth client_id parameter<br><br>For more information on the OAuth client_id parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"accountMapperClass" : {
"title" : "Account Mapper",
"description" : "Name of the class implementing the attribute mapping for the account search.<br><br>This class is used by the module to map from the account information received from the OAuth Identity Provider into OpenAM.<br/><br/>The class must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.<br/>Provided implementations are:<ul><li>org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper</li><li>org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)</li></ul>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"logoutBehaviour" : {
"title" : "Logout options",
"description" : "Controls how Logout options will be presented to the user.<br><br>The OAuth module has the following logout options for the user:<br/><br/><ul><li>Prompt: Prompt the user to logout from the OAuth 2.0 Provider</li><li>Logout: Logout from the OAuth 2.0 Provider and do not prompt</li><li>Do not logout: Do not logout the user from the OAuth 2.0 Provider and do not prompt</li></ul>",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
},
"saveAttributesInSession" : {
"title" : "Save attributes in the session",
"description" : "If this option is enabled, the attributes configured in the attribute mapper will be saved into the OpenAM session",
"propertyOrder" : 1400,
"required" : true,
"type" : "boolean"
},
"smtpUsername" : {
"title" : "SMTP User Name",
"description" : "If the SMTP Service requires authentication, configure the user name here",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"oauth2LogoutServiceUrl" : {
"title" : "OAuth 2.0 Provider logout service",
"description" : "The URL of the OAuth Identity Provider's Logout service<br><br>OAuth 2.0 Identity Providers can have a logout service. If this logout functionality is required then the URL of the Logout endpoint should be configured here.",
"propertyOrder" : 2000,
"required" : true,
"type" : "string"
},
"openidConnectContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "Required when the 'openid' scope is included. The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 3100,
"required" : true,
"type" : "string"
},
"openidConnectIssuer" : {
"title" : "Token Issuer",
"description" : "Required when the 'openid' scope is included. Value must match the iss field in issued ID Token<br/>e.g. accounts.google.com<br><br>The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.",
"propertyOrder" : 3200,
"required" : true,
"type" : "string"
},
"accessTokenParameterName" : {
"title" : "OAuth2 Access Token Profile Service Parameter name",
"description" : "The name of the parameter that will contain the access token value when accessing the profile service",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"ssoProxyUrl" : {
"title" : "Proxy URL",
"description" : "The URL to the OpenAM OAuth proxy JSP<br><br>This URL should only be changed from the default, if an external server is performing the GET to POST proxying. The default is <code>/openam/oauth2c/OAuthProxy.jsp</code>",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"mailGatewayClass" : {
"title" : "Mail Server Gateway implementation class",
"description" : "The class used by the module to send email.<br><br>This class is used by the module to send email. A custom implementation can be provided.<br/><br/>The custom implementation must implement the <code>org.forgerock.openam.authentication.modules.oauth2.EmailGateway</code>",
"propertyOrder" : 2200,
"required" : true,
"type" : "string"
},
"scope" : {
"title" : "Scope",
"description" : "OAuth scope; list of user profile properties<br><br>According to the OAuth 2.0 Authorization Framework, scope is a space-separated list of user profile attributes that the client application requires. The list depends on the permissions that the resource owner grants to the client application.<br/><br/> Some authorization servers use non-standard separators for scopes. For example, Facebook takes a comma-separated list.<br/><br/> Default: <code>email, read_stream</code> (Facebook example)",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"accessTokenEndpointUrl" : {
"title" : "Access Token Endpoint URL",
"description" : "OAuth access token endpoint URL<br><br>This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-3.2\" target=\"_blank\">RFC 6749</a>, section 3.2",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"format" : "password"
},
"userProfileServiceUrl" : {
"title" : "User Profile Service URL",
"description" : "User profile information URL<br><br>This URL endpoint provides user profile information and is provided by the OAuth Identity Provider<br/><br/><i>NB </i>This URL should return JSON objects in response",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"createAccount" : {
"title" : "Create account if it does not exist",
"description" : "If the OAuth2 account does not exist in the local OpenAM data store, an account will be created dynamically.<br><br>If this is enabled, the account mapper could create the account dynamically if there is no account mapped. Before creating the account, a dialog prompting for a password and asking for an activation code can be shown if the parameter \"Prompt for password setting and activation code\" is enabled.<br /><br />If this flag is not enabled, 3 alternative options exist:<br/><br/><ol><li>The accounts need to have a user profile in the OpenAM User Data Store</li><li>The user does not have a user profile and the \"Ignore Profile\" is set in the Authentication Service of the realm.</li><li>The account is mapped to an anonymous account (see parameter \"Map to anonymous user\" and \"Anonymous User\")</li></ol>",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"smtpSslEnabled" : {
"title" : "SMTP SSL Enabled",
"description" : "Tick this option if the SMTP Server provides SSL",
"propertyOrder" : 2700,
"required" : true,
"type" : "boolean"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 2900,
"required" : true,
"type" : "integer"
},
"smtpFromAddress" : {
"title" : "SMTP From address",
"description" : "The email address on behalf of whom the messages will be sent",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"authenticationEndpointUrl" : {
"title" : "Authentication Endpoint URL",
"description" : "OAuth authentication endpoint URL<br><br>This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"openidConnectContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Required when the 'openid' scope is included. Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account Provider",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.<br/>String constructor parameters can be provided by appending <code>|</code> separated values.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"oauth2EmailAttribute" : {
"title" : "Email attribute in OAuth2 Response",
"description" : "Attribute from the OAuth2 response used to send activation code emails.<br><br>The attribute in the response from the profile service in the OAuth 2.0 Provider that contains the email address of the authenticated user. This address will be used to send an email with an activation code when the accounts are allowed to be created dynamically.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"accountMapperConfiguration" : {
"title" : "Account Mapper Configuration",
"description" : "Mapping of OAuth account to local OpenAM account<br><br>Attribute configuration that will be used to map the account of the user authenticated in the OAuth 2.0 Provider to the local data store in the OpenAM. Example: <code>OAuth2.0_attribute=local_attribute</code>",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"promptForPassword" : {
"title" : "Prompt for password setting and activation code",
"description" : "Users must set a password and complete the activation flow during dynamic profile creation.<br><br>If this is enabled, the user must set a password before the system creates an account dynamically and an activation code will be sent to the user's email address. The account will be created only if the password and activation code are properly set. <br />If this is disabled, the account will be created transparently without prompting the user.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"mixUpMitigation" : {
"title" : "OAuth 2.0 Mix-Up Mitigation enabled",
"description" : "Enables OAuth 2.0 mix-up mitigation<br><br>The authorization server must support the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01#section-3.1\">OAuth 2.0 Mix-Up Mitigation draft</a>, otherwise OpenAM will fail to validate responses from the authorization server. If only the OAuth 2.0 protocol is utilized, make sure that the accepted issuer value is set in the \"Token Issuer\" setting.",
"propertyOrder" : 3300,
"required" : true,
"type" : "boolean"
},
"smtpHostName" : {
"title" : "SMTP host",
"description" : "The mail host that will be used by the Email Gateway implementation",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"smtpPassword" : {
"title" : "SMTP User Password",
"description" : "The Password of the SMTP User Name",
"propertyOrder" : 2600,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
/realm-config/authentication/modules/openidconnect
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"useSubClaimIfNoMatch" : {
"title" : "Use \"sub\" claim if no match",
"description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account provider class",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 301,
"required" : true,
"type" : "string",
"format" : "password"
},
"audienceName" : {
"title" : "Audience name",
"description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"jwtToLdapAttributeMappings" : {
"title" : "Mapping of jwt attributes to local LDAP attributes",
"description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"acceptedAuthorizedParties" : {
"title" : "List of accepted authorized parties",
"description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"idTokenHeaderName" : {
"title" : "Name of header referencing the ID Token",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"principalMapperClass" : {
"title" : "Principal mapper class",
"description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"idTokenIssuer" : {
"title" : "Name of OpenID Connect ID Token Issuer",
"description" : "Value must match the iss field in issued ID Token",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"useSubClaimIfNoMatch" : {
"title" : "Use \"sub\" claim if no match",
"description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account provider class",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 301,
"required" : true,
"type" : "string",
"format" : "password"
},
"audienceName" : {
"title" : "Audience name",
"description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"jwtToLdapAttributeMappings" : {
"title" : "Mapping of jwt attributes to local LDAP attributes",
"description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"acceptedAuthorizedParties" : {
"title" : "List of accepted authorized parties",
"description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"idTokenHeaderName" : {
"title" : "Name of header referencing the ID Token",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"principalMapperClass" : {
"title" : "Principal mapper class",
"description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"idTokenIssuer" : {
"title" : "Name of OpenID Connect ID Token Issuer",
"description" : "Value must match the iss field in issued ID Token",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/openidconnect/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"useSubClaimIfNoMatch" : {
"title" : "Use \"sub\" claim if no match",
"description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account provider class",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 301,
"required" : true,
"type" : "string",
"format" : "password"
},
"audienceName" : {
"title" : "Audience name",
"description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"jwtToLdapAttributeMappings" : {
"title" : "Mapping of jwt attributes to local LDAP attributes",
"description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"acceptedAuthorizedParties" : {
"title" : "List of accepted authorized parties",
"description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"idTokenHeaderName" : {
"title" : "Name of header referencing the ID Token",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"principalMapperClass" : {
"title" : "Principal mapper class",
"description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"idTokenIssuer" : {
"title" : "Name of OpenID Connect ID Token Issuer",
"description" : "Value must match the iss field in issued ID Token",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"useSubClaimIfNoMatch" : {
"title" : "Use \"sub\" claim if no match",
"description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account provider class",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 301,
"required" : true,
"type" : "string",
"format" : "password"
},
"audienceName" : {
"title" : "Audience name",
"description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"jwtToLdapAttributeMappings" : {
"title" : "Mapping of jwt attributes to local LDAP attributes",
"description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"acceptedAuthorizedParties" : {
"title" : "List of accepted authorized parties",
"description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"idTokenHeaderName" : {
"title" : "Name of header referencing the ID Token",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"principalMapperClass" : {
"title" : "Principal mapper class",
"description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"idTokenIssuer" : {
"title" : "Name of OpenID Connect ID Token Issuer",
"description" : "Value must match the iss field in issued ID Token",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"useSubClaimIfNoMatch" : {
"title" : "Use \"sub\" claim if no match",
"description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account provider class",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 301,
"required" : true,
"type" : "string",
"format" : "password"
},
"audienceName" : {
"title" : "Audience name",
"description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"jwtToLdapAttributeMappings" : {
"title" : "Mapping of jwt attributes to local LDAP attributes",
"description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"acceptedAuthorizedParties" : {
"title" : "List of accepted authorized parties",
"description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"idTokenHeaderName" : {
"title" : "Name of header referencing the ID Token",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"principalMapperClass" : {
"title" : "Principal mapper class",
"description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"idTokenIssuer" : {
"title" : "Name of OpenID Connect ID Token Issuer",
"description" : "Value must match the iss field in issued ID Token",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"useSubClaimIfNoMatch" : {
"title" : "Use \"sub\" claim if no match",
"description" : "If no account is found that matches, whether to use the \"sub\" claim as the principal name or (if false) to fail.",
"propertyOrder" : 1000,
"required" : true,
"type" : "boolean"
},
"cryptoContextType" : {
"title" : "OpenID Connect validation configuration type",
"description" : "Please select either 1. the issuer discovery url, 2. the issuer jwk url, or 3. the client_secret.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"accountProviderClass" : {
"title" : "Account provider class",
"description" : "Name of the class implementing the account provider.<br><br>This class is used by the module to find the account from the attributes mapped by the Account Mapper <code>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</code> interface.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"clientSecret" : {
"title" : "Client Secret",
"description" : "OAuth client_secret parameter<br><br>For more information on the OAuth client_secret parameter refer to the <a href=\"http://tools.ietf.org/html/rfc6749#section-2.3.1\" target=\"_blank\">RFC 6749</a>, section 2.3.1",
"propertyOrder" : 301,
"required" : true,
"type" : "string",
"format" : "password"
},
"audienceName" : {
"title" : "Audience name",
"description" : "A case sensitive string<br><br>The audience name for this OpenID Connect module. This will be used to check that the ID token received is intended for this module as an audience.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"jwtToLdapAttributeMappings" : {
"title" : "Mapping of jwt attributes to local LDAP attributes",
"description" : "Format: jwt_attribute=local_ldap_attribute<br><br>Mappings allow jwt entries to drive principal lookup. This entry determines how to translate between local LDAP attributes and the entries in the jwt. See <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims\" target=\"_blank\">OpenID Connect Core 1.0 Specification</a> section 5.4 on how to request the inclusion of additional attributes in issued ID Tokens.",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"cryptoContextValue" : {
"title" : "OpenID Connect validation configuration value",
"description" : "The discovery url, or jwk url, or the client_secret, corresponding to the selection above.<br><br>If discovery or jwk url entered, entry must be in valid url format, <br/>e.g. https://accounts.google.com/.well-known/openid-configuration<br/><i>NB </i>If client_secret entered, entry is ignored and the value of the Client Secret is used.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"acceptedAuthorizedParties" : {
"title" : "List of accepted authorized parties",
"description" : "A list of case sensitive strings which can be either string or URI values<br><br>A list of authorized parties which this module will accept ID tokens from. This will be checked against the authorized party claim of the ID token.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"idTokenHeaderName" : {
"title" : "Name of header referencing the ID Token",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"principalMapperClass" : {
"title" : "Principal mapper class",
"description" : "Class which implements mapping of jwt state to a Principal in the local identity repository<br><br>Any custom implementation must implement the <code>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</code> interface.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"idTokenIssuer" : {
"title" : "Name of OpenID Connect ID Token Issuer",
"description" : "Value must match the iss field in issued ID Token",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/persistentcookie
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"useHttpOnlyCookie" : {
"title" : "Use HTTP only cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\"",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"maxLife" : {
"title" : "Max Life",
"description" : "The maximum length of time the persistent cookie is valid for, in hours.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"cookieName" : {
"title" : "Persistent Cookie Name",
"description" : "Sets the name of the persistent cookie",
"required" : true,
"type" : "string"
},
"hmacKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"useSecureCookie" : {
"title" : "Use secure cookie",
"description" : "Sets the persistent cookie as \"Secure\"",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"enforceClientIP" : {
"title" : "Enforce Client IP",
"description" : "Enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"useHttpOnlyCookie" : {
"title" : "Use HTTP only cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\"",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"maxLife" : {
"title" : "Max Life",
"description" : "The maximum length of time the persistent cookie is valid for, in hours.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"cookieName" : {
"title" : "Persistent Cookie Name",
"description" : "Sets the name of the persistent cookie",
"required" : true,
"type" : "string"
},
"hmacKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"useSecureCookie" : {
"title" : "Use secure cookie",
"description" : "Sets the persistent cookie as \"Secure\"",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"enforceClientIP" : {
"title" : "Enforce Client IP",
"description" : "Enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
}
/realm-config/authentication/modules/persistentcookie/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"useHttpOnlyCookie" : {
"title" : "Use HTTP only cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\"",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"maxLife" : {
"title" : "Max Life",
"description" : "The maximum length of time the persistent cookie is valid for, in hours.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"cookieName" : {
"title" : "Persistent Cookie Name",
"description" : "Sets the name of the persistent cookie",
"required" : true,
"type" : "string"
},
"hmacKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"useSecureCookie" : {
"title" : "Use secure cookie",
"description" : "Sets the persistent cookie as \"Secure\"",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"enforceClientIP" : {
"title" : "Enforce Client IP",
"description" : "Enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"useHttpOnlyCookie" : {
"title" : "Use HTTP only cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\"",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"maxLife" : {
"title" : "Max Life",
"description" : "The maximum length of time the persistent cookie is valid for, in hours.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"cookieName" : {
"title" : "Persistent Cookie Name",
"description" : "Sets the name of the persistent cookie",
"required" : true,
"type" : "string"
},
"hmacKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"useSecureCookie" : {
"title" : "Use secure cookie",
"description" : "Sets the persistent cookie as \"Secure\"",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"enforceClientIP" : {
"title" : "Enforce Client IP",
"description" : "Enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"useHttpOnlyCookie" : {
"title" : "Use HTTP only cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\"",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"maxLife" : {
"title" : "Max Life",
"description" : "The maximum length of time the persistent cookie is valid for, in hours.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"cookieName" : {
"title" : "Persistent Cookie Name",
"description" : "Sets the name of the persistent cookie",
"required" : true,
"type" : "string"
},
"hmacKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"useSecureCookie" : {
"title" : "Use secure cookie",
"description" : "Sets the persistent cookie as \"Secure\"",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"enforceClientIP" : {
"title" : "Enforce Client IP",
"description" : "Enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"useHttpOnlyCookie" : {
"title" : "Use HTTP only cookie",
"description" : "Sets the persistent cookie as \"HttpOnly\"",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"idleTimeout" : {
"title" : "Idle Timeout",
"description" : "The maximum idle time between requests before the cookie is invalidated, in hours.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"maxLife" : {
"title" : "Max Life",
"description" : "The maximum length of time the persistent cookie is valid for, in hours.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"cookieName" : {
"title" : "Persistent Cookie Name",
"description" : "Sets the name of the persistent cookie",
"required" : true,
"type" : "string"
},
"hmacKey" : {
"title" : "HMAC Signing Key",
"description" : "Base64-encoded 256-bit key to use for HMAC signing of the cookie.",
"propertyOrder" : 600,
"required" : true,
"type" : "string",
"format" : "password"
},
"useSecureCookie" : {
"title" : "Use secure cookie",
"description" : "Sets the persistent cookie as \"Secure\"",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"enforceClientIP" : {
"title" : "Enforce Client IP",
"description" : "Enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
}
/realm-config/authentication/modules/radius
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"serverPortNumber" : {
"title" : "Port Number",
"description" : "Port number on which the RADIUS server is listening.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"healthCheckInterval" : {
"title" : "Health check interval",
"description" : "The interval between checks to unavailable RADIUS servers, in minutes. <br><br>Determines how often OpenAM checks an offline server's status. The check will send an invalid authentication request to the RADIUS server. Offline servers will not be used until the healthcheck was successful. Primary servers that become available will be used in preference to secondary servers.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"primaryRadiusServers" : {
"title" : "Primary Radius Servers",
"description" : "A list of primary Radius servers that will be used for authentication<br><br>The module will use these servers in preference to the secondary servers. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"secondaryRadiusServers" : {
"title" : "Secondary Radius Servers",
"description" : "A list of secondary Radius servers that will be used for authentication, in case the primary servers are unavailable.<br><br>The module will use secondary servers for authentication if all primary servers are unavailable. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serverTimeout" : {
"title" : "Timeout",
"description" : "Amount of time in seconds to wait for the RADIUS server response.<br><br>This sets the <code>SO_TIMEOUT</code> timeout on the packet. ",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"sharedSecret" : {
"title" : "Shared Secret",
"description" : "The secret shared between the RADIUS server and the authentication module.",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"serverPortNumber" : {
"title" : "Port Number",
"description" : "Port number on which the RADIUS server is listening.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"healthCheckInterval" : {
"title" : "Health check interval",
"description" : "The interval between checks to unavailable RADIUS servers, in minutes. <br><br>Determines how often OpenAM checks an offline server's status. The check will send an invalid authentication request to the RADIUS server. Offline servers will not be used until the healthcheck was successful. Primary servers that become available will be used in preference to secondary servers.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"primaryRadiusServers" : {
"title" : "Primary Radius Servers",
"description" : "A list of primary Radius servers that will be used for authentication<br><br>The module will use these servers in preference to the secondary servers. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"secondaryRadiusServers" : {
"title" : "Secondary Radius Servers",
"description" : "A list of secondary Radius servers that will be used for authentication, in case the primary servers are unavailable.<br><br>The module will use secondary servers for authentication if all primary servers are unavailable. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serverTimeout" : {
"title" : "Timeout",
"description" : "Amount of time in seconds to wait for the RADIUS server response.<br><br>This sets the <code>SO_TIMEOUT</code> timeout on the packet. ",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"sharedSecret" : {
"title" : "Shared Secret",
"description" : "The secret shared between the RADIUS server and the authentication module.",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
/realm-config/authentication/modules/radius/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"serverPortNumber" : {
"title" : "Port Number",
"description" : "Port number on which the RADIUS server is listening.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"healthCheckInterval" : {
"title" : "Health check interval",
"description" : "The interval between checks to unavailable RADIUS servers, in minutes. <br><br>Determines how often OpenAM checks an offline server's status. The check will send an invalid authentication request to the RADIUS server. Offline servers will not be used until the healthcheck was successful. Primary servers that become available will be used in preference to secondary servers.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"primaryRadiusServers" : {
"title" : "Primary Radius Servers",
"description" : "A list of primary Radius servers that will be used for authentication<br><br>The module will use these servers in preference to the secondary servers. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"secondaryRadiusServers" : {
"title" : "Secondary Radius Servers",
"description" : "A list of secondary Radius servers that will be used for authentication, in case the primary servers are unavailable.<br><br>The module will use secondary servers for authentication if all primary servers are unavailable. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serverTimeout" : {
"title" : "Timeout",
"description" : "Amount of time in seconds to wait for the RADIUS server response.<br><br>This sets the <code>SO_TIMEOUT</code> timeout on the packet. ",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"sharedSecret" : {
"title" : "Shared Secret",
"description" : "The secret shared between the RADIUS server and the authentication module.",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"serverPortNumber" : {
"title" : "Port Number",
"description" : "Port number on which the RADIUS server is listening.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"healthCheckInterval" : {
"title" : "Health check interval",
"description" : "The interval between checks to unavailable RADIUS servers, in minutes. <br><br>Determines how often OpenAM checks an offline server's status. The check will send an invalid authentication request to the RADIUS server. Offline servers will not be used until the healthcheck was successful. Primary servers that become available will be used in preference to secondary servers.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"primaryRadiusServers" : {
"title" : "Primary Radius Servers",
"description" : "A list of primary Radius servers that will be used for authentication<br><br>The module will use these servers in preference to the secondary servers. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"secondaryRadiusServers" : {
"title" : "Secondary Radius Servers",
"description" : "A list of secondary Radius servers that will be used for authentication, in case the primary servers are unavailable.<br><br>The module will use secondary servers for authentication if all primary servers are unavailable. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serverTimeout" : {
"title" : "Timeout",
"description" : "Amount of time in seconds to wait for the RADIUS server response.<br><br>This sets the <code>SO_TIMEOUT</code> timeout on the packet. ",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"sharedSecret" : {
"title" : "Shared Secret",
"description" : "The secret shared between the RADIUS server and the authentication module.",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"serverPortNumber" : {
"title" : "Port Number",
"description" : "Port number on which the RADIUS server is listening.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"healthCheckInterval" : {
"title" : "Health check interval",
"description" : "The interval between checks to unavailable RADIUS servers, in minutes. <br><br>Determines how often OpenAM checks an offline server's status. The check will send an invalid authentication request to the RADIUS server. Offline servers will not be used until the healthcheck was successful. Primary servers that become available will be used in preference to secondary servers.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"primaryRadiusServers" : {
"title" : "Primary Radius Servers",
"description" : "A list of primary Radius servers that will be used for authentication<br><br>The module will use these servers in preference to the secondary servers. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"secondaryRadiusServers" : {
"title" : "Secondary Radius Servers",
"description" : "A list of secondary Radius servers that will be used for authentication, in case the primary servers are unavailable.<br><br>The module will use secondary servers for authentication if all primary servers are unavailable. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serverTimeout" : {
"title" : "Timeout",
"description" : "Amount of time in seconds to wait for the RADIUS server response.<br><br>This sets the <code>SO_TIMEOUT</code> timeout on the packet. ",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"sharedSecret" : {
"title" : "Shared Secret",
"description" : "The secret shared between the RADIUS server and the authentication module.",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"serverPortNumber" : {
"title" : "Port Number",
"description" : "Port number on which the RADIUS server is listening.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"healthCheckInterval" : {
"title" : "Health check interval",
"description" : "The interval between checks to unavailable RADIUS servers, in minutes. <br><br>Determines how often OpenAM checks an offline server's status. The check will send an invalid authentication request to the RADIUS server. Offline servers will not be used until the healthcheck was successful. Primary servers that become available will be used in preference to secondary servers.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"primaryRadiusServers" : {
"title" : "Primary Radius Servers",
"description" : "A list of primary Radius servers that will be used for authentication<br><br>The module will use these servers in preference to the secondary servers. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"secondaryRadiusServers" : {
"title" : "Secondary Radius Servers",
"description" : "A list of secondary Radius servers that will be used for authentication, in case the primary servers are unavailable.<br><br>The module will use secondary servers for authentication if all primary servers are unavailable. A single entry must be in the format:<br/><br/><code>radius_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a Radius server. The format is:<br/><br/><code>local server name | radius_server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"serverTimeout" : {
"title" : "Timeout",
"description" : "Amount of time in seconds to wait for the RADIUS server response.<br><br>This sets the <code>SO_TIMEOUT</code> timeout on the packet. ",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"sharedSecret" : {
"title" : "Shared Secret",
"description" : "The secret shared between the RADIUS server and the authentication module.",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"format" : "password"
}
}
}
/realm-config/authentication/modules/sae
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/sae/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
}
}
/realm-config/authentication/modules/scripted
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/scripted/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"clientScriptEnabled" : {
"title" : "Client-side Script Enabled",
"description" : "Enable this setting if the client-side script should be executed.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"serverScript" : {
"title" : "Server-side Script",
"description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"clientScript" : {
"title" : "Client-side Script",
"description" : "The client-side script.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/securid
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"required" : true,
"type" : "integer"
},
"serverConfigPath" : {
"title" : "ACE/Server Configuration Path",
"description" : "The path to the ACE/Server configuration files",
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"required" : true,
"type" : "integer"
},
"serverConfigPath" : {
"title" : "ACE/Server Configuration Path",
"description" : "The path to the ACE/Server configuration files",
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/securid/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"required" : true,
"type" : "integer"
},
"serverConfigPath" : {
"title" : "ACE/Server Configuration Path",
"description" : "The path to the ACE/Server configuration files",
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"required" : true,
"type" : "integer"
},
"serverConfigPath" : {
"title" : "ACE/Server Configuration Path",
"description" : "The path to the ACE/Server configuration files",
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"required" : true,
"type" : "integer"
},
"serverConfigPath" : {
"title" : "ACE/Server Configuration Path",
"description" : "The path to the ACE/Server configuration files",
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"required" : true,
"type" : "integer"
},
"serverConfigPath" : {
"title" : "ACE/Server Configuration Path",
"description" : "The path to the ACE/Server configuration files",
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/windowsdesktopsso
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"kerberosServerName" : {
"title" : "Kerberos Server Name",
"description" : "The hostname/IP address of the Kerberos (Active Directory) server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"keytabFileName" : {
"title" : "Keytab File Name",
"description" : "The path of the AD keytab file<br><br>This is the absolute pathname of the AD keytab file. The keytab file is generated by the Active Directory server.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"returnPrincipalWithDomainName" : {
"title" : "Return Principal with Domain Name",
"description" : "Returns the fully qualified name of the authenticated user rather than just the username.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"trustedKerberosRealms" : {
"title" : "Trusted Kerberos realms",
"description" : "List of trusted Kerberos realms for User Kerberos tickets.<br><br>If realms are configured, then Kerberos tickets are only accepted if the realm part of the UserPrincipalName of the Users Kerberos ticket matches a realm from the list.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"lookupUserInRealm" : {
"title" : "Search for the user in the realm",
"description" : "Validate that the user has a matched user profile configured in the data store.<br><br>If this option is enabled, the module validates whether the account corresponds to a user profile in the Data Store for the realm. The attributes to perform the search are configured under <i>Access Control > Realm Name > Authentication > All Core settings > Alias Search Attribute Name</i>.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"kerberosRealm" : {
"title" : "Kerberos Realm",
"description" : "The name of the Kerberos (Active Directory) realm used for authentication",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"principalName" : {
"title" : "Service Principal",
"description" : "The name of the Kerberos principal used during authentication<br><br>This principal must match the name used in the keytab file created from the Active Directory server.<br/>The format of the field is as follows:<br/><br/><code>HTTP/openam.forgerock.com@AD_DOMAIN.COM</code>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"kerberosServerName" : {
"title" : "Kerberos Server Name",
"description" : "The hostname/IP address of the Kerberos (Active Directory) server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"keytabFileName" : {
"title" : "Keytab File Name",
"description" : "The path of the AD keytab file<br><br>This is the absolute pathname of the AD keytab file. The keytab file is generated by the Active Directory server.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"returnPrincipalWithDomainName" : {
"title" : "Return Principal with Domain Name",
"description" : "Returns the fully qualified name of the authenticated user rather than just the username.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"trustedKerberosRealms" : {
"title" : "Trusted Kerberos realms",
"description" : "List of trusted Kerberos realms for User Kerberos tickets.<br><br>If realms are configured, then Kerberos tickets are only accepted if the realm part of the UserPrincipalName of the Users Kerberos ticket matches a realm from the list.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"lookupUserInRealm" : {
"title" : "Search for the user in the realm",
"description" : "Validate that the user has a matched user profile configured in the data store.<br><br>If this option is enabled, the module validates whether the account corresponds to a user profile in the Data Store for the realm. The attributes to perform the search are configured under <i>Access Control > Realm Name > Authentication > All Core settings > Alias Search Attribute Name</i>.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"kerberosRealm" : {
"title" : "Kerberos Realm",
"description" : "The name of the Kerberos (Active Directory) realm used for authentication",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"principalName" : {
"title" : "Service Principal",
"description" : "The name of the Kerberos principal used during authentication<br><br>This principal must match the name used in the keytab file created from the Active Directory server.<br/>The format of the field is as follows:<br/><br/><code>HTTP/openam.forgerock.com@AD_DOMAIN.COM</code>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/windowsdesktopsso/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"kerberosServerName" : {
"title" : "Kerberos Server Name",
"description" : "The hostname/IP address of the Kerberos (Active Directory) server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"keytabFileName" : {
"title" : "Keytab File Name",
"description" : "The path of the AD keytab file<br><br>This is the absolute pathname of the AD keytab file. The keytab file is generated by the Active Directory server.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"returnPrincipalWithDomainName" : {
"title" : "Return Principal with Domain Name",
"description" : "Returns the fully qualified name of the authenticated user rather than just the username.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"trustedKerberosRealms" : {
"title" : "Trusted Kerberos realms",
"description" : "List of trusted Kerberos realms for User Kerberos tickets.<br><br>If realms are configured, then Kerberos tickets are only accepted if the realm part of the UserPrincipalName of the Users Kerberos ticket matches a realm from the list.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"lookupUserInRealm" : {
"title" : "Search for the user in the realm",
"description" : "Validate that the user has a matched user profile configured in the data store.<br><br>If this option is enabled, the module validates whether the account corresponds to a user profile in the Data Store for the realm. The attributes to perform the search are configured under <i>Access Control > Realm Name > Authentication > All Core settings > Alias Search Attribute Name</i>.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"kerberosRealm" : {
"title" : "Kerberos Realm",
"description" : "The name of the Kerberos (Active Directory) realm used for authentication",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"principalName" : {
"title" : "Service Principal",
"description" : "The name of the Kerberos principal used during authentication<br><br>This principal must match the name used in the keytab file created from the Active Directory server.<br/>The format of the field is as follows:<br/><br/><code>HTTP/openam.forgerock.com@AD_DOMAIN.COM</code>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"kerberosServerName" : {
"title" : "Kerberos Server Name",
"description" : "The hostname/IP address of the Kerberos (Active Directory) server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"keytabFileName" : {
"title" : "Keytab File Name",
"description" : "The path of the AD keytab file<br><br>This is the absolute pathname of the AD keytab file. The keytab file is generated by the Active Directory server.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"returnPrincipalWithDomainName" : {
"title" : "Return Principal with Domain Name",
"description" : "Returns the fully qualified name of the authenticated user rather than just the username.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"trustedKerberosRealms" : {
"title" : "Trusted Kerberos realms",
"description" : "List of trusted Kerberos realms for User Kerberos tickets.<br><br>If realms are configured, then Kerberos tickets are only accepted if the realm part of the UserPrincipalName of the Users Kerberos ticket matches a realm from the list.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"lookupUserInRealm" : {
"title" : "Search for the user in the realm",
"description" : "Validate that the user has a matched user profile configured in the data store.<br><br>If this option is enabled, the module validates whether the account corresponds to a user profile in the Data Store for the realm. The attributes to perform the search are configured under <i>Access Control > Realm Name > Authentication > All Core settings > Alias Search Attribute Name</i>.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"kerberosRealm" : {
"title" : "Kerberos Realm",
"description" : "The name of the Kerberos (Active Directory) realm used for authentication",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"principalName" : {
"title" : "Service Principal",
"description" : "The name of the Kerberos principal used during authentication<br><br>This principal must match the name used in the keytab file created from the Active Directory server.<br/>The format of the field is as follows:<br/><br/><code>HTTP/openam.forgerock.com@AD_DOMAIN.COM</code>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"kerberosServerName" : {
"title" : "Kerberos Server Name",
"description" : "The hostname/IP address of the Kerberos (Active Directory) server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"keytabFileName" : {
"title" : "Keytab File Name",
"description" : "The path of the AD keytab file<br><br>This is the absolute pathname of the AD keytab file. The keytab file is generated by the Active Directory server.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"returnPrincipalWithDomainName" : {
"title" : "Return Principal with Domain Name",
"description" : "Returns the fully qualified name of the authenticated user rather than just the username.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"trustedKerberosRealms" : {
"title" : "Trusted Kerberos realms",
"description" : "List of trusted Kerberos realms for User Kerberos tickets.<br><br>If realms are configured, then Kerberos tickets are only accepted if the realm part of the UserPrincipalName of the Users Kerberos ticket matches a realm from the list.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"lookupUserInRealm" : {
"title" : "Search for the user in the realm",
"description" : "Validate that the user has a matched user profile configured in the data store.<br><br>If this option is enabled, the module validates whether the account corresponds to a user profile in the Data Store for the realm. The attributes to perform the search are configured under <i>Access Control > Realm Name > Authentication > All Core settings > Alias Search Attribute Name</i>.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"kerberosRealm" : {
"title" : "Kerberos Realm",
"description" : "The name of the Kerberos (Active Directory) realm used for authentication",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"principalName" : {
"title" : "Service Principal",
"description" : "The name of the Kerberos principal used during authentication<br><br>This principal must match the name used in the keytab file created from the Active Directory server.<br/>The format of the field is as follows:<br/><br/><code>HTTP/openam.forgerock.com@AD_DOMAIN.COM</code>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"kerberosServerName" : {
"title" : "Kerberos Server Name",
"description" : "The hostname/IP address of the Kerberos (Active Directory) server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"keytabFileName" : {
"title" : "Keytab File Name",
"description" : "The path of the AD keytab file<br><br>This is the absolute pathname of the AD keytab file. The keytab file is generated by the Active Directory server.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"returnPrincipalWithDomainName" : {
"title" : "Return Principal with Domain Name",
"description" : "Returns the fully qualified name of the authenticated user rather than just the username.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"trustedKerberosRealms" : {
"title" : "Trusted Kerberos realms",
"description" : "List of trusted Kerberos realms for User Kerberos tickets.<br><br>If realms are configured, then Kerberos tickets are only accepted if the realm part of the UserPrincipalName of the Users Kerberos ticket matches a realm from the list.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"lookupUserInRealm" : {
"title" : "Search for the user in the realm",
"description" : "Validate that the user has a matched user profile configured in the data store.<br><br>If this option is enabled, the module validates whether the account corresponds to a user profile in the Data Store for the realm. The attributes to perform the search are configured under <i>Access Control > Realm Name > Authentication > All Core settings > Alias Search Attribute Name</i>.",
"propertyOrder" : 800,
"required" : true,
"type" : "boolean"
},
"kerberosRealm" : {
"title" : "Kerberos Realm",
"description" : "The name of the Kerberos (Active Directory) realm used for authentication",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"principalName" : {
"title" : "Service Principal",
"description" : "The name of the Kerberos principal used during authentication<br><br>This principal must match the name used in the keytab file created from the Active Directory server.<br/>The format of the field is as follows:<br/><br/><code>HTTP/openam.forgerock.com@AD_DOMAIN.COM</code>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/windowsnt
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationDomain" : {
"title" : "Authentication Domain",
"description" : "The name of the Windows Domain used for authentication",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"authenticationHost" : {
"title" : "Authentication Host",
"description" : "The name of the Windows NT Domain Controller.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"sambaConfigurationFileName" : {
"title" : "Samba Configuration File Name",
"description" : "The path to the Samba configuration file.<br><br>The Windows NT authentication module uses the <code>smbclient</code> command to validate the user credentials against the Windows domain controller. <br/><br/>For example: <code>/opt/openam/smb.conf</code><br/><br/><i>NB </i>The <code>smbclient</code> command must be available in the <code>PATH</code> environmental variable associated with OpenAM.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationDomain" : {
"title" : "Authentication Domain",
"description" : "The name of the Windows Domain used for authentication",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"authenticationHost" : {
"title" : "Authentication Host",
"description" : "The name of the Windows NT Domain Controller.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"sambaConfigurationFileName" : {
"title" : "Samba Configuration File Name",
"description" : "The path to the Samba configuration file.<br><br>The Windows NT authentication module uses the <code>smbclient</code> command to validate the user credentials against the Windows domain controller. <br/><br/>For example: <code>/opt/openam/smb.conf</code><br/><br/><i>NB </i>The <code>smbclient</code> command must be available in the <code>PATH</code> environmental variable associated with OpenAM.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
/realm-config/authentication/modules/windowsnt/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationDomain" : {
"title" : "Authentication Domain",
"description" : "The name of the Windows Domain used for authentication",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"authenticationHost" : {
"title" : "Authentication Host",
"description" : "The name of the Windows NT Domain Controller.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"sambaConfigurationFileName" : {
"title" : "Samba Configuration File Name",
"description" : "The path to the Samba configuration file.<br><br>The Windows NT authentication module uses the <code>smbclient</code> command to validate the user credentials against the Windows domain controller. <br/><br/>For example: <code>/opt/openam/smb.conf</code><br/><br/><i>NB </i>The <code>smbclient</code> command must be available in the <code>PATH</code> environmental variable associated with OpenAM.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationDomain" : {
"title" : "Authentication Domain",
"description" : "The name of the Windows Domain used for authentication",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"authenticationHost" : {
"title" : "Authentication Host",
"description" : "The name of the Windows NT Domain Controller.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"sambaConfigurationFileName" : {
"title" : "Samba Configuration File Name",
"description" : "The path to the Samba configuration file.<br><br>The Windows NT authentication module uses the <code>smbclient</code> command to validate the user credentials against the Windows domain controller. <br/><br/>For example: <code>/opt/openam/smb.conf</code><br/><br/><i>NB </i>The <code>smbclient</code> command must be available in the <code>PATH</code> environmental variable associated with OpenAM.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationDomain" : {
"title" : "Authentication Domain",
"description" : "The name of the Windows Domain used for authentication",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"authenticationHost" : {
"title" : "Authentication Host",
"description" : "The name of the Windows NT Domain Controller.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"sambaConfigurationFileName" : {
"title" : "Samba Configuration File Name",
"description" : "The path to the Samba configuration file.<br><br>The Windows NT authentication module uses the <code>smbclient</code> command to validate the user credentials against the Windows domain controller. <br/><br/>For example: <code>/opt/openam/smb.conf</code><br/><br/><i>NB </i>The <code>smbclient</code> command must be available in the <code>PATH</code> environmental variable associated with OpenAM.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticationDomain" : {
"title" : "Authentication Domain",
"description" : "The name of the Windows Domain used for authentication",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticationLevel" : {
"title" : "Authentication Level",
"description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"authenticationHost" : {
"title" : "Authentication Host",
"description" : "The name of the Windows NT Domain Controller.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"sambaConfigurationFileName" : {
"title" : "Samba Configuration File Name",
"description" : "The path to the Samba configuration file.<br><br>The Windows NT authentication module uses the <code>smbclient</code> command to validate the user credentials against the Windows domain controller. <br/><br/>For example: <code>/opt/openam/smb.conf</code><br/><br/><i>NB </i>The <code>smbclient</code> command must be available in the <code>PATH</code> environmental variable associated with OpenAM.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
/realm-config/federation/circlesoftrust
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"saml2ReaderServiceUrl" : {
"title" : "SAML2 Reader Service URL",
"description" : "Location of the SAML2 Reader service that reads the cookie from the Common Domain.",
"propertyOrder" : 500,
"required" : false,
"type" : "string"
},
"trustedProviders" : {
"title" : "Entity Providers",
"description" : "Minimum requirements for a circle of trust are one identity provider and one service provider.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"status" : {
"title" : "Status",
"propertyOrder" : 200,
"required" : false,
"type" : "string"
},
"description" : {
"title" : "Description",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"saml2WriterServiceUrl" : {
"title" : "SAML2 Writer Service URL",
"description" : "Location of the SAML2 Writer service that writes the cookie to the Common Domain.",
"propertyOrder" : 400,
"required" : false,
"type" : "string"
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"saml2ReaderServiceUrl" : {
"title" : "SAML2 Reader Service URL",
"description" : "Location of the SAML2 Reader service that reads the cookie from the Common Domain.",
"propertyOrder" : 500,
"required" : false,
"type" : "string"
},
"trustedProviders" : {
"title" : "Entity Providers",
"description" : "Minimum requirements for a circle of trust are one identity provider and one service provider.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"status" : {
"title" : "Status",
"propertyOrder" : 200,
"required" : false,
"type" : "string"
},
"description" : {
"title" : "Description",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"saml2WriterServiceUrl" : {
"title" : "SAML2 Writer Service URL",
"description" : "Location of the SAML2 Writer service that writes the cookie to the Common Domain.",
"propertyOrder" : 400,
"required" : false,
"type" : "string"
}
}
}
/realm-config/federation/circlesoftrust/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"saml2ReaderServiceUrl" : {
"title" : "SAML2 Reader Service URL",
"description" : "Location of the SAML2 Reader service that reads the cookie from the Common Domain.",
"propertyOrder" : 500,
"required" : false,
"type" : "string"
},
"trustedProviders" : {
"title" : "Entity Providers",
"description" : "Minimum requirements for a circle of trust are one identity provider and one service provider.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"status" : {
"title" : "Status",
"propertyOrder" : 200,
"required" : false,
"type" : "string"
},
"description" : {
"title" : "Description",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"saml2WriterServiceUrl" : {
"title" : "SAML2 Writer Service URL",
"description" : "Location of the SAML2 Writer service that writes the cookie to the Common Domain.",
"propertyOrder" : 400,
"required" : false,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"saml2ReaderServiceUrl" : {
"title" : "SAML2 Reader Service URL",
"description" : "Location of the SAML2 Reader service that reads the cookie from the Common Domain.",
"propertyOrder" : 500,
"required" : false,
"type" : "string"
},
"trustedProviders" : {
"title" : "Entity Providers",
"description" : "Minimum requirements for a circle of trust are one identity provider and one service provider.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"status" : {
"title" : "Status",
"propertyOrder" : 200,
"required" : false,
"type" : "string"
},
"description" : {
"title" : "Description",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"saml2WriterServiceUrl" : {
"title" : "SAML2 Writer Service URL",
"description" : "Location of the SAML2 Writer service that writes the cookie to the Common Domain.",
"propertyOrder" : 400,
"required" : false,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"saml2ReaderServiceUrl" : {
"title" : "SAML2 Reader Service URL",
"description" : "Location of the SAML2 Reader service that reads the cookie from the Common Domain.",
"propertyOrder" : 500,
"required" : false,
"type" : "string"
},
"trustedProviders" : {
"title" : "Entity Providers",
"description" : "Minimum requirements for a circle of trust are one identity provider and one service provider.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"status" : {
"title" : "Status",
"propertyOrder" : 200,
"required" : false,
"type" : "string"
},
"description" : {
"title" : "Description",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"saml2WriterServiceUrl" : {
"title" : "SAML2 Writer Service URL",
"description" : "Location of the SAML2 Writer service that writes the cookie to the Common Domain.",
"propertyOrder" : 400,
"required" : false,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"saml2ReaderServiceUrl" : {
"title" : "SAML2 Reader Service URL",
"description" : "Location of the SAML2 Reader service that reads the cookie from the Common Domain.",
"propertyOrder" : 500,
"required" : false,
"type" : "string"
},
"trustedProviders" : {
"title" : "Entity Providers",
"description" : "Minimum requirements for a circle of trust are one identity provider and one service provider.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"status" : {
"title" : "Status",
"propertyOrder" : 200,
"required" : false,
"type" : "string"
},
"description" : {
"title" : "Description",
"propertyOrder" : 100,
"required" : false,
"type" : "string"
},
"saml2WriterServiceUrl" : {
"title" : "SAML2 Writer Service URL",
"description" : "Location of the SAML2 Writer service that writes the cookie to the Common Domain.",
"propertyOrder" : 400,
"required" : false,
"type" : "string"
}
}
}
/realm-config/federation/entityproviders/idff
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
/realm-config/federation/entityproviders/idff/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
/realm-config/federation/entityproviders/saml2
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
/realm-config/federation/entityproviders/saml2/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
/realm-config/federation/entityproviders/ws
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
/realm-config/federation/entityproviders/ws/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | | | | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"entityConfig" : {
"title" : "Entity Configuration",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"metadata" : {
"title" : "Metadata",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
/realm-config/services
1.0
The collection of services available on a realm.
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Find services provisioned for the realm - query for a particular service by identifier, or request all services using _queryFilter=true
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier for the service - used to construct the subpath for the service"
},
"name" : {
"type" : "string",
"title" : "Name",
"description" : "The user-facing name of the service"
}
}
}
/realm-config/services/RemoteConsentService
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"consentResponseTimeLimit" : {
"title" : "Consent Response Time Limit (in minutes)",
"description" : "The time limit set on the consent response JWT before it expires, in minutes.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"jwkStoreCacheTimeout" : {
"title" : "JWK Store Cache Timeout (in minutes)",
"description" : "The cache timeout for the JWK store of the authorization server, in minutes.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"clientId" : {
"title" : "Client Name",
"description" : "The name used to identify this OAuth 2.0 remote consent service when referenced in other services.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWK Store Cache Miss Cache Time (in minutes)",
"description" : "The length of time a cache miss is cached, in minutes.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"jwksUriAS" : {
"title" : "Authorization Server jwk_uri",
"description" : "The jwk_uri for retrieving the authorization server signing and encryption keys.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"signingKeyAlias" : {
"title" : "Signing Key Alias",
"description" : "The alias of the key in the default keystore to use for signing.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"encryptionKeyAlias" : {
"title" : "Encryption Key Alias",
"description" : "The alias of the key in the default keystore to use for encryption.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
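The body above is the one that sets up a remote consent service, and it is worth checking before it goes over the wire. What follows is an added example, not OpenAM's own code: a small Python pre-flight that enforces the required fields and types as this page lists them (the schema's per-property "required" : true is draft-03 style, and a draft-04 validator would silently ignore it), then flags the settings an attacker would care about: a non-https jwksUriAS, since that URL is where the authorization server's signing and encryption keys are fetched from; an overlong consent-response JWT lifetime; and one key alias reused for both signing and encryption. The sample bodies, the as.example.com host and the 10-minute ceiling are constructed for the example.

```python
"""Pre-flight checks for a RemoteConsentService body (added example, not OpenAM code).

The schema marks every field with a per-property "required" : true (draft-03
style), which a draft-04 validator ignores, so the required/type checks are
written out here. Sample bodies, host names and the 10-minute ceiling are
constructed for this example.
"""
from urllib.parse import urlparse

# Property name -> JSON type, transcribed from the schema on this page.
# All seven properties are marked required there.
REMOTE_CONSENT_SCHEMA = {
    "clientId": "string",
    "signingKeyAlias": "string",
    "encryptionKeyAlias": "string",
    "jwksUriAS": "string",
    "jwkStoreCacheTimeout": "integer",
    "jwkStoreCacheMissCacheTime": "integer",
    "consentResponseTimeLimit": "integer",
}
_PY_TYPES = {"string": str, "integer": int}

# Constructed sample bodies: one acceptable, one structurally valid but weak.
SAMPLE_OK = {
    "clientId": "remote-consent",
    "signingKeyAlias": "rcs-sign",
    "encryptionKeyAlias": "rcs-enc",
    "jwksUriAS": "https://as.example.com/oauth2/jwk_uri",
    "jwkStoreCacheTimeout": 60,
    "jwkStoreCacheMissCacheTime": 1,
    "consentResponseTimeLimit": 3,
}
SAMPLE_WEAK = dict(
    SAMPLE_OK,
    encryptionKeyAlias="rcs-sign",                      # same key for signing and encryption
    jwksUriAS="http://as.example.com/oauth2/jwk_uri",   # AS keys fetched in cleartext
    consentResponseTimeLimit=1440,                      # consent JWT valid for a day
)


def schema_errors(body):
    """Structural problems: missing required keys, wrong types, unknown keys."""
    errors = []
    for key, json_type in REMOTE_CONSENT_SCHEMA.items():
        if key not in body:
            errors.append(f"missing required property {key}")
            continue
        value = body[key]
        # bool subclasses int in Python, so reject it explicitly for integer fields.
        if isinstance(value, bool) or not isinstance(value, _PY_TYPES[json_type]):
            errors.append(f"{key} must be {json_type}")
    errors.extend(f"unknown property {key}" for key in body if key not in REMOTE_CONSENT_SCHEMA)
    return errors


def security_findings(body, max_consent_minutes=10):
    """Hardening warnings for a body that already passes schema_errors().

    jwksUriAS is where the AS signing and encryption keys are fetched from, so
    whoever can tamper with that fetch decides which keys this service trusts.
    """
    findings = []
    uri = urlparse(body["jwksUriAS"])
    if uri.scheme != "https":
        findings.append("jwksUriAS must be https: keys fetched over http can be substituted in transit")
    if not uri.netloc:
        findings.append("jwksUriAS must be an absolute URL")
    limit = body["consentResponseTimeLimit"]
    if limit <= 0:
        findings.append("consentResponseTimeLimit must be positive")
    elif limit > max_consent_minutes:
        findings.append(f"consentResponseTimeLimit {limit}m is above the {max_consent_minutes}m ceiling")
    for key in ("jwkStoreCacheTimeout", "jwkStoreCacheMissCacheTime"):
        if body[key] <= 0:
            findings.append(f"{key} must be positive")
    if body["signingKeyAlias"] == body["encryptionKeyAlias"]:
        findings.append("signingKeyAlias and encryptionKeyAlias should name different keys (key separation)")
    for key in ("clientId", "signingKeyAlias", "encryptionKeyAlias"):
        if not body[key].strip():
            findings.append(f"{key} is blank")
    return findings
```

Run schema_errors() first and only pass a clean body to security_findings(); the second function assumes the types are right. The same checks apply unchanged to the Update body, since it carries the identical schema.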
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"consentResponseTimeLimit" : {
"title" : "Consent Response Time Limit (in minutes)",
"description" : "The time limit set on the consent response JWT before it expires, in minutes.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"jwkStoreCacheTimeout" : {
"title" : "JWK Store Cache Timeout (in minutes)",
"description" : "The cache timeout for the JWK store of the authorization server, in minutes.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"clientId" : {
"title" : "Client Name",
"description" : "The name used to identify this OAuth 2.0 remote consent service when referenced in other services.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWK Store Cache Miss Cache Time (in minutes)",
"description" : "The length of time a cache miss is cached, in minutes.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"jwksUriAS" : {
"title" : "Authorization Server jwk_uri",
"description" : "The jwk_uri for retrieving the authorization server signing and encryption keys.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"signingKeyAlias" : {
"title" : "Signing Key Alias",
"description" : "The alias of the key in the default keystore to use for signing.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"encryptionKeyAlias" : {
"title" : "Encryption Key Alias",
"description" : "The alias of the key in the default keystore to use for encryption.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"consentResponseTimeLimit" : {
"title" : "Consent Response Time Limit (in minutes)",
"description" : "The time limit set on the consent response JWT before it expires, in minutes.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"jwkStoreCacheTimeout" : {
"title" : "JWK Store Cache Timeout (in minutes)",
"description" : "The cache timeout for the JWK store of the authorization server, in minutes.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"clientId" : {
"title" : "Client Name",
"description" : "The name used to identify this OAuth 2.0 remote consent service when referenced in other services.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWK Store Cache Miss Cache Time (in minutes)",
"description" : "The length of time a cache miss is cached, in minutes.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"jwksUriAS" : {
"title" : "Authorization Server jwk_uri",
"description" : "The jwk_uri for retrieving the authorization server signing and encryption keys.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"signingKeyAlias" : {
"title" : "Signing Key Alias",
"description" : "The alias of the key in the default keystore to use for signing.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"encryptionKeyAlias" : {
"title" : "Encryption Key Alias",
"description" : "The alias of the key in the default keystore to use for encryption.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"consentResponseTimeLimit" : {
"title" : "Consent Response Time Limit (in minutes)",
"description" : "The time limit set on the consent response JWT before it expires, in minutes.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"jwkStoreCacheTimeout" : {
"title" : "JWK Store Cache Timeout (in minutes)",
"description" : "The cache timeout for the JWK store of the authorization server, in minutes.",
"propertyOrder" : 500,
"required" : true,
"type" : "integer"
},
"clientId" : {
"title" : "Client Name",
"description" : "The name used to identify this OAuth 2.0 remote consent service when referenced in other services.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"jwkStoreCacheMissCacheTime" : {
"title" : "JWK Store Cache Miss Cache Time (in minutes)",
"description" : "The length of time a cache miss is cached, in minutes.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"jwksUriAS" : {
"title" : "Authorization Server jwk_uri",
"description" : "The jwk_uri for retrieving the authorization server signing and encryption keys.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"signingKeyAlias" : {
"title" : "Signing Key Alias",
"description" : "The alias of the key in the default keystore to use for signing.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"encryptionKeyAlias" : {
"title" : "Encryption Key Alias",
"description" : "The alias of the key in the default keystore to use for encryption.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/amSessionPropertyWhitelist
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"sessionPropertyWhitelist" : {
"title" : "Whitelisted Session Property Names",
"description" : "A list of properties that users may read, edit the value of, or delete from their session.<p><p> Adding properties to sessions can impact OpenAM's performance. Because there is no size constraint limiting the set of properties that you can add to sessions, and no limit on the number of session properties you can add, keep in mind that adding session properties can increase the load on an OpenAM deployment in the following areas: <ul><li>OpenAM server memory</li><li>OpenDJ storage</li><li>OpenDJ replication</li></ul><p>Protected attributes will NOT be allowed to be set, edited or deleted, even if they are included in this whitelist.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"sessionPropertyWhitelist" : {
"title" : "Whitelisted Session Property Names",
"description" : "A list of properties that users may read, edit the value of, or delete from their session.<p><p> Adding properties to sessions can impact OpenAM's performance. Because there is no size constraint limiting the set of properties that you can add to sessions, and no limit on the number of session properties you can add, keep in mind that adding session properties can increase the load on an OpenAM deployment in the following areas: <ul><li>OpenAM server memory</li><li>OpenDJ storage</li><li>OpenDJ replication</li></ul><p>Protected attributes will NOT be allowed to be set, edited or deleted, even if they are included in this whitelist.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"sessionPropertyWhitelist" : {
"title" : "Whitelisted Session Property Names",
"description" : "A list of properties that users may read, edit the value of, or delete from their session.<p><p> Adding properties to sessions can impact OpenAM's performance. Because there is no size constraint limiting the set of properties that you can add to sessions, and no limit on the number of session properties you can add, keep in mind that adding session properties can increase the load on an OpenAM deployment in the following areas: <ul><li>OpenAM server memory</li><li>OpenDJ storage</li><li>OpenDJ replication</li></ul><p>Protected attributes will NOT be allowed to be set, edited or deleted, even if they are included in this whitelist.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"sessionPropertyWhitelist" : {
"title" : "Whitelisted Session Property Names",
"description" : "A list of properties that users may read, edit the value of, or delete from their session.<p><p> Adding properties to sessions can impact OpenAM's performance. Because there is no size constraint limiting the set of properties that you can add to sessions, and no limit on the number of session properties you can add, keep in mind that adding session properties can increase the load on an OpenAM deployment in the following areas: <ul><li>OpenAM server memory</li><li>OpenDJ storage</li><li>OpenDJ replication</li></ul><p>Protected attributes will NOT be allowed to be set, edited or deleted, even if they are included in this whitelist.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/audit
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"fieldFilterPolicy" : {
"title" : "Field exclusion policies",
"description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"auditEnabled" : {
"title" : "Audit logging",
"description" : "Enable audit logging in OpenAM.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
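The fieldFilterPolicy pointers above are easy to get wrong: a misspelt topic prefix silently matches nothing, and a path that lands on a number or an object is not filtered at all. The following is an added example, not part of OpenAM, that replays a policy against a constructed access event the way the description says the service does: topic first, then a JSON-pointer path into the event, and only string-valued fields are dropped. Treating a list of strings (the usual shape of an HTTP header value) as removable is this example's interpretation of "made up of JSON strings"; the sample event's field names are illustrative, and KNOWN_TOPICS is just the four topics the description lists.

```python
"""Offline check of an audit fieldFilterPolicy (added example, not OpenAM code).

Each pointer is /<topic>/<path into the event>; only string-valued fields are
removed, which is the limitation the schema description warns about. The
event below is constructed and its field names are illustrative only.
"""
import copy

# Topics named in the fieldFilterPolicy description.
KNOWN_TOPICS = {"access", "activity", "authentication", "config"}

# Constructed access event.
SAMPLE_ACCESS_EVENT = {
    "eventName": "AM-ACCESS-OUTCOME",
    "userId": "id=demo,ou=user,dc=example,dc=com",
    "http": {"request": {
        "method": "POST",
        "headers": {"content-type": ["application/json"], "accept": ["*/*"]},
    }},
    "response": {"status": "SUCCESSFUL", "elapsedTime": 12},
}
SAMPLE_POLICY = [
    "/access/userId",
    "/access/http/request/headers/content-type",
    "/access/response/elapsedTime",   # integer value: cannot be filtered
    "/authentication/principal",      # other topic: ignored for access events
]


def parse_pointer(pointer):
    """'/access/http/request/headers/content-type' ->
    ('access', ['http', 'request', 'headers', 'content-type']),
    honouring the RFC 6901 escapes ~1 (for '/') and ~0 (for '~')."""
    if not pointer.startswith("/"):
        raise ValueError(f"pointer must start with '/': {pointer!r}")
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in pointer.split("/")[1:]]
    if len(tokens) < 2:
        raise ValueError(f"pointer needs a topic and a field: {pointer!r}")
    return tokens[0], tokens[1:]


def policy_problems(policy):
    """Pointers that are malformed or name a topic the audit service does not emit."""
    problems = []
    for pointer in policy:
        try:
            topic, _ = parse_pointer(pointer)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if topic not in KNOWN_TOPICS:
            problems.append(f"unknown topic {topic!r} in {pointer!r}")
    return problems


def _is_string_valued(value):
    # A plain string, or a list made up only of strings (e.g. a header's values).
    return isinstance(value, str) or (
        isinstance(value, list) and all(isinstance(v, str) for v in value))


def apply_field_filter(topic, event, policy):
    """Return (filtered_copy, skipped): the event with matching string fields
    removed, plus the pointers that matched a non-string value and were left
    in place. The original event is not modified."""
    out = copy.deepcopy(event)
    skipped = []
    for pointer in policy:
        ptopic, path = parse_pointer(pointer)
        if ptopic != topic:
            continue
        parent = out
        for token in path[:-1]:
            parent = parent.get(token) if isinstance(parent, dict) else None
            if parent is None:
                break
        leaf = path[-1]
        if not isinstance(parent, dict) or leaf not in parent:
            continue   # field absent from this event
        if _is_string_valued(parent[leaf]):
            del parent[leaf]
        else:
            skipped.append(pointer)
    return out, skipped
```

Anything reported in skipped will still reach the audit handlers, so a policy meant to keep, say, timing data out of the log has to target a string field or be enforced elsewhere.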
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"fieldFilterPolicy" : {
"title" : "Field exclusion policies",
"description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"auditEnabled" : {
"title" : "Audit logging",
"description" : "Enable audit logging in OpenAM.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"fieldFilterPolicy" : {
"title" : "Field exclusion policies",
"description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"auditEnabled" : {
"title" : "Audit logging",
"description" : "Enable audit logging in OpenAM.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"fieldFilterPolicy" : {
"title" : "Field exclusion policies",
"description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"auditEnabled" : {
"title" : "Audit logging",
"description" : "Enable audit logging in OpenAM.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/audit/CSV
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"csvFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
},
"csvBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingAutoFlush" : {
"title" : "Flush Each Event Immediately",
"description" : "Performance may be improved by writing all buffered events before flushing.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables buffering.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
}
}
},
"csvSecurity" : {
"type" : "object",
"title" : "Tamper Evident Configuration",
"propertyOrder" : 6,
"properties" : {
"securityPassword" : {
"title" : "Certificate Store Password",
"description" : "Password for Java keystore.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string",
"format" : "password"
},
"securityEnabled" : {
"title" : "Is Enabled",
"description" : "Enables the CSV tamper evident feature.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"securityFilename" : {
"title" : "Certificate Store Location",
"description" : "Path to Java keystore.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"securitySignatureInterval" : {
"title" : "Signature Interval",
"description" : "Signature generation interval, in seconds.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
},
"csvFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"csvConfig" : {
"type" : "object",
"title" : "CSV Configuration",
"propertyOrder" : 2,
"properties" : {
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log CSV files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
}
}
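Several of the knobs above interact: rotation with no size, interval or time-of-day trigger never rotates; retention with every limit disabled lets audit files grow until the disk fills; buffering without a per-event flush drops the tail of the log on a crash; and tamper-evident signing needs both a keystore path and a password before it does anything. Below is an added example, not OpenAM code, that lints a CSV handler body for those combinations. It parses the string-typed limits first, since comparing them as strings is the classic mistake with this schema; the two sample bodies, the placeholder factory class, the password and the file paths are constructed.

```python
"""Lint a CSV audit handler body (added example, not OpenAM code).

The schema types the size, count and interval limits as strings, so they are
parsed before any comparison. Both handler bodies below are constructed; the
factory class, password and paths are placeholders.
"""


def _num(section, key, default="0"):
    """Parse a string-typed numeric limit; an absent or blank value takes the default."""
    raw = str(section.get(key, default)).strip() or default
    try:
        return int(raw)
    except ValueError:
        raise ValueError(f"{key}: {raw!r} is not an integer") from None


def csv_handler_findings(cfg):
    """Return a list of configuration weaknesses, empty when none were found."""
    findings = []
    common = cfg.get("commonHandler", {})
    if not common.get("enabled", False):
        findings.append("handler disabled: nothing is written")
    if not common.get("topics"):
        findings.append("no topics selected: handler receives no events")
    if "." not in cfg.get("commonHandlerPlugin", {}).get("handlerFactory", ""):
        findings.append("handlerFactory is not a fully qualified class name")
    if not cfg.get("csvConfig", {}).get("location"):
        findings.append("csvConfig.location is empty")

    rot = cfg.get("csvFileRotation", {})
    rotation_on = bool(rot.get("rotationEnabled", False))
    if rotation_on and not (_num(rot, "rotationMaxFileSize") > 0
                            or _num(rot, "rotationInterval") > 0
                            or rot.get("rotationTimes")):
        findings.append("rotation enabled but no size, interval or time-of-day trigger is set")

    ret = cfg.get("csvFileRetention", {})
    # The schema documents -1 as "no pruning"; any negative count is treated the same here.
    capped = (_num(ret, "retentionMaxNumberOfHistoryFiles", "-1") >= 0
              or _num(ret, "retentionMaxDiskSpaceToUse") > 0
              or _num(ret, "retentionMinFreeSpaceRequired") > 0)
    if not capped:
        findings.append("no retention limit: audit files grow without bound (disk-fill risk)")
    elif not rotation_on:
        findings.append("retention set but rotation disabled: retention only prunes rotated files")

    buf = cfg.get("csvBuffering", {})
    if buf.get("bufferingEnabled", False) and not buf.get("bufferingAutoFlush", False):
        findings.append("buffered without per-event flush: events still in memory are lost on a crash")

    sec = cfg.get("csvSecurity", {})
    if sec.get("securityEnabled", False):
        if not sec.get("securityFilename"):
            findings.append("tamper-evident logging enabled without a keystore path")
        if not sec.get("securityPassword"):
            findings.append("tamper-evident logging enabled without a keystore password")
        if _num(sec, "securitySignatureInterval") <= 0:
            findings.append("securitySignatureInterval must be a positive number of seconds")
    else:
        findings.append("tamper-evident logging disabled: CSV files can be edited without detection")
    return findings


# Constructed: a handler body that passes every check.
SAMPLE_CSV_HANDLER = {
    "commonHandler": {"enabled": True, "topics": ["access", "activity", "authentication", "config"]},
    "commonHandlerPlugin": {"handlerFactory": "com.example.audit.CsvHandlerFactory"},
    "csvConfig": {"location": "/var/log/openam/audit"},
    "csvFileRotation": {"rotationEnabled": True, "rotationMaxFileSize": "104857600",
                        "rotationInterval": "-1", "rotationTimes": [],
                        "rotationFilePrefix": "", "rotationFileSuffix": "-yyyy.MM.dd-HH.mm.ss"},
    "csvFileRetention": {"retentionMaxNumberOfHistoryFiles": "30",
                         "retentionMaxDiskSpaceToUse": "-1", "retentionMinFreeSpaceRequired": "-1"},
    "csvBuffering": {"bufferingEnabled": True, "bufferingAutoFlush": True},
    "csvSecurity": {"securityEnabled": True, "securityFilename": "/opt/openam/audit.jceks",
                    "securityPassword": "placeholder-password", "securitySignatureInterval": "900"},
}

# Constructed: the same handler with the usual mistakes.
SAMPLE_WEAK_CSV_HANDLER = {
    "commonHandler": {"enabled": True, "topics": ["access"]},
    "commonHandlerPlugin": {"handlerFactory": "CsvHandlerFactory"},
    "csvConfig": {"location": "/var/log/openam/audit"},
    "csvFileRotation": {"rotationEnabled": True, "rotationMaxFileSize": "0",
                        "rotationInterval": "-1", "rotationTimes": []},
    "csvFileRetention": {"retentionMaxNumberOfHistoryFiles": "-1",
                         "retentionMaxDiskSpaceToUse": "0", "retentionMinFreeSpaceRequired": "-1"},
    "csvBuffering": {"bufferingEnabled": True, "bufferingAutoFlush": False},
    "csvSecurity": {"securityEnabled": False},
}
```

A non-numeric limit raises rather than being treated as zero, so a body with a typo in one of the string-typed fields is rejected instead of silently disabling that policy.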
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"csvFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
},
"csvBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingAutoFlush" : {
"title" : "Flush Each Event Immediately",
"description" : "Performance may be improved by writing all buffered events before flushing.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables buffering.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
}
}
},
"csvSecurity" : {
"type" : "object",
"title" : "Tamper Evident Configuration",
"propertyOrder" : 6,
"properties" : {
"securityPassword" : {
"title" : "Certificate Store Password",
"description" : "Password for Java keystore.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string",
"format" : "password"
},
"securityEnabled" : {
"title" : "Is Enabled",
"description" : "Enables the CSV tamper evident feature.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"securityFilename" : {
"title" : "Certificate Store Location",
"description" : "Path to Java keystore.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"securitySignatureInterval" : {
"title" : "Signature Interval",
"description" : "Signature generation interval, in seconds.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
},
"csvFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"csvConfig" : {
"type" : "object",
"title" : "CSV Configuration",
"propertyOrder" : 2,
"properties" : {
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log CSV files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
}
}
/realm-config/services/audit/CSV/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the CSV audit event handler instance ({id} in the path) | true | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"csvFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
},
"csvBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingAutoFlush" : {
"title" : "Flush Each Event Immediately",
"description" : "Performance may be improved by writing all buffered events before flushing.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables buffering.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
}
}
},
"csvSecurity" : {
"type" : "object",
"title" : "Tamper Evident Configuration",
"propertyOrder" : 6,
"properties" : {
"securityPassword" : {
"title" : "Certificate Store Password",
"description" : "Password for Java keystore.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string",
"format" : "password"
},
"securityEnabled" : {
"title" : "Is Enabled",
"description" : "Enables the CSV tamper evident feature.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"securityFilename" : {
"title" : "Certificate Store Location",
"description" : "Path to Java keystore.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"securitySignatureInterval" : {
"title" : "Signature Interval",
"description" : "Signature generation interval, in seconds.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
},
"csvFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"csvConfig" : {
"type" : "object",
"title" : "CSV Configuration",
"propertyOrder" : 2,
"properties" : {
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log CSV files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
}
}
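The Create operation above takes a body shaped by the schema just shown. As an added example (not code from OpenAM or from this reference), the following Python builds such a body, lints it for the settings an auditor asks about (tamper-evident signing, retention limits, buffering without flush) and describes the HTTP call that would carry it. The /json path prefix, the PUT-with-If-None-Match convention, the factory class name, the suffix pattern and the wording of the findings are this example's assumptions, not statements from this page.

```python
"""Build and lint a request body for the CSV audit event handler Create
operation (added example; field names follow the schema on this page)."""
from __future__ import annotations

import json
from typing import Any

# Assumption: OpenAM serves its JSON REST API under /json, and a create with a
# client-assigned ID is a PUT guarded by If-None-Match: * (CREST convention).
CSV_HANDLER_PATH = "/json/realm-config/services/audit/CSV/{id}"
# Assumption: factory class name; the schema only requires a class that
# implements org.forgerock.openam.audit.AuditEventHandlerFactory.
DEFAULT_FACTORY = "org.forgerock.openam.audit.CsvAuditEventHandlerFactory"


def build_csv_handler(*, location: str, topics: list[str], keystore: str | None = None,
                      keystore_password: str | None = None, signature_interval_s: int = 900,
                      max_file_size: int = 100_000_000, max_history_files: int = 10,
                      enabled: bool = True) -> dict[str, Any]:
    """Return a body shaped like the Create schema. Sizes, intervals and
    counts are strings because the schema types them as strings."""
    tamper_evident = keystore is not None
    return {
        "commonHandler": {"enabled": enabled, "topics": topics},
        "commonHandlerPlugin": {"handlerFactory": DEFAULT_FACTORY},
        "csvConfig": {"location": location},
        "csvFileRotation": {
            "rotationEnabled": True,
            "rotationMaxFileSize": str(max_file_size),
            "rotationInterval": "0",  # zero disables the time-based trigger
            "rotationTimes": [],
            "rotationFilePrefix": "",
            "rotationFileSuffix": "-yyyy.MM.dd-HH.mm.ss",  # a timestamp, as the schema asks (pattern assumed)
        },
        "csvFileRetention": {
            "retentionMaxNumberOfHistoryFiles": str(max_history_files),
            "retentionMaxDiskSpaceToUse": "0",  # zero disables this policy
            "retentionMinFreeSpaceRequired": "0",
        },
        "csvBuffering": {"bufferingEnabled": True, "bufferingAutoFlush": True},
        "csvSecurity": {
            "securityEnabled": tamper_evident,
            "securityFilename": keystore or "",
            "securityPassword": keystore_password or "",
            "securitySignatureInterval": str(signature_interval_s) if tamper_evident else "",
        },
    }


def _as_int(value: Any) -> int | None:
    """Schema values arrive as strings; anything unparsable counts as unset."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def lint_csv_handler(cfg: dict[str, Any]) -> list[str]:
    """Findings an auditor would raise about this handler configuration."""
    findings: list[str] = []
    common = cfg.get("commonHandler", {})
    if not common.get("enabled"):
        findings.append("handler disabled: no audit events are written")
    if not common.get("topics"):
        findings.append("no topics: the handler records nothing")

    sec = cfg.get("csvSecurity", {})
    if not sec.get("securityEnabled"):
        findings.append("tamper-evident signing disabled: edits to the CSV files are undetectable")
    else:
        if not sec.get("securityFilename") or not sec.get("securityPassword"):
            findings.append("tamper-evident enabled without a keystore path and password")
        interval = _as_int(sec.get("securitySignatureInterval"))
        if interval is None or interval <= 0:
            findings.append("signature interval must be a positive number of seconds")

    ret = cfg.get("csvFileRetention", {})
    disk = _as_int(ret.get("retentionMaxDiskSpaceToUse"))
    if _as_int(ret.get("retentionMaxNumberOfHistoryFiles")) == -1 and (disk is None or disk <= 0):
        findings.append("unbounded retention: a full disk can stop auditing")

    buf = cfg.get("csvBuffering", {})
    if buf.get("bufferingEnabled") and not buf.get("bufferingAutoFlush"):
        findings.append("buffering without immediate flush: events held in memory are lost on a crash")
    return findings


def create_request(handler_id: str, cfg: dict[str, Any]) -> dict[str, Any]:
    """Describe the HTTP call for the Create operation (nothing is sent here)."""
    return {
        "method": "PUT",
        "path": CSV_HANDLER_PATH.format(id=handler_id),
        "headers": {"Content-Type": "application/json", "If-None-Match": "*"},
        "body": json.dumps(cfg),
    }
```

The linter reports a handler with securityEnabled false as a finding because, without periodic signatures, a CSV file can be edited after the fact with nothing to detect it; providing that detection is the purpose of the Tamper Evident Configuration group in the schema.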
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the CSV audit event handler instance ({id} in the path) | true | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"csvFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
},
"csvBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingAutoFlush" : {
"title" : "Flush Each Event Immediately",
"description" : "Performance may be improved by writing all buffered events before flushing.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables buffering.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
}
}
},
"csvSecurity" : {
"type" : "object",
"title" : "Tamper Evident Configuration",
"propertyOrder" : 6,
"properties" : {
"securityPassword" : {
"title" : "Certificate Store Password",
"description" : "Password for Java keystore.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string",
"format" : "password"
},
"securityEnabled" : {
"title" : "Is Enabled",
"description" : "Enables the CSV tamper evident feature.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"securityFilename" : {
"title" : "Certificate Store Location",
"description" : "Path to Java keystore.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"securitySignatureInterval" : {
"title" : "Signature Interval",
"description" : "Signature generation interval, in seconds.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
},
"csvFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"csvConfig" : {
"type" : "object",
"title" : "CSV Configuration",
"propertyOrder" : 2,
"properties" : {
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log CSV files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the CSV audit event handler instance ({id} in the path) | true | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"csvFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
},
"csvBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingAutoFlush" : {
"title" : "Flush Each Event Immediately",
"description" : "Performance may be improved by writing all buffered events before flushing.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables buffering.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
}
}
},
"csvSecurity" : {
"type" : "object",
"title" : "Tamper Evident Configuration",
"propertyOrder" : 6,
"properties" : {
"securityPassword" : {
"title" : "Certificate Store Password",
"description" : "Password for Java keystore.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string",
"format" : "password"
},
"securityEnabled" : {
"title" : "Is Enabled",
"description" : "Enables the CSV tamper evident feature.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"securityFilename" : {
"title" : "Certificate Store Location",
"description" : "Path to Java keystore.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"securitySignatureInterval" : {
"title" : "Signature Interval",
"description" : "Signature generation interval, in seconds.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
},
"csvFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"csvConfig" : {
"type" : "object",
"title" : "CSV Configuration",
"propertyOrder" : 2,
"properties" : {
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log CSV files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the CSV audit event handler instance ({id} in the path) | true | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"csvFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
},
"csvBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingAutoFlush" : {
"title" : "Flush Each Event Immediately",
"description" : "Performance may be improved by writing all buffered events before flushing.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables buffering.",
"propertyOrder" : 1500,
"required" : true,
"type" : "boolean"
}
}
},
"csvSecurity" : {
"type" : "object",
"title" : "Tamper Evident Configuration",
"propertyOrder" : 6,
"properties" : {
"securityPassword" : {
"title" : "Certificate Store Password",
"description" : "Password for Java keystore.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string",
"format" : "password"
},
"securityEnabled" : {
"title" : "Is Enabled",
"description" : "Enables the CSV tamper evident feature.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"securityFilename" : {
"title" : "Certificate Store Location",
"description" : "Path to Java keystore.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"securitySignatureInterval" : {
"title" : "Signature Interval",
"description" : "Signature generation interval, in seconds.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
}
}
},
"csvFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"csvConfig" : {
"type" : "object",
"title" : "CSV Configuration",
"propertyOrder" : 2,
"properties" : {
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log CSV files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 2100,
"required" : true,
"type" : "string"
}
}
}
}
}
/realm-config/services/audit/Elasticsearch
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"elasticsearchConfig" : {
"type" : "object",
"title" : "Elasticsearch Configuration",
"propertyOrder" : 2,
"properties" : {
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
"propertyOrder" : 5300,
"required" : true,
"type" : "boolean"
},
"index" : {
"title" : "Elasticsearch Index",
"description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server Port",
"description" : "Specifies the port number used to access Elasticsearch's REST API.",
"propertyOrder" : 5200,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of the Elasticsearch server.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 6100,
"required" : true,
"type" : "string"
}
}
},
"elasticsearchAuthentication" : {
"type" : "object",
"title" : "Authentication",
"propertyOrder" : 3,
"properties" : {
"username" : {
"title" : "Username",
"description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5500,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Password",
"description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5600,
"required" : true,
"type" : "string",
"format" : "password"
}
}
},
"elasticsearchBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 4,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
"propertyOrder" : 5900,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
"propertyOrder" : 6000,
"required" : true,
"type" : "integer"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"propertyOrder" : 5700,
"required" : true,
"type" : "boolean"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000)",
"propertyOrder" : 5800,
"required" : true,
"type" : "integer"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 5000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 4900,
"required" : true,
"type" : "boolean"
}
}
}
}
}
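Two details of the Elasticsearch schema above deserve a check before a handler goes live: sslEnabled controls whether the Shield credentials and the audit records themselves cross the network in clear text, and the buffering group states that events beyond the queue capacity are dropped. As an added example (not code from OpenAM or from this reference), the following Python lints a handler body for those settings and models the drop policy so that lost events are counted rather than silent. The example host, index, credentials, factory class name, the finding texts and the queue model are this example's assumptions; the field names are those of the schema.

```python
"""Lint an Elasticsearch audit event handler body and model its bounded
queue (added example; field names follow the schema on this page)."""
from __future__ import annotations

from collections import deque
from typing import Any

# Constructed example body. Host, index, credentials and the factory class
# name are assumptions for illustration only.
EXAMPLE_HANDLER: dict[str, Any] = {
    "commonHandler": {"enabled": True, "topics": ["access", "activity", "authentication", "config"]},
    "commonHandlerPlugin": {"handlerFactory": "org.forgerock.openam.audit.ElasticsearchAuditEventHandlerFactory"},
    "elasticsearchConfig": {"host": "es.audit.example.internal", "port": 9200, "sslEnabled": True, "index": "am-audit"},
    "elasticsearchAuthentication": {"username": "am-audit-writer", "password": "example-only"},
    "elasticsearchBuffering": {"bufferingEnabled": True, "maxEvents": 10000, "batchSize": 500, "writeInterval": 1000},
}


def lint_elasticsearch_handler(cfg: dict[str, Any]) -> list[str]:
    """Findings an auditor would raise about this handler configuration."""
    findings: list[str] = []
    common = cfg.get("commonHandler", {})
    es = cfg.get("elasticsearchConfig", {})
    auth = cfg.get("elasticsearchAuthentication", {})
    buf = cfg.get("elasticsearchBuffering", {})

    if not common.get("enabled"):
        findings.append("handler disabled: nothing is shipped to Elasticsearch")
    if not common.get("topics"):
        findings.append("no topics: the handler records nothing")
    if not es.get("host") or not es.get("index"):
        findings.append("host and index are required")
    port = es.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append("port must be an integer between 1 and 65535")
    if not es.get("sslEnabled"):
        exposed = "credentials and audit records" if auth.get("password") else "audit records"
        findings.append(f"sslEnabled is false: {exposed} cross the network in clear text")
    if buf.get("bufferingEnabled"):
        if int(buf.get("maxEvents", 0)) <= 0:
            findings.append("queue capacity <= 0: every buffered event is dropped")
        if int(buf.get("writeInterval", 0)) <= 0:
            findings.append("writeInterval must be a positive number of milliseconds")
    return findings


class BoundedAuditQueue:
    """Model of the schema's queue policy: at most max_events entries are
    held, and an event offered to a full queue is dropped. The drop counter
    is this example's addition; the page documents no such counter."""

    def __init__(self, max_events: int) -> None:
        self._q: deque[dict[str, Any]] = deque()
        self.max_events = max_events
        self.dropped = 0

    def __len__(self) -> int:
        return len(self._q)

    def offer(self, event: dict[str, Any]) -> bool:
        if len(self._q) >= self.max_events:
            self.dropped += 1
            return False
        self._q.append(event)
        return True

    def drain(self, batch_size: int) -> list[dict[str, Any]]:
        batch: list[dict[str, Any]] = []
        while self._q and len(batch) < batch_size:
            batch.append(self._q.popleft())
        return batch


def simulate_burst(total: int, max_events: int, batch_size: int,
                   arrivals_per_interval: int) -> dict[str, int]:
    """Offer `total` constructed events; every `arrivals_per_interval`
    arrivals one write interval elapses and a batch is shipped. Once the
    burst ends the queue is drained to empty. Returns the accounting."""
    q = BoundedAuditQueue(max_events)
    shipped = 0
    for i in range(1, total + 1):
        q.offer({"_id": f"evt-{i}", "topic": "access"})  # constructed event
        if i % arrivals_per_interval == 0:
            shipped += len(q.drain(batch_size))
    while len(q):
        shipped += len(q.drain(batch_size))
    return {"shipped": shipped, "dropped": q.dropped, "queued": len(q)}
```

Run simulate_burst(300, 100, 50, 100) and the queue of capacity 100 overflows while 100 events arrive per write interval and only 50 leave: 100 of the 300 events are dropped and never reach the index. Run it with 50 arrivals per interval and the same burst ships completely. The capacity, batch size and write interval therefore need to be sized against the expected event rate, and the drop count is the number to alert on.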
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"elasticsearchConfig" : {
"type" : "object",
"title" : "Elasticsearch Configuration",
"propertyOrder" : 2,
"properties" : {
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
"propertyOrder" : 5300,
"required" : true,
"type" : "boolean"
},
"index" : {
"title" : "Elasticsearch Index",
"description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server Port",
"description" : "Specifies the port number used to access Elasticsearch's REST API.",
"propertyOrder" : 5200,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of the Elasticsearch server.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 6100,
"required" : true,
"type" : "string"
}
}
},
"elasticsearchAuthentication" : {
"type" : "object",
"title" : "Authentication",
"propertyOrder" : 3,
"properties" : {
"username" : {
"title" : "Username",
"description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5500,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Password",
"description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5600,
"required" : true,
"type" : "string",
"format" : "password"
}
}
},
"elasticsearchBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 4,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
"propertyOrder" : 5900,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
"propertyOrder" : 6000,
"required" : true,
"type" : "integer"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"propertyOrder" : 5700,
"required" : true,
"type" : "boolean"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000)",
"propertyOrder" : 5800,
"required" : true,
"type" : "integer"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 5000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 4900,
"required" : true,
"type" : "boolean"
}
}
}
}
}
/realm-config/services/audit/Elasticsearch/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"elasticsearchConfig" : {
"type" : "object",
"title" : "Elasticsearch Configuration",
"propertyOrder" : 2,
"properties" : {
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
"propertyOrder" : 5300,
"required" : true,
"type" : "boolean"
},
"index" : {
"title" : "Elasticsearch Index",
"description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server Port",
"description" : "Specifies the port number used to access Elasticsearch's REST API.",
"propertyOrder" : 5200,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of the Elasticsearch server.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 6100,
"required" : true,
"type" : "string"
}
}
},
"elasticsearchAuthentication" : {
"type" : "object",
"title" : "Authentication",
"propertyOrder" : 3,
"properties" : {
"username" : {
"title" : "Username",
"description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5500,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Password",
"description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5600,
"required" : true,
"type" : "string",
"format" : "password"
}
}
},
"elasticsearchBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 4,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
"propertyOrder" : 5900,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
"propertyOrder" : 6000,
"required" : true,
"type" : "integer"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"propertyOrder" : 5700,
"required" : true,
"type" : "boolean"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000)",
"propertyOrder" : 5800,
"required" : true,
"type" : "integer"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 5000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 4900,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"elasticsearchConfig" : {
"type" : "object",
"title" : "Elasticsearch Configuration",
"propertyOrder" : 2,
"properties" : {
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
"propertyOrder" : 5300,
"required" : true,
"type" : "boolean"
},
"index" : {
"title" : "Elasticsearch Index",
"description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server Port",
"description" : "Specifies the port number used to access Elasticsearch's REST API.",
"propertyOrder" : 5200,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of the Elasticsearch server.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 6100,
"required" : true,
"type" : "string"
}
}
},
"elasticsearchAuthentication" : {
"type" : "object",
"title" : "Authentication",
"propertyOrder" : 3,
"properties" : {
"username" : {
"title" : "Username",
"description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5500,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Password",
"description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5600,
"required" : true,
"type" : "string",
"format" : "password"
}
}
},
"elasticsearchBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 4,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
"propertyOrder" : 5900,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
"propertyOrder" : 6000,
"required" : true,
"type" : "integer"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"propertyOrder" : 5700,
"required" : true,
"type" : "boolean"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000)",
"propertyOrder" : 5800,
"required" : true,
"type" : "integer"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 5000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 4900,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"elasticsearchConfig" : {
"type" : "object",
"title" : "Elasticsearch Configuration",
"propertyOrder" : 2,
"properties" : {
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
"propertyOrder" : 5300,
"required" : true,
"type" : "boolean"
},
"index" : {
"title" : "Elasticsearch Index",
"description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server Port",
"description" : "Specifies the port number used to access Elasticsearch's REST API.",
"propertyOrder" : 5200,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of the Elasticsearch server.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 6100,
"required" : true,
"type" : "string"
}
}
},
"elasticsearchAuthentication" : {
"type" : "object",
"title" : "Authentication",
"propertyOrder" : 3,
"properties" : {
"username" : {
"title" : "Username",
"description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5500,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Password",
"description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5600,
"required" : true,
"type" : "string",
"format" : "password"
}
}
},
"elasticsearchBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 4,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
"propertyOrder" : 5900,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
"propertyOrder" : 6000,
"required" : true,
"type" : "integer"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"propertyOrder" : 5700,
"required" : true,
"type" : "boolean"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000)",
"propertyOrder" : 5800,
"required" : true,
"type" : "integer"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 5000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 4900,
"required" : true,
"type" : "boolean"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"elasticsearchConfig" : {
"type" : "object",
"title" : "Elasticsearch Configuration",
"propertyOrder" : 2,
"properties" : {
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
"propertyOrder" : 5300,
"required" : true,
"type" : "boolean"
},
"index" : {
"title" : "Elasticsearch Index",
"description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server Port",
"description" : "Specifies the port number used to access Elasticsearch's REST API.",
"propertyOrder" : 5200,
"required" : true,
"type" : "integer"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of the Elasticsearch server.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 6100,
"required" : true,
"type" : "string"
}
}
},
"elasticsearchAuthentication" : {
"type" : "object",
"title" : "Authentication",
"propertyOrder" : 3,
"properties" : {
"username" : {
"title" : "Username",
"description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5500,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Password",
"description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
"propertyOrder" : 5600,
"required" : true,
"type" : "string",
"format" : "password"
}
}
},
"elasticsearchBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 4,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
"propertyOrder" : 5900,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
"propertyOrder" : 6000,
"required" : true,
"type" : "integer"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"propertyOrder" : 5700,
"required" : true,
"type" : "boolean"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000)",
"propertyOrder" : 5800,
"required" : true,
"type" : "integer"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 5000,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 4900,
"required" : true,
"type" : "boolean"
}
}
}
}
}
/realm-config/services/audit/JDBC
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 3200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"jdbcDatabaseConfig" : {
"type" : "object",
"title" : "Database Configuration",
"propertyOrder" : 2,
"properties" : {
"idleTimeout" : {
"title" : "Maximum Connection Idle Timeout (seconds)",
"description" : "Specifies the maximum idle time before the connection is closed, in seconds.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "Specifies the username to access the database server.",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"maxPoolSize" : {
"title" : "Maximum Connections",
"description" : "Specifies the maximum number of connections in the connection pool.",
"propertyOrder" : 4200,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "Specifies the password to access the database server.",
"propertyOrder" : 3700,
"required" : true,
"type" : "string",
"format" : "password"
},
"connectionTimeout" : {
"title" : "Connection Timeout (seconds)",
"description" : "Specifies the maximum wait time before failing the connection, in seconds.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC Database URL",
"description" : "URL of the JDBC database.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"maxLifetime" : {
"title" : "Maximum Connection Time (seconds)",
"description" : "Specifies the maximum time a JDBC connection can be open, in seconds.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"minIdle" : {
"title" : "Minimum Idle Connections",
"description" : "Specifies the minimum number of idle connections in the connection pool.",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"databaseType" : {
"title" : "Database Type",
"description" : "Select the database to use for logging audit events.<br><br>Identifies the database in use, for example MySQL, Oracle, or SQL.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"driverClassName" : {
"title" : "JDBC Driver",
"description" : "Fully qualified JDBC driver class name.",
"propertyOrder" : 3500,
"required" : true,
"type" : "string"
}
}
},
"jdbcBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingMaxSize" : {
"title" : "Buffer Size (number of events)",
"description" : "Size of the queue where events are buffered before they are written to the database.<br><br>This queue has to be big enough to store all incoming events that have not yet been written to the database.<p>If the queue reaches capacity, the process will block until a write occurs.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"bufferingMaxBatchedEvents" : {
"title" : "Max Batched Events",
"description" : "Specifies the maximum number of batched statements the database can support per connection.",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"bufferingWriterThreads" : {
"title" : "Writer Threads",
"description" : "Specifies the number of threads used to write the buffered events.",
"propertyOrder" : 4600,
"required" : true,
"type" : "string"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"bufferingWriteInterval" : {
"title" : "Write Interval",
"description" : "Specifies the interval (seconds) at which buffered events are written to the database.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 4800,
"required" : true,
"type" : "string"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 3200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"jdbcDatabaseConfig" : {
"type" : "object",
"title" : "Database Configuration",
"propertyOrder" : 2,
"properties" : {
"idleTimeout" : {
"title" : "Maximum Connection Idle Timeout (seconds)",
"description" : "Specifies the maximum idle time before the connection is closed, in seconds.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "Specifies the username to access the database server.",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"maxPoolSize" : {
"title" : "Maximum Connections",
"description" : "Specifies the maximum number of connections in the connection pool.",
"propertyOrder" : 4200,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "Specifies the password to access the database server.",
"propertyOrder" : 3700,
"required" : true,
"type" : "string",
"format" : "password"
},
"connectionTimeout" : {
"title" : "Connection Timeout (seconds)",
"description" : "Specifies the maximum wait time before failing the connection, in seconds.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC Database URL",
"description" : "URL of the JDBC database.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"maxLifetime" : {
"title" : "Maximum Connection Time (seconds)",
"description" : "Specifies the maximum time a JDBC connection can be open, in seconds.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"minIdle" : {
"title" : "Minimum Idle Connections",
"description" : "Specifies the minimum number of idle connections in the connection pool.",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"databaseType" : {
"title" : "Database Type",
"description" : "Select the database to use for logging audit events.<br><br>Identifies the database in use, for example MySQL, Oracle, or SQL.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"driverClassName" : {
"title" : "JDBC Driver",
"description" : "Fully qualified JDBC driver class name.",
"propertyOrder" : 3500,
"required" : true,
"type" : "string"
}
}
},
"jdbcBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingMaxSize" : {
"title" : "Buffer Size (number of events)",
"description" : "Size of the queue where events are buffered before they are written to the database.<br><br>This queue has to be big enough to store all incoming events that have not yet been written to the database.<p>If the queue reaches capacity, the process will block until a write occurs.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"bufferingMaxBatchedEvents" : {
"title" : "Max Batched Events",
"description" : "Specifies the maximum number of batched statements the database can support per connection.",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"bufferingWriterThreads" : {
"title" : "Writer Threads",
"description" : "Specifies the number of threads used to write the buffered events.",
"propertyOrder" : 4600,
"required" : true,
"type" : "string"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"bufferingWriteInterval" : {
"title" : "Write Interval",
"description" : "Specifies the interval (seconds) at which buffered events are written to the database.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 4800,
"required" : true,
"type" : "string"
}
}
}
}
}
/realm-config/services/audit/JDBC/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 3200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"jdbcDatabaseConfig" : {
"type" : "object",
"title" : "Database Configuration",
"propertyOrder" : 2,
"properties" : {
"idleTimeout" : {
"title" : "Maximum Connection Idle Timeout (seconds)",
"description" : "Specifies the maximum idle time before the connection is closed, in seconds.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "Specifies the username to access the database server.",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"maxPoolSize" : {
"title" : "Maximum Connections",
"description" : "Specifies the maximum number of connections in the connection pool.",
"propertyOrder" : 4200,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "Specifies the password to access the database server.",
"propertyOrder" : 3700,
"required" : true,
"type" : "string",
"format" : "password"
},
"connectionTimeout" : {
"title" : "Connection Timeout (seconds)",
"description" : "Specifies the maximum wait time before failing the connection, in seconds.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC Database URL",
"description" : "URL of the JDBC database.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"maxLifetime" : {
"title" : "Maximum Connection Time (seconds)",
"description" : "Specifies the maximum time a JDBC connection can be open, in seconds.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"minIdle" : {
"title" : "Minimum Idle Connections",
"description" : "Specifies the minimum number of idle connections in the connection pool.",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"databaseType" : {
"title" : "Database Type",
"description" : "Select the database to use for logging audit events.<br><br>Identifies the database in use, for example MySQL, Oracle, or SQL.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"driverClassName" : {
"title" : "JDBC Driver",
"description" : "Fully qualified JDBC driver class name.",
"propertyOrder" : 3500,
"required" : true,
"type" : "string"
}
}
},
"jdbcBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingMaxSize" : {
"title" : "Buffer Size (number of events)",
"description" : "Size of the queue where events are buffered before they are written to the database.<br><br>This queue has to be big enough to store all incoming events that have not yet been written to the database.<p>If the queue reaches capacity, the process will block until a write occurs.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"bufferingMaxBatchedEvents" : {
"title" : "Max Batched Events",
"description" : "Specifies the maximum number of batched statements the database can support per connection.",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"bufferingWriterThreads" : {
"title" : "Writer Threads",
"description" : "Specifies the number of threads used to write the buffered events.",
"propertyOrder" : 4600,
"required" : true,
"type" : "string"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"bufferingWriteInterval" : {
"title" : "Write Interval",
"description" : "Specifies the interval (seconds) at which buffered events are written to the database.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 4800,
"required" : true,
"type" : "string"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 3200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"jdbcDatabaseConfig" : {
"type" : "object",
"title" : "Database Configuration",
"propertyOrder" : 2,
"properties" : {
"idleTimeout" : {
"title" : "Maximum Connection Idle Timeout (seconds)",
"description" : "Specifies the maximum idle time before the connection is closed, in seconds.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "Specifies the username to access the database server.",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"maxPoolSize" : {
"title" : "Maximum Connections",
"description" : "Specifies the maximum number of connections in the connection pool.",
"propertyOrder" : 4200,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "Specifies the password to access the database server.",
"propertyOrder" : 3700,
"required" : true,
"type" : "string",
"format" : "password"
},
"connectionTimeout" : {
"title" : "Connection Timeout (seconds)",
"description" : "Specifies the maximum wait time before failing the connection, in seconds.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC Database URL",
"description" : "URL of the JDBC database.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"maxLifetime" : {
"title" : "Maximum Connection Time (seconds)",
"description" : "Specifies the maximum time a JDBC connection can be open, in seconds.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"minIdle" : {
"title" : "Minimum Idle Connections",
"description" : "Specifies the minimum number of idle connections in the connection pool.",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"databaseType" : {
"title" : "Database Type",
"description" : "Select the database to use for logging audit events.<br><br>Identifies the database in use, for example MySQL, Oracle, or SQL.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"driverClassName" : {
"title" : "JDBC Driver",
"description" : "Fully qualified JDBC driver class name.",
"propertyOrder" : 3500,
"required" : true,
"type" : "string"
}
}
},
"jdbcBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingMaxSize" : {
"title" : "Buffer Size (number of events)",
"description" : "Size of the queue where events are buffered before they are written to the database.<br><br>This queue has to be big enough to store all incoming events that have not yet been written to the database.<p>If the queue reaches capacity, the process will block until a write occurs.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"bufferingMaxBatchedEvents" : {
"title" : "Max Batched Events",
"description" : "Specifies the maximum number of batched statements the database can support per connection.",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"bufferingWriterThreads" : {
"title" : "Writer Threads",
"description" : "Specifies the number of threads used to write the buffered events.",
"propertyOrder" : 4600,
"required" : true,
"type" : "string"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"bufferingWriteInterval" : {
"title" : "Write Interval",
"description" : "Specifies the interval (seconds) at which buffered events are written to the database.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 4800,
"required" : true,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 3200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"jdbcDatabaseConfig" : {
"type" : "object",
"title" : "Database Configuration",
"propertyOrder" : 2,
"properties" : {
"idleTimeout" : {
"title" : "Maximum Connection Idle Timeout (seconds)",
"description" : "Specifies the maximum idle time before the connection is closed, in seconds.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "Specifies the username to access the database server.",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"maxPoolSize" : {
"title" : "Maximum Connections",
"description" : "Specifies the maximum number of connections in the connection pool.",
"propertyOrder" : 4200,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "Specifies the password to access the database server.",
"propertyOrder" : 3700,
"required" : true,
"type" : "string",
"format" : "password"
},
"connectionTimeout" : {
"title" : "Connection Timeout (seconds)",
"description" : "Specifies the maximum wait time before failing the connection, in seconds.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC Database URL",
"description" : "URL of the JDBC database.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"maxLifetime" : {
"title" : "Maximum Connection Time (seconds)",
"description" : "Specifies the maximum time a JDBC connection can be open, in seconds.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"minIdle" : {
"title" : "Minimum Idle Connections",
"description" : "Specifies the minimum number of idle connections in the connection pool.",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"databaseType" : {
"title" : "Database Type",
"description" : "Select the database to use for logging audit events.<br><br>Identifies the database in use, for example MySQL, Oracle, or SQL.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"driverClassName" : {
"title" : "JDBC Driver",
"description" : "Fully qualified JDBC driver class name.",
"propertyOrder" : 3500,
"required" : true,
"type" : "string"
}
}
},
"jdbcBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingMaxSize" : {
"title" : "Buffer Size (number of events)",
"description" : "Size of the queue where events are buffered before they are written to the database.<br><br>This queue has to be big enough to store all incoming events that have not yet been written to the database.<p>If the queue reaches capacity, the process will block until a write occurs.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"bufferingMaxBatchedEvents" : {
"title" : "Max Batched Events",
"description" : "Specifies the maximum number of batched statements the database can support per connection.",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"bufferingWriterThreads" : {
"title" : "Writer Threads",
"description" : "Specifies the number of threads used to write the buffered events.",
"propertyOrder" : 4600,
"required" : true,
"type" : "string"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"bufferingWriteInterval" : {
"title" : "Write Interval",
"description" : "Specifies the interval (seconds) at which buffered events are written to the database.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 4800,
"required" : true,
"type" : "string"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 3100,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 3200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"jdbcDatabaseConfig" : {
"type" : "object",
"title" : "Database Configuration",
"propertyOrder" : 2,
"properties" : {
"idleTimeout" : {
"title" : "Maximum Connection Idle Timeout (seconds)",
"description" : "Specifies the maximum idle time before the connection is closed, in seconds.",
"propertyOrder" : 3900,
"required" : true,
"type" : "string"
},
"username" : {
"title" : "Database Username",
"description" : "Specifies the username to access the database server.",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"maxPoolSize" : {
"title" : "Maximum Connections",
"description" : "Specifies the maximum number of connections in the connection pool.",
"propertyOrder" : 4200,
"required" : true,
"type" : "string"
},
"password" : {
"title" : "Database Password",
"description" : "Specifies the password to access the database server.",
"propertyOrder" : 3700,
"required" : true,
"type" : "string",
"format" : "password"
},
"connectionTimeout" : {
"title" : "Connection Timeout (seconds)",
"description" : "Specifies the maximum wait time before failing the connection, in seconds.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"jdbcUrl" : {
"title" : "JDBC Database URL",
"description" : "URL of the JDBC database.",
"propertyOrder" : 3400,
"required" : true,
"type" : "string"
},
"maxLifetime" : {
"title" : "Maximum Connection Time (seconds)",
"description" : "Specifies the maximum time a JDBC connection can be open, in seconds.",
"propertyOrder" : 4000,
"required" : true,
"type" : "string"
},
"minIdle" : {
"title" : "Minimum Idle Connections",
"description" : "Specifies the minimum number of idle connections in the connection pool.",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"databaseType" : {
"title" : "Database Type",
"description" : "Select the database to use for logging audit events.<br><br>Identifies the database in use, for example MySQL, Oracle, or SQL.",
"propertyOrder" : 3300,
"required" : true,
"type" : "string"
},
"driverClassName" : {
"title" : "JDBC Driver",
"description" : "Fully qualified JDBC driver class name.",
"propertyOrder" : 3500,
"required" : true,
"type" : "string"
}
}
},
"jdbcBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingMaxSize" : {
"title" : "Buffer Size (number of events)",
"description" : "Size of the queue where events are buffered before they are written to the database.<br><br>This queue has to be big enough to store all incoming events that have not yet been written to the database.<p>If the queue reaches capacity, the process will block until a write occurs.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string"
},
"bufferingMaxBatchedEvents" : {
"title" : "Max Batched Events",
"description" : "Specifies the maximum number of batched statements the database can support per connection.",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"bufferingWriterThreads" : {
"title" : "Writer Threads",
"description" : "Specifies the number of threads used to write the buffered events.",
"propertyOrder" : 4600,
"required" : true,
"type" : "string"
},
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 4300,
"required" : true,
"type" : "boolean"
},
"bufferingWriteInterval" : {
"title" : "Write Interval",
"description" : "Specifies the interval (seconds) at which buffered events are written to the database.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 4800,
"required" : true,
"type" : "string"
}
}
}
}
}
/realm-config/services/audit/JMS
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"batchEvents" : {
"type" : "object",
"title" : "Batch Events",
"propertyOrder" : 3,
"properties" : {
"maxBatchedEvents" : {
"title" : "Max Batched",
"description" : "Maximum number of events per batch.",
"propertyOrder" : 7100,
"required" : true,
"type" : "integer"
},
"shutdownTimeoutSec" : {
"title" : "Shutdown Timeout",
"description" : "Application waiting period (seconds) for worker thread termination.",
"propertyOrder" : 7500,
"required" : true,
"type" : "integer"
},
"insertTimeoutSec" : {
"title" : "Insert Timeout",
"description" : "Waiting period (seconds) for available capacity, when a new event enters the queue.",
"propertyOrder" : 7300,
"required" : true,
"type" : "integer"
},
"batchEnabled" : {
"title" : "Batch enabled",
"description" : "Boolean for batch delivery of audit events.",
"propertyOrder" : 6900,
"required" : true,
"type" : "boolean"
},
"pollTimeoutSec" : {
"title" : "Polling Timeout",
"description" : "Worker thread waiting period (seconds) for the next event, before going idle.",
"propertyOrder" : 7400,
"required" : true,
"type" : "integer"
},
"batchThreadCount" : {
"title" : "Thread Count",
"description" : "Number of concurrent threads that pull events from the batch queue.",
"propertyOrder" : 7200,
"required" : true,
"type" : "integer"
},
"batchCapacity" : {
"title" : "Capacity",
"description" : "Maximum event count in the batch queue; additional events are dropped.",
"propertyOrder" : 7000,
"required" : true,
"type" : "integer"
}
}
},
"jmsConfiguration" : {
"type" : "object",
"title" : "JMS Configuration",
"propertyOrder" : 2,
"properties" : {
"jndiTopicName" : {
"title" : "JMS Topic Name",
"description" : "JNDI lookup name for the JMS topic",
"propertyOrder" : 6700,
"required" : true,
"type" : "string"
},
"jndiConnectionFactoryName" : {
"title" : "JMS Connection Factory Name",
"description" : "Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. OpenAM performs a JNDI lookup on this name to locate your broker's connection factory.<p><p>See the documentation for your JMS message broker for the required value.<p>The default is the connection factory name for Apache ActiveMQ.",
"propertyOrder" : 6800,
"required" : true,
"type" : "string"
},
"sessionMode" : {
"title" : "Session Mode",
"description" : "Specifies the JMS session acknowledgement mode: <code>AUTO</code>, <code>CLIENT</code>, or <code>DUPS_OK</code>.<p><ul><li>Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.</li><li>Duplicates OK mode ensures that messages are delivered at least once.</li><li>Client mode does not ensure delivery.</li></ul><p>Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.",
"propertyOrder" : 6500,
"required" : true,
"type" : "string"
},
"jndiContextProperties" : {
"title" : "JNDI Context Properties",
"description" : "Specifies JNDI properties that OpenAM uses to connect to the JMS message broker to which OpenAM will publish audit events.<p><p>OpenAM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for OpenAM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.<p>The default properties are example properties for connecting to Apache ActiveMQ.",
"propertyOrder" : 6600,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"deliveryMode" : {
"title" : "Delivery Mode",
"description" : "Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.<p><p>With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.<p>Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.",
"propertyOrder" : 6400,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 6300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 6200,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 7600,
"required" : true,
"type" : "string"
}
}
}
}
}
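The JDBC handler schema above (repeated for its Read, Update and Delete operations) and the JMS handler schema just above describe the same four-section body shape, with two details that matter when scripting the configuration: the descriptor marks fields as required with a boolean on each property (draft-03 style), which a stock draft-04 validator does not enforce, and the JDBC numeric settings are typed "string" while the JMS ones are "integer". The following is an added example, not code from the OpenAM API descriptor or the OpenAM project. It encodes the required fields and types from both schemas, validates a body against them plus two policy checks of its own (no password embedded in the JDBC URL, persistent JMS delivery), masks the field marked format=password before logging, and shapes the CREST create for a client-assigned resource ID as a PUT with If-None-Match: *. The base URL, the /realms/root realm path, the iPlanetDirectoryPro token header, the factory class names and the PERSISTENT enum spelling are assumptions, not values taken from this page.

```python
"""Pre-validate and shape an OpenAM audit handler create request (JDBC or JMS).
Added example, not code from the OpenAM API descriptor or project. Assumed: base URL,
realm path, the iPlanetDirectoryPro token header, factory class names, enum spellings."""
import json
from urllib.parse import quote

# Required fields and JSON types per section, copied from this page's JDBC and JMS
# schemas. The descriptor marks "required" draft-03 style (a boolean on each property),
# which a stock draft-04 validator does not enforce, so the flags are checked here.
HANDLER_SCHEMAS = {
    "JDBC": {
        "commonHandler": {"enabled": "boolean", "topics": "array"},
        "commonHandlerPlugin": {"handlerFactory": "string"},
        "jdbcDatabaseConfig": dict.fromkeys(
            ["databaseType", "jdbcUrl", "driverClassName", "username", "password",
             "connectionTimeout", "idleTimeout", "maxLifetime", "minIdle", "maxPoolSize"], "string"),
        "jdbcBuffering": {"bufferingEnabled": "boolean", "bufferingMaxSize": "string",
                          "bufferingWriteInterval": "string", "bufferingWriterThreads": "string",
                          "bufferingMaxBatchedEvents": "string"},
    },
    "JMS": {
        "commonHandler": {"enabled": "boolean", "topics": "array"},
        "commonHandlerPlugin": {"handlerFactory": "string"},
        "jmsConfiguration": {"deliveryMode": "string", "sessionMode": "string",
                             "jndiContextProperties": "object", "jndiTopicName": "string",
                             "jndiConnectionFactoryName": "string"},
        "batchEvents": {"batchEnabled": "boolean", **dict.fromkeys(
            ["batchCapacity", "maxBatchedEvents", "batchThreadCount", "insertTimeoutSec",
             "pollTimeoutSec", "shutdownTimeoutSec"], "integer")},
    },
}
PY_TYPES = {"string": str, "boolean": bool, "integer": int, "array": list, "object": dict}
SECRET_FIELDS = [("jdbcDatabaseConfig", "password")]  # the field marked "format": "password"


def validate_handler(handler_type, body):
    """Problems found; empty means the body matches the page's schema and this example's policy."""
    problems = []
    for section, fields in HANDLER_SCHEMAS[handler_type].items():
        values = body.get(section)
        if not isinstance(values, dict):
            problems.append(f"missing section {section}")
            continue
        for name, jtype in fields.items():
            if name not in values:
                problems.append(f"{section}.{name} is required")
            elif (not isinstance(values[name], PY_TYPES[jtype])
                  or (jtype == "integer" and isinstance(values[name], bool))):  # bool is an int in Python
                problems.append(f"{section}.{name} must be {jtype}")
    if problems:
        return problems
    # Policy checks of this example (assumptions, not OpenAM rules).
    if not body["commonHandler"]["topics"]:
        problems.append("commonHandler.topics is empty: the handler would record nothing")
    if handler_type == "JDBC" and "password=" in body["jdbcDatabaseConfig"]["jdbcUrl"].lower():
        problems.append("jdbcUrl embeds a password; use the password field, which is masked")
    if handler_type == "JMS" and body["jmsConfiguration"]["deliveryMode"] != "PERSISTENT":
        problems.append("deliveryMode is not PERSISTENT; audit events can be lost in JMS transit")
    return problems


def redacted(body):
    """Deep copy safe for logging: masks every field the descriptor marks format=password."""
    out = json.loads(json.dumps(body))
    for section, name in SECRET_FIELDS:
        if name in out.get(section, {}):
            out[section][name] = "***"
    return out


def crest_create_request(base_url, realm_path, handler_type, handler_id, body, sso_token):
    """CREST create for a client-assigned ID: PUT .../{id} with If-None-Match: * so the
    call fails instead of silently replacing a handler that already exists."""
    problems = validate_handler(handler_type, body)
    if problems:
        raise ValueError("; ".join(problems))
    url = (f"{base_url}/json{realm_path}/realm-config/services/audit/"
           f"{handler_type}/{quote(handler_id, safe='')}")
    headers = {"Content-Type": "application/json", "Accept-API-Version": "resource=1.0",
               "If-None-Match": "*", "iPlanetDirectoryPro": sso_token}  # header name assumed
    return {"method": "PUT", "url": url, "headers": headers, "body": json.dumps(body)}


# Constructed sample bodies; values are illustrative, not OpenAM defaults.
JDBC_BODY = {
    "commonHandler": {"enabled": True, "topics": ["access", "activity", "authentication", "config"]},
    "commonHandlerPlugin": {"handlerFactory": "com.example.audit.JdbcHandlerFactory"},  # placeholder
    "jdbcDatabaseConfig": {"databaseType": "MySQL", "jdbcUrl": "jdbc:mysql://db.example.com:3306/audit",
                           "driverClassName": "com.mysql.cj.jdbc.Driver", "username": "audit_writer",
                           "password": "s3cret", "connectionTimeout": "30", "idleTimeout": "600",
                           "maxLifetime": "1800", "minIdle": "1", "maxPoolSize": "10"},
    "jdbcBuffering": {"bufferingEnabled": True, "bufferingMaxSize": "100000", "bufferingWriteInterval": "5",
                      "bufferingWriterThreads": "1", "bufferingMaxBatchedEvents": "100"},
}
JMS_BODY = {
    "commonHandler": {"enabled": True, "topics": ["access", "authentication"]},
    "commonHandlerPlugin": {"handlerFactory": "com.example.audit.JmsHandlerFactory"},  # placeholder
    "jmsConfiguration": {"deliveryMode": "PERSISTENT", "sessionMode": "AUTO", "jndiTopicName": "audit",
                         "jndiConnectionFactoryName": "ConnectionFactory",
                         "jndiContextProperties": {"java.naming.provider.url": "tcp://mq.example.com:61616"}},
    "batchEvents": {"batchEnabled": True, "batchCapacity": 5000, "maxBatchedEvents": 100, "batchThreadCount": 3,
                    "insertTimeoutSec": 60, "pollTimeoutSec": 10, "shutdownTimeoutSec": 60},
}
```

Call crest_create_request() with a live session token and send the returned request with any HTTP client; log redacted(body) rather than the body itself, since the JDBC password travels in the request in clear and would otherwise end up in deployment logs. The JMS capacity and timeout values are plain integers, so a body generated from a template that stringifies every setting is rejected before it reaches the server.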
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"batchEvents" : {
"type" : "object",
"title" : "Batch Events",
"propertyOrder" : 3,
"properties" : {
"maxBatchedEvents" : {
"title" : "Max Batched",
"description" : "Maximum number of events per batch.",
"propertyOrder" : 7100,
"required" : true,
"type" : "integer"
},
"shutdownTimeoutSec" : {
"title" : "Shutdown Timeout",
"description" : "Application waiting period (seconds) for worker thread termination.",
"propertyOrder" : 7500,
"required" : true,
"type" : "integer"
},
"insertTimeoutSec" : {
"title" : "Insert Timeout",
"description" : "Waiting period (seconds) for available capacity, when a new event enters the queue.",
"propertyOrder" : 7300,
"required" : true,
"type" : "integer"
},
"batchEnabled" : {
"title" : "Batch enabled",
"description" : "Boolean for batch delivery of audit events.",
"propertyOrder" : 6900,
"required" : true,
"type" : "boolean"
},
"pollTimeoutSec" : {
"title" : "Polling Timeout",
"description" : "Worker thread waiting period (seconds) for the next event, before going idle.",
"propertyOrder" : 7400,
"required" : true,
"type" : "integer"
},
"batchThreadCount" : {
"title" : "Thread Count",
"description" : "Number of concurrent threads that pull events from the batch queue.",
"propertyOrder" : 7200,
"required" : true,
"type" : "integer"
},
"batchCapacity" : {
"title" : "Capacity",
"description" : "Maximum event count in the batch queue; additional events are dropped.",
"propertyOrder" : 7000,
"required" : true,
"type" : "integer"
}
}
},
"jmsConfiguration" : {
"type" : "object",
"title" : "JMS Configuration",
"propertyOrder" : 2,
"properties" : {
"jndiTopicName" : {
"title" : "JMS Topic Name",
"description" : "JNDI lookup name for the JMS topic",
"propertyOrder" : 6700,
"required" : true,
"type" : "string"
},
"jndiConnectionFactoryName" : {
"title" : "JMS Connection Factory Name",
"description" : "Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. OpenAM performs a JNDI lookup on this name to locate your broker's connection factory.<p><p>See the documentation for your JMS message broker for the required value.<p>The default is the connection factory name for Apache ActiveMQ.",
"propertyOrder" : 6800,
"required" : true,
"type" : "string"
},
"sessionMode" : {
"title" : "Session Mode",
"description" : "Specifies the JMS session acknowledgement mode: <code>AUTO</code>, <code>CLIENT</code>, or <code>DUPS_OK</code>.<p><ul><li>Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.</li><li>Duplicates OK mode ensures that messages are delivered at least once.</li><li>Client mode does not ensure delivery.</li></ul><p>Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.",
"propertyOrder" : 6500,
"required" : true,
"type" : "string"
},
"jndiContextProperties" : {
"title" : "JNDI Context Properties",
"description" : "Specifies JNDI properties that OpenAM uses to connect to the JMS message broker to which OpenAM will publish audit events.<p><p>OpenAM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for OpenAM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.<p>The default properties are example properties for connecting to Apache ActiveMQ.",
"propertyOrder" : 6600,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"deliveryMode" : {
"title" : "Delivery Mode",
"description" : "Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.<p><p>With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.<p>Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.",
"propertyOrder" : 6400,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 6300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 6200,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 7600,
"required" : true,
"type" : "string"
}
}
}
}
}
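The nextdescendents action and the _queryFilter=true query above are what an operator or a detection engineer reads back to confirm that audit handlers are still enabled and still cover every topic; a handler switched to enabled=false or trimmed to a single topic is a quiet way to blind the realm's audit trail. The following is an added example, not code from the OpenAM API descriptor or project. It parses two constructed responses in the shape documented above and reports handlers that are disabled or miss expected topics, plus the topics no enabled handler records at all. The topic set (access, activity, authentication, config), the CREST envelope fields, and the _type object carrying an _id are assumptions of the example.

```python
"""Audit handler posture from CREST query / nextdescendents responses.
Added example, not OpenAM code. Assumed: the topic names, the result/resultCount
envelope, and that a nextdescendents item's "_type" object carries an "_id"."""
import json

EXPECTED_TOPICS = {"access", "activity", "authentication", "config"}  # assumed topic set

# Constructed response to GET .../realm-config/services/audit/JMS?_queryFilter=true,
# trimmed to the fields the checks need.
QUERY_RESPONSE = json.loads("""{
  "result": [
    {"_id": "jms-audit", "commonHandler": {"enabled": true, "topics": ["access"]}},
    {"_id": "jms-backup", "commonHandler": {"enabled": false,
        "topics": ["access", "activity", "authentication", "config"]}}
  ],
  "resultCount": 2
}""")

# Constructed response to the nextdescendents action on the audit service (path assumed).
NEXT_DESCENDENTS = json.loads("""{
  "result": [
    {"_id": "jdbc-audit", "_type": {"_id": "JDBC"},
     "commonHandler": {"enabled": true, "topics": ["access", "activity", "authentication", "config"]}},
    {"_id": "jms-audit", "_type": {"_id": "JMS"},
     "commonHandler": {"enabled": true, "topics": ["access"]}}
  ]
}""")


def handler_findings(items, handler_type=None):
    """One (type, id, reason) per handler that is disabled or misses expected topics.
    handler_type is used for query results, which carry no _type; nextdescendents items do."""
    findings = []
    for item in items:
        htype = handler_type or item.get("_type", {}).get("_id", "?")
        common = item.get("commonHandler", {})
        missing = EXPECTED_TOPICS - set(common.get("topics", []))
        if not common.get("enabled", False):
            findings.append((htype, item["_id"], "handler disabled"))
        elif missing:
            findings.append((htype, item["_id"], "missing topics: " + ", ".join(sorted(missing))))
    return findings


def uncovered_topics(items):
    """Expected topics that no enabled handler in the list records: these events are
    generated but written nowhere, whatever the other handlers are configured to do."""
    covered = set()
    for item in items:
        common = item.get("commonHandler", {})
        if common.get("enabled", False):
            covered |= set(common.get("topics", []))
    return EXPECTED_TOPICS - covered
```

Run handler_findings() per handler type over the query response and uncovered_topics() over the nextdescendents result for the whole audit service; a non-empty uncovered set is the condition to alert on, since a single remaining handler with a narrow topic list still leaves the realm looking "audited" in a per-handler view.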
/realm-config/services/audit/JMS/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"batchEvents" : {
"type" : "object",
"title" : "Batch Events",
"propertyOrder" : 3,
"properties" : {
"maxBatchedEvents" : {
"title" : "Max Batched",
"description" : "Maximum number of events per batch.",
"propertyOrder" : 7100,
"required" : true,
"type" : "integer"
},
"shutdownTimeoutSec" : {
"title" : "Shutdown Timeout",
"description" : "Application waiting period (seconds) for worker thread termination.",
"propertyOrder" : 7500,
"required" : true,
"type" : "integer"
},
"insertTimeoutSec" : {
"title" : "Insert Timeout",
"description" : "Waiting period (seconds) for available capacity, when a new event enters the queue.",
"propertyOrder" : 7300,
"required" : true,
"type" : "integer"
},
"batchEnabled" : {
"title" : "Batch enabled",
"description" : "Boolean for batch delivery of audit events.",
"propertyOrder" : 6900,
"required" : true,
"type" : "boolean"
},
"pollTimeoutSec" : {
"title" : "Polling Timeout",
"description" : "Worker thread waiting period (seconds) for the next event, before going idle.",
"propertyOrder" : 7400,
"required" : true,
"type" : "integer"
},
"batchThreadCount" : {
"title" : "Thread Count",
"description" : "Number of concurrent threads that pull events from the batch queue.",
"propertyOrder" : 7200,
"required" : true,
"type" : "integer"
},
"batchCapacity" : {
"title" : "Capacity",
"description" : "Maximum event count in the batch queue; additional events are dropped.",
"propertyOrder" : 7000,
"required" : true,
"type" : "integer"
}
}
},
"jmsConfiguration" : {
"type" : "object",
"title" : "JMS Configuration",
"propertyOrder" : 2,
"properties" : {
"jndiTopicName" : {
"title" : "JMS Topic Name",
"description" : "JNDI lookup name for the JMS topic",
"propertyOrder" : 6700,
"required" : true,
"type" : "string"
},
"jndiConnectionFactoryName" : {
"title" : "JMS Connection Factory Name",
"description" : "Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. OpenAM performs a JNDI lookup on this name to locate your broker's connection factory.<p><p>See the documentation for your JMS message broker for the required value.<p>The default is the connection factory name for Apache ActiveMQ.",
"propertyOrder" : 6800,
"required" : true,
"type" : "string"
},
"sessionMode" : {
"title" : "Session Mode",
"description" : "Specifies the JMS session acknowledgement mode: <code>AUTO</code>, <code>CLIENT</code>, or <code>DUPS_OK</code>.<p><ul><li>Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.</li><li>Duplicates OK mode ensures that messages are delivered at least once.</li><li>Client mode does not ensure delivery.</li></ul><p>Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.",
"propertyOrder" : 6500,
"required" : true,
"type" : "string"
},
"jndiContextProperties" : {
"title" : "JNDI Context Properties",
"description" : "Specifies JNDI properties that OpenAM uses to connect to the JMS message broker to which OpenAM will publish audit events.<p><p>OpenAM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for OpenAM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.<p>The default properties are example properties for connecting to Apache ActiveMQ.",
"propertyOrder" : 6600,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"deliveryMode" : {
"title" : "Delivery Mode",
"description" : "Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.<p><p>With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.<p>Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.",
"propertyOrder" : 6400,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 6300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 6200,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 7600,
"required" : true,
"type" : "string"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"batchEvents" : {
"type" : "object",
"title" : "Batch Events",
"propertyOrder" : 3,
"properties" : {
"maxBatchedEvents" : {
"title" : "Max Batched",
"description" : "Maximum number of events per batch.",
"propertyOrder" : 7100,
"required" : true,
"type" : "integer"
},
"shutdownTimeoutSec" : {
"title" : "Shutdown Timeout",
"description" : "Application waiting period (seconds) for worker thread termination.",
"propertyOrder" : 7500,
"required" : true,
"type" : "integer"
},
"insertTimeoutSec" : {
"title" : "Insert Timeout",
"description" : "Waiting period (seconds) for available capacity, when a new event enters the queue.",
"propertyOrder" : 7300,
"required" : true,
"type" : "integer"
},
"batchEnabled" : {
"title" : "Batch enabled",
"description" : "Boolean for batch delivery of audit events.",
"propertyOrder" : 6900,
"required" : true,
"type" : "boolean"
},
"pollTimeoutSec" : {
"title" : "Polling Timeout",
"description" : "Worker thread waiting period (seconds) for the next event, before going idle.",
"propertyOrder" : 7400,
"required" : true,
"type" : "integer"
},
"batchThreadCount" : {
"title" : "Thread Count",
"description" : "Number of concurrent threads that pull events from the batch queue.",
"propertyOrder" : 7200,
"required" : true,
"type" : "integer"
},
"batchCapacity" : {
"title" : "Capacity",
"description" : "Maximum event count in the batch queue; additional events are dropped.",
"propertyOrder" : 7000,
"required" : true,
"type" : "integer"
}
}
},
"jmsConfiguration" : {
"type" : "object",
"title" : "JMS Configuration",
"propertyOrder" : 2,
"properties" : {
"jndiTopicName" : {
"title" : "JMS Topic Name",
"description" : "JNDI lookup name for the JMS topic",
"propertyOrder" : 6700,
"required" : true,
"type" : "string"
},
"jndiConnectionFactoryName" : {
"title" : "JMS Connection Factory Name",
"description" : "Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. OpenAM performs a JNDI lookup on this name to locate your broker's connection factory.<p><p>See the documentation for your JMS message broker for the required value.<p>The default is the connection factory name for Apache ActiveMQ.",
"propertyOrder" : 6800,
"required" : true,
"type" : "string"
},
"sessionMode" : {
"title" : "Session Mode",
"description" : "Specifies the JMS session acknowledgement mode: <code>AUTO</code>, <code>CLIENT</code>, or <code>DUPS_OK</code>.<p><ul><li>Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.</li><li>Duplicates OK mode ensures that messages are delivered at least once.</li><li>Client mode does not ensure delivery.</li></ul><p>Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.",
"propertyOrder" : 6500,
"required" : true,
"type" : "string"
},
"jndiContextProperties" : {
"title" : "JNDI Context Properties",
"description" : "Specifies JNDI properties that OpenAM uses to connect to the JMS message broker to which OpenAM will publish audit events.<p><p>OpenAM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for OpenAM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.<p>The default properties are example properties for connecting to Apache ActiveMQ.",
"propertyOrder" : 6600,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"deliveryMode" : {
"title" : "Delivery Mode",
"description" : "Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.<p><p>With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.<p>Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.",
"propertyOrder" : 6400,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 6300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 6200,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 7600,
"required" : true,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"batchEvents" : {
"type" : "object",
"title" : "Batch Events",
"propertyOrder" : 3,
"properties" : {
"maxBatchedEvents" : {
"title" : "Max Batched",
"description" : "Maximum number of events per batch.",
"propertyOrder" : 7100,
"required" : true,
"type" : "integer"
},
"shutdownTimeoutSec" : {
"title" : "Shutdown Timeout",
"description" : "Application waiting period (seconds) for worker thread termination.",
"propertyOrder" : 7500,
"required" : true,
"type" : "integer"
},
"insertTimeoutSec" : {
"title" : "Insert Timeout",
"description" : "Waiting period (seconds) for available capacity, when a new event enters the queue.",
"propertyOrder" : 7300,
"required" : true,
"type" : "integer"
},
"batchEnabled" : {
"title" : "Batch enabled",
"description" : "Boolean for batch delivery of audit events.",
"propertyOrder" : 6900,
"required" : true,
"type" : "boolean"
},
"pollTimeoutSec" : {
"title" : "Polling Timeout",
"description" : "Worker thread waiting period (seconds) for the next event, before going idle.",
"propertyOrder" : 7400,
"required" : true,
"type" : "integer"
},
"batchThreadCount" : {
"title" : "Thread Count",
"description" : "Number of concurrent threads that pull events from the batch queue.",
"propertyOrder" : 7200,
"required" : true,
"type" : "integer"
},
"batchCapacity" : {
"title" : "Capacity",
"description" : "Maximum event count in the batch queue; additional events are dropped.",
"propertyOrder" : 7000,
"required" : true,
"type" : "integer"
}
}
},
"jmsConfiguration" : {
"type" : "object",
"title" : "JMS Configuration",
"propertyOrder" : 2,
"properties" : {
"jndiTopicName" : {
"title" : "JMS Topic Name",
"description" : "JNDI lookup name for the JMS topic",
"propertyOrder" : 6700,
"required" : true,
"type" : "string"
},
"jndiConnectionFactoryName" : {
"title" : "JMS Connection Factory Name",
"description" : "Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. OpenAM performs a JNDI lookup on this name to locate your broker's connection factory.<p><p>See the documentation for your JMS message broker for the required value.<p>The default is the connection factory name for Apache ActiveMQ.",
"propertyOrder" : 6800,
"required" : true,
"type" : "string"
},
"sessionMode" : {
"title" : "Session Mode",
"description" : "Specifies the JMS session acknowledgement mode: <code>AUTO</code>, <code>CLIENT</code>, or <code>DUPS_OK</code>.<p><ul><li>Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.</li><li>Duplicates OK mode ensures that messages are delivered at least once.</li><li>Client mode does not ensure delivery.</li></ul><p>Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.",
"propertyOrder" : 6500,
"required" : true,
"type" : "string"
},
"jndiContextProperties" : {
"title" : "JNDI Context Properties",
"description" : "Specifies JNDI properties that OpenAM uses to connect to the JMS message broker to which OpenAM will publish audit events.<p><p>OpenAM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for OpenAM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.<p>The default properties are example properties for connecting to Apache ActiveMQ.",
"propertyOrder" : 6600,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"deliveryMode" : {
"title" : "Delivery Mode",
"description" : "Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.<p><p>With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.<p>Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.",
"propertyOrder" : 6400,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 6300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 6200,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 7600,
"required" : true,
"type" : "string"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"batchEvents" : {
"type" : "object",
"title" : "Batch Events",
"propertyOrder" : 3,
"properties" : {
"maxBatchedEvents" : {
"title" : "Max Batched",
"description" : "Maximum number of events per batch.",
"propertyOrder" : 7100,
"required" : true,
"type" : "integer"
},
"shutdownTimeoutSec" : {
"title" : "Shutdown Timeout",
"description" : "Application waiting period (seconds) for worker thread termination.",
"propertyOrder" : 7500,
"required" : true,
"type" : "integer"
},
"insertTimeoutSec" : {
"title" : "Insert Timeout",
"description" : "Waiting period (seconds) for available capacity, when a new event enters the queue.",
"propertyOrder" : 7300,
"required" : true,
"type" : "integer"
},
"batchEnabled" : {
"title" : "Batch enabled",
"description" : "Boolean for batch delivery of audit events.",
"propertyOrder" : 6900,
"required" : true,
"type" : "boolean"
},
"pollTimeoutSec" : {
"title" : "Polling Timeout",
"description" : "Worker thread waiting period (seconds) for the next event, before going idle.",
"propertyOrder" : 7400,
"required" : true,
"type" : "integer"
},
"batchThreadCount" : {
"title" : "Thread Count",
"description" : "Number of concurrent threads that pull events from the batch queue.",
"propertyOrder" : 7200,
"required" : true,
"type" : "integer"
},
"batchCapacity" : {
"title" : "Capacity",
"description" : "Maximum event count in the batch queue; additional events are dropped.",
"propertyOrder" : 7000,
"required" : true,
"type" : "integer"
}
}
},
"jmsConfiguration" : {
"type" : "object",
"title" : "JMS Configuration",
"propertyOrder" : 2,
"properties" : {
"jndiTopicName" : {
"title" : "JMS Topic Name",
"description" : "JNDI lookup name for the JMS topic",
"propertyOrder" : 6700,
"required" : true,
"type" : "string"
},
"jndiConnectionFactoryName" : {
"title" : "JMS Connection Factory Name",
"description" : "Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. OpenAM performs a JNDI lookup on this name to locate your broker's connection factory.<p><p>See the documentation for your JMS message broker for the required value.<p>The default is the connection factory name for Apache ActiveMQ.",
"propertyOrder" : 6800,
"required" : true,
"type" : "string"
},
"sessionMode" : {
"title" : "Session Mode",
"description" : "Specifies the JMS session acknowledgement mode: <code>AUTO</code>, <code>CLIENT</code>, or <code>DUPS_OK</code>.<p><ul><li>Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.</li><li>Duplicates OK mode ensures that messages are delivered at least once.</li><li>Client mode does not ensure delivery.</li></ul><p>Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.",
"propertyOrder" : 6500,
"required" : true,
"type" : "string"
},
"jndiContextProperties" : {
"title" : "JNDI Context Properties",
"description" : "Specifies JNDI properties that OpenAM uses to connect to the JMS message broker to which OpenAM will publish audit events.<p><p>OpenAM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for OpenAM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.<p>The default properties are example properties for connecting to Apache ActiveMQ.",
"propertyOrder" : 6600,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"deliveryMode" : {
"title" : "Delivery Mode",
"description" : "Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.<p><p>With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.<p>Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.",
"propertyOrder" : 6400,
"required" : true,
"type" : "string"
}
}
},
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 6300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 6200,
"required" : true,
"type" : "boolean"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 7600,
"required" : true,
"type" : "string"
}
}
}
}
}
/realm-config/services/audit/JSON
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"jsonFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
},
"jsonBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingMaxSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 100000)",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write interval",
"description" : "Interval at which buffered events are written to a file, in milliseconds.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
}
}
},
"jsonConfig" : {
"type" : "object",
"title" : "JSON Configuration",
"propertyOrder" : 2,
"properties" : {
"elasticsearchCompatible" : {
"title" : "ElasticSearch JSON Format Compatible",
"description" : "JSON format should be transformed to be compatible with ElasticSearch format restrictions.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"rotationRetentionCheckInterval" : {
"title" : "File Rotation Retention Check Interval",
"description" : "Interval to check time-based file rotation policies, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log JSON files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"jsonFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"jsonFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
},
"jsonBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingMaxSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 100000)",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write interval",
"description" : "Interval at which buffered events are written to a file, in milliseconds.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
}
}
},
"jsonConfig" : {
"type" : "object",
"title" : "JSON Configuration",
"propertyOrder" : 2,
"properties" : {
"elasticsearchCompatible" : {
"title" : "ElasticSearch JSON Format Compatible",
"description" : "JSON format should be transformed to be compatible with ElasticSearch format restrictions.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"rotationRetentionCheckInterval" : {
"title" : "File Rotation Retention Check Interval",
"description" : "Interval to check time-based file rotation policies, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log JSON files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"jsonFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
}
}
}
/realm-config/services/audit/JSON/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"jsonFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
},
"jsonBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingMaxSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 100000)",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write interval",
"description" : "Interval at which buffered events are written to a file, in milliseconds.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
}
}
},
"jsonConfig" : {
"type" : "object",
"title" : "JSON Configuration",
"propertyOrder" : 2,
"properties" : {
"elasticsearchCompatible" : {
"title" : "ElasticSearch JSON Format Compatible",
"description" : "JSON format should be transformed to be compatible with ElasticSearch format restrictions.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"rotationRetentionCheckInterval" : {
"title" : "File Rotation Retention Check Interval",
"description" : "Interval to check time-based file rotation policies, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log JSON files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"jsonFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"jsonFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
},
"jsonBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingMaxSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 100000)",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write interval",
"description" : "Interval at which buffered events are written to a file, in milliseconds.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
}
}
},
"jsonConfig" : {
"type" : "object",
"title" : "JSON Configuration",
"propertyOrder" : 2,
"properties" : {
"elasticsearchCompatible" : {
"title" : "ElasticSearch JSON Format Compatible",
"description" : "JSON format should be transformed to be compatible with ElasticSearch format restrictions.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"rotationRetentionCheckInterval" : {
"title" : "File Rotation Retention Check Interval",
"description" : "Interval to check time-based file rotation policies, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log JSON files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"jsonFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"jsonFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
},
"jsonBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingMaxSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 100000)",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write interval",
"description" : "Interval at which buffered events are written to a file, in milliseconds.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
}
}
},
"jsonConfig" : {
"type" : "object",
"title" : "JSON Configuration",
"propertyOrder" : 2,
"properties" : {
"elasticsearchCompatible" : {
"title" : "ElasticSearch JSON Format Compatible",
"description" : "JSON format should be transformed to be compatible with ElasticSearch format restrictions.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"rotationRetentionCheckInterval" : {
"title" : "File Rotation Retention Check Interval",
"description" : "Interval to check time-based file rotation policies, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log JSON files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"jsonFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"jsonFileRetention" : {
"type" : "object",
"title" : "File Retention",
"propertyOrder" : 4,
"properties" : {
"retentionMaxDiskSpaceToUse" : {
"title" : "Maximum Disk Space",
"description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"retentionMaxNumberOfHistoryFiles" : {
"title" : "Maximum Number of Historical Files",
"description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"retentionMinFreeSpaceRequired" : {
"title" : "Minimum Free Space Required",
"description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
},
"jsonBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 5,
"properties" : {
"bufferingMaxSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 100000)",
"propertyOrder" : 1500,
"required" : true,
"type" : "string"
},
"bufferingWriteInterval" : {
"title" : "Write interval",
"description" : "Interval at which buffered events are written to a file, in milliseconds.",
"propertyOrder" : 1600,
"required" : true,
"type" : "string"
}
}
},
"jsonConfig" : {
"type" : "object",
"title" : "JSON Configuration",
"propertyOrder" : 2,
"properties" : {
"elasticsearchCompatible" : {
"title" : "ElasticSearch JSON Format Compatible",
"description" : "JSON format should be transformed to be compatible with ElasticSearch format restrictions.",
"propertyOrder" : 1700,
"required" : true,
"type" : "boolean"
},
"rotationRetentionCheckInterval" : {
"title" : "File Rotation Retention Check Interval",
"description" : "Interval to check time-based file rotation policies, in seconds.",
"propertyOrder" : 1800,
"required" : true,
"type" : "string"
},
"location" : {
"title" : "Log Directory",
"description" : "Directory in which to store audit log JSON files.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
}
}
},
"jsonFileRotation" : {
"type" : "object",
"title" : "File Rotation",
"propertyOrder" : 3,
"properties" : {
"rotationFilePrefix" : {
"title" : "File Rotation Prefix",
"description" : "Prefix to prepend to audit files when rotating audit files.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"rotationEnabled" : {
"title" : "Rotation Enabled",
"description" : "Enables and disables audit file rotation.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"rotationTimes" : {
"title" : "Rotation Times",
"description" : "Durations after midnight to trigger file rotation, in seconds.",
"propertyOrder" : 1100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"rotationInterval" : {
"title" : "Rotation Interval",
"description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"rotationMaxFileSize" : {
"title" : "Maximum File Size",
"description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"rotationFileSuffix" : {
"title" : "File Rotation Suffix",
"description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 1900,
"required" : true,
"type" : "string"
}
}
}
}
}
/realm-config/services/audit/Splunk
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"required" : true,
"type" : "string"
}
}
},
"splunkConfig" : {
"type" : "object",
"title" : "Splunk Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server Port",
"description" : "Port number of Splunk server.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Use HTTPS protocol for communication with Splunk.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of Splunk server.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authzToken" : {
"title" : "Authorization Token",
"description" : "Authorization token used to connect to Splunk HTTP Event Collector endpoint.",
"required" : true,
"type" : "string"
}
}
},
"splunkBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit events in the batch queue; additional events are dropped.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Interval at which buffered events are written to Splunk.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"required" : true,
"type" : "string"
}
}
},
"splunkConfig" : {
"type" : "object",
"title" : "Splunk Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server Port",
"description" : "Port number of Splunk server.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Use HTTPS protocol for communication with Splunk.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of Splunk server.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authzToken" : {
"title" : "Authorization Token",
"description" : "Authorization token used to connect to Splunk HTTP Event Collector endpoint.",
"required" : true,
"type" : "string"
}
}
},
"splunkBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit events in the batch queue; additional events are dropped.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Interval at which buffered events are written to Splunk.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
}
}
}
}
}
/realm-config/services/audit/Splunk/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"required" : true,
"type" : "string"
}
}
},
"splunkConfig" : {
"type" : "object",
"title" : "Splunk Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server Port",
"description" : "Port number of Splunk server.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Use HTTPS protocol for communication with Splunk.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of Splunk server.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authzToken" : {
"title" : "Authorization Token",
"description" : "Authorization token used to connect to Splunk HTTP Event Collector endpoint.",
"required" : true,
"type" : "string"
}
}
},
"splunkBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit events in the batch queue; additional events are dropped.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Interval at which buffered events are written to Splunk.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"required" : true,
"type" : "string"
}
}
},
"splunkConfig" : {
"type" : "object",
"title" : "Splunk Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server Port",
"description" : "Port number of Splunk server.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Use HTTPS protocol for communication with Splunk.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of Splunk server.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authzToken" : {
"title" : "Authorization Token",
"description" : "Authorization token used to connect to Splunk HTTP Event Collector endpoint.",
"required" : true,
"type" : "string"
}
}
},
"splunkBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit events in the batch queue; additional events are dropped.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Interval at which buffered events are written to Splunk.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"required" : true,
"type" : "string"
}
}
},
"splunkConfig" : {
"type" : "object",
"title" : "Splunk Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server Port",
"description" : "Port number of Splunk server.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Use HTTPS protocol for communication with Splunk.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of Splunk server.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authzToken" : {
"title" : "Authorization Token",
"description" : "Authorization token used to connect to Splunk HTTP Event Collector endpoint.",
"required" : true,
"type" : "string"
}
}
},
"splunkBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit events in the batch queue; additional events are dropped.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Interval at which buffered events are written to Splunk.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"required" : true,
"type" : "string"
}
}
},
"splunkConfig" : {
"type" : "object",
"title" : "Splunk Configuration",
"propertyOrder" : 2,
"properties" : {
"port" : {
"title" : "Server Port",
"description" : "Port number of Splunk server.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"sslEnabled" : {
"title" : "SSL Enabled",
"description" : "Use HTTPS protocol for communication with Splunk.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"host" : {
"title" : "Server Hostname",
"description" : "Host name or IP address of Splunk server.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authzToken" : {
"title" : "Authorization Token",
"description" : "Authorization token used to connect to Splunk HTTP Event Collector endpoint.",
"required" : true,
"type" : "string"
}
}
},
"splunkBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"maxEvents" : {
"title" : "Queue Capacity",
"description" : "Maximum number of audit events in the batch queue; additional events are dropped.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"writeInterval" : {
"title" : "Write interval (in milliseconds)",
"description" : "Interval at which buffered events are written to Splunk.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"batchSize" : {
"title" : "Batch Size",
"description" : "Maximum number of events that can be buffered (default: 10000).",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
}
}
}
}
}
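The four objects in the Splunk handler schema above describe one handler resource. The setting a reviewer checks before enabling it is sslEnabled: authzToken is a bearer credential for the Splunk HTTP Event Collector and travels with every batch of audit events, so a handler with sslEnabled false sends both the token and the audit data in cleartext. The Go program below is an added example written for this page, not OpenAM's or ForgeRock's code. It mirrors the schema in structs, parses a constructed handler body of the kind Read returns and Update accepts, and lints it: required fields, port range, the sslEnabled check, and a buffering check that is this example's own heuristic rather than a documented rule. The topic names, the factory class name and the port in the sample are assumed placeholder values.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Structs mirroring the Splunk audit event handler schema on this page;
// the JSON property names are the schema's own.
type CommonHandler struct {
	Enabled bool     `json:"enabled"`
	Topics  []string `json:"topics"`
}

type CommonHandlerPlugin struct {
	HandlerFactory string `json:"handlerFactory"`
}

type SplunkConfig struct {
	Host       string `json:"host"`
	Port       int    `json:"port"`
	SSLEnabled bool   `json:"sslEnabled"`
	AuthzToken string `json:"authzToken"`
}

type SplunkBuffering struct {
	MaxEvents     int `json:"maxEvents"`
	WriteInterval int `json:"writeInterval"`
	BatchSize     int `json:"batchSize"`
}

type SplunkHandler struct {
	CommonHandler       CommonHandler       `json:"commonHandler"`
	CommonHandlerPlugin CommonHandlerPlugin `json:"commonHandlerPlugin"`
	SplunkConfig        SplunkConfig        `json:"splunkConfig"`
	SplunkBuffering     SplunkBuffering     `json:"splunkBuffering"`
}

// ParseSplunkHandler decodes a handler resource as returned by Read or sent to Update.
func ParseSplunkHandler(data []byte) (SplunkHandler, error) {
	var h SplunkHandler
	err := json.Unmarshal(data, &h)
	return h, err
}

// LintSplunkHandler returns every problem found: the schema's required fields plus
// the operational checks a reviewer applies before enabling the handler.
func LintSplunkHandler(h SplunkHandler) []string {
	var problems []string
	if len(h.CommonHandler.Topics) == 0 {
		problems = append(problems, "commonHandler.topics: at least one audit topic is required")
	}
	if h.CommonHandlerPlugin.HandlerFactory == "" {
		problems = append(problems, "commonHandlerPlugin.handlerFactory is required")
	}
	c := h.SplunkConfig
	if c.Host == "" {
		problems = append(problems, "splunkConfig.host is required")
	}
	if c.Port < 1 || c.Port > 65535 {
		problems = append(problems, "splunkConfig.port must be between 1 and 65535")
	}
	if c.AuthzToken == "" {
		problems = append(problems, "splunkConfig.authzToken is required")
	}
	// The HEC token is a bearer credential: without HTTPS it crosses the network in
	// cleartext, together with every audit event the handler forwards.
	if !c.SSLEnabled {
		problems = append(problems, "splunkConfig.sslEnabled is false: authzToken and audit data would be sent unencrypted")
	}
	b := h.SplunkBuffering
	if b.MaxEvents < 1 || b.BatchSize < 1 || b.WriteInterval < 1 {
		problems = append(problems, "splunkBuffering.maxEvents, batchSize and writeInterval must be positive")
	}
	// Heuristic (this example's, not a documented rule): events beyond maxEvents are
	// dropped, so a queue smaller than one batch can never hold a full batch.
	if b.BatchSize > b.MaxEvents {
		problems = append(problems, "splunkBuffering.batchSize exceeds maxEvents: a full batch can never be queued")
	}
	return problems
}

// SampleSplunkHandler is a constructed resource body; the topic names, factory class
// and port are placeholder values, not taken from a real deployment.
const SampleSplunkHandler = `{
  "commonHandler": {"enabled": true, "topics": ["access", "activity", "authentication", "config"]},
  "commonHandlerPlugin": {"handlerFactory": "org.example.SplunkAuditEventHandlerFactory"},
  "splunkConfig": {"host": "splunk.example.com", "port": 8088, "sslEnabled": false, "authzToken": "REPLACE-WITH-HEC-TOKEN"},
  "splunkBuffering": {"maxEvents": 10000, "writeInterval": 100, "batchSize": 500}
}`

func main() {
	h, err := ParseSplunkHandler([]byte(SampleSplunkHandler))
	if err != nil {
		panic(err)
	}
	for _, p := range LintSplunkHandler(h) {
		fmt.Println("problem:", p)
	}
}
```

Run the lint over the body Read returns before sending Update; on the sample above it reports only the sslEnabled problem, and flipping sslEnabled to true yields a clean result.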
/realm-config/services/audit/Syslog
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
}
}
},
"sysLogConfig" : {
"type" : "object",
"title" : "Syslog Configuration",
"propertyOrder" : 2,
"properties" : {
"transportProtocol" : {
"title" : "Transport Protocol",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"facility" : {
"title" : "Facility",
"description" : "Syslog facility value to apply to all events.",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server hostname",
"description" : "Host name or IP address of receiving syslog server.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server port",
"description" : "Port number of receiving syslog server.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"connectTimeout" : {
"title" : "Connection timeout",
"description" : "Timeout for connecting to syslog server, in seconds.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string"
}
}
},
"sysLogBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"bufferingMaxSize" : {
"title" : "Buffer Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 5000)",
"propertyOrder" : 2950,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the filter _queryFilter=true.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
}
}
},
"sysLogConfig" : {
"type" : "object",
"title" : "Syslog Configuration",
"propertyOrder" : 2,
"properties" : {
"transportProtocol" : {
"title" : "Transport Protocol",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"facility" : {
"title" : "Facility",
"description" : "Syslog facility value to apply to all events.",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server hostname",
"description" : "Host name or IP address of receiving syslog server.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server port",
"description" : "Port number of receiving syslog server.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"connectTimeout" : {
"title" : "Connection timeout",
"description" : "Timeout for connecting to syslog server, in seconds.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string"
}
}
},
"sysLogBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"bufferingMaxSize" : {
"title" : "Buffer Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 5000)",
"propertyOrder" : 2950,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
}
}
}
}
}
/realm-config/services/audit/Syslog/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
}
}
},
"sysLogConfig" : {
"type" : "object",
"title" : "Syslog Configuration",
"propertyOrder" : 2,
"properties" : {
"transportProtocol" : {
"title" : "Transport Protocol",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"facility" : {
"title" : "Facility",
"description" : "Syslog facility value to apply to all events.",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server hostname",
"description" : "Host name or IP address of receiving syslog server.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server port",
"description" : "Port number of receiving syslog server.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"connectTimeout" : {
"title" : "Connection timeout",
"description" : "Timeout for connecting to syslog server, in seconds.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string"
}
}
},
"sysLogBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"bufferingMaxSize" : {
"title" : "Buffer Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 5000)",
"propertyOrder" : 2950,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
}
}
},
"sysLogConfig" : {
"type" : "object",
"title" : "Syslog Configuration",
"propertyOrder" : 2,
"properties" : {
"transportProtocol" : {
"title" : "Transport Protocol",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"facility" : {
"title" : "Facility",
"description" : "Syslog facility value to apply to all events.",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server hostname",
"description" : "Host name or IP address of receiving syslog server.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server port",
"description" : "Port number of receiving syslog server.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"connectTimeout" : {
"title" : "Connection timeout",
"description" : "Timeout for connecting to syslog server, in seconds.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string"
}
}
},
"sysLogBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"bufferingMaxSize" : {
"title" : "Buffer Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 5000)",
"propertyOrder" : 2950,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
}
}
},
"sysLogConfig" : {
"type" : "object",
"title" : "Syslog Configuration",
"propertyOrder" : 2,
"properties" : {
"transportProtocol" : {
"title" : "Transport Protocol",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"facility" : {
"title" : "Facility",
"description" : "Syslog facility value to apply to all events.",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server hostname",
"description" : "Host name or IP address of receiving syslog server.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server port",
"description" : "Port number of receiving syslog server.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"connectTimeout" : {
"title" : "Connection timeout",
"description" : "Timeout for connecting to syslog server, in seconds.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string"
}
}
},
"sysLogBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"bufferingMaxSize" : {
"title" : "Buffer Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 5000)",
"propertyOrder" : 2950,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonHandler" : {
"type" : "object",
"title" : "General Handler Configuration",
"propertyOrder" : 0,
"properties" : {
"topics" : {
"title" : "Topics",
"description" : "List of topics handled by an audit event handler.",
"propertyOrder" : 2300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"enabled" : {
"title" : "Enabled",
"description" : "Enables or disables an audit event handler.",
"propertyOrder" : 2200,
"required" : true,
"type" : "boolean"
}
}
},
"sysLogConfig" : {
"type" : "object",
"title" : "Syslog Configuration",
"propertyOrder" : 2,
"properties" : {
"transportProtocol" : {
"title" : "Transport Protocol",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"facility" : {
"title" : "Facility",
"description" : "Syslog facility value to apply to all events.",
"propertyOrder" : 2800,
"required" : true,
"type" : "string"
},
"host" : {
"title" : "Server hostname",
"description" : "Host name or IP address of receiving syslog server.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Server port",
"description" : "Port number of receiving syslog server.",
"propertyOrder" : 2500,
"required" : true,
"type" : "string"
},
"connectTimeout" : {
"title" : "Connection timeout",
"description" : "Timeout for connecting to syslog server, in seconds.",
"propertyOrder" : 2700,
"required" : true,
"type" : "string"
}
}
},
"sysLogBuffering" : {
"type" : "object",
"title" : "Buffering",
"propertyOrder" : 3,
"properties" : {
"bufferingEnabled" : {
"title" : "Buffering Enabled",
"description" : "Enables or disables audit event buffering.",
"propertyOrder" : 2900,
"required" : true,
"type" : "boolean"
},
"bufferingMaxSize" : {
"title" : "Buffer Size",
"description" : "Maximum number of events that can be buffered (default/minimum: 5000)",
"propertyOrder" : 2950,
"required" : true,
"type" : "string"
}
}
},
"commonHandlerPlugin" : {
"type" : "object",
"title" : "Audit Event Handler Factory",
"propertyOrder" : 1,
"properties" : {
"handlerFactory" : {
"title" : "Factory Class Name",
"description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
"propertyOrder" : 3000,
"required" : true,
"type" : "string"
}
}
}
}
}
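The Resource ID for the Syslog handler endpoint is assigned by the client, so creating a handler means writing the body above to /realm-config/services/audit/Syslog/{id}. The Go program below is an added example written for this page, not OpenAM's code: it mirrors the Syslog schema in structs, applies the constraints the schema states (required fields, a numeric port string, the documented 5000-event minimum for bufferingMaxSize), sends the create request, and runs it against an in-process mock of the endpoint so both sides of the exchange are visible and run offline. Everything not on this page is an assumption and labelled as such in the code: the iPlanetDirectoryPro session-token header (OpenAM's default name, which deployments can change), the base URL shape ending in /json/realms/root, the CREST convention of PUT with If-None-Match: * for a client-assigned ID, the TCP and LOCAL5 values, and the factory class name, which is a placeholder.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strconv"
)

// Structs mirroring the Syslog handler schema; port and bufferingMaxSize stay strings because the schema types them so.
type SyslogCommon struct{ Enabled bool `json:"enabled"`; Topics []string `json:"topics"` }
type SyslogConfig struct {
	TransportProtocol string `json:"transportProtocol"`
	Facility          string `json:"facility"`
	Host              string `json:"host"`
	Port              string `json:"port"`
	ConnectTimeout    string `json:"connectTimeout"`
}
type SyslogBuffering struct{ BufferingEnabled bool `json:"bufferingEnabled"`; BufferingMaxSize string `json:"bufferingMaxSize"` }
type SyslogPlugin struct{ HandlerFactory string `json:"handlerFactory"` }
type SyslogHandler struct {
	CommonHandler       SyslogCommon    `json:"commonHandler"`
	SysLogConfig        SyslogConfig    `json:"sysLogConfig"`
	SysLogBuffering     SyslogBuffering `json:"sysLogBuffering"`
	CommonHandlerPlugin SyslogPlugin    `json:"commonHandlerPlugin"`
}

// ValidateSyslogHandler checks the required fields, the numeric port string and the documented 5000-event minimum buffer.
func ValidateSyslogHandler(h SyslogHandler) []string {
	var p []string
	if h.SysLogConfig.Host == "" || h.CommonHandlerPlugin.HandlerFactory == "" || len(h.CommonHandler.Topics) == 0 {
		p = append(p, "host, handlerFactory and topics are required")
	}
	if n, err := strconv.Atoi(h.SysLogConfig.Port); err != nil || n < 1 || n > 65535 {
		p = append(p, "sysLogConfig.port must be a number between 1 and 65535")
	}
	if n, err := strconv.Atoi(h.SysLogBuffering.BufferingMaxSize); err != nil || n < 5000 {
		p = append(p, "sysLogBuffering.bufferingMaxSize must be at least 5000")
	}
	return p
}

// NewMockSyslogEndpoint stands in for the endpoint so the exchange runs offline: no session token is 401, an invalid body is 400.
func NewMockSyslogEndpoint() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("iPlanetDirectoryPro") == "" {
			http.Error(w, `{"code":401,"message":"Access Denied"}`, http.StatusUnauthorized)
			return
		}
		var h SyslogHandler
		_ = json.NewDecoder(r.Body).Decode(&h) // a malformed body simply fails validation below
		if p := ValidateSyslogHandler(h); len(p) > 0 {
			msg, _ := json.Marshal(map[string]interface{}{"code": 400, "message": p})
			http.Error(w, string(msg), http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusCreated)
		_ = json.NewEncoder(w).Encode(map[string]interface{}{"_id": path.Base(r.URL.Path), "_rev": "1"})
	}))
}

// CreateSyslogHandler sends the create; baseURL is assumed to be the realm's JSON root, e.g. https://openam.example.com:8443/openam/json/realms/root.
func CreateSyslogHandler(baseURL, sessionToken, id string, h SyslogHandler) (int, map[string]interface{}, error) {
	body, _ := json.Marshal(h)
	req, err := http.NewRequest(http.MethodPut, baseURL+"/realm-config/services/audit/Syslog/"+id, bytes.NewReader(body))
	if err != nil {
		return 0, nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Accept-API-Version", "resource=1.0")
	req.Header.Set("If-None-Match", "*")                // create with a client-assigned ID (CREST convention, assumed)
	req.Header.Set("iPlanetDirectoryPro", sessionToken) // default SSO token header name; deployments may rename it
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	var out map[string]interface{}
	_ = json.NewDecoder(resp.Body).Decode(&out) // error responses carry a JSON body as well
	return resp.StatusCode, out, nil
}

// SampleSyslogHandler is a constructed configuration; transport, facility and factory class are assumed values.
func SampleSyslogHandler() SyslogHandler {
	return SyslogHandler{
		CommonHandler:       SyslogCommon{Enabled: true, Topics: []string{"access", "activity", "authentication", "config"}},
		SysLogConfig:        SyslogConfig{TransportProtocol: "TCP", Facility: "LOCAL5", Host: "syslog.example.com", Port: "514", ConnectTimeout: "30"},
		SysLogBuffering:     SyslogBuffering{BufferingEnabled: true, BufferingMaxSize: "5000"},
		CommonHandlerPlugin: SyslogPlugin{HandlerFactory: "org.example.SyslogAuditEventHandlerFactory"},
	}
}

func main() {
	srv := NewMockSyslogEndpoint()
	defer srv.Close()
	fmt.Println(CreateSyslogHandler(srv.URL, "session-token-placeholder", "syslog-soc", SampleSyslogHandler()))
}
```

Against a real server, replace srv.URL with the realm's JSON root and the placeholder with a session token obtained from the authentication endpoint; the same body, sent without If-None-Match, is what Update expects.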
/realm-config/services/authenticatorOathService
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticatorOATHDeviceSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted under a unique random secret key with AES of the given strength in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half its size) provides integrity protection, giving authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password will be encrypted.",
"propertyOrder" : 500,
"required" : false,
"type" : "string",
"format" : "password"
},
"oathAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticatorOATHSkippableName" : {
"title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
"description" : "The data store attribute that records whether the user has chosen to skip, or to use, one-time passwords from the ForgeRock Authenticator app. This attribute must be writeable.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 key stores require hardware support, such as a security device or smart card, and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : false,
"type" : "string",
"format" : "password"
},
"authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
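The Device Profile Encryption Scheme description above outlines the construction: a fresh random key per profile, AES-CBC with PKCS#5 padding, an HMAC-SHA tag truncated to half its size, and the random key wrapped with the configured RSA key pair. The Go program below is an added example written for this page to show that construction end to end with the standard library; it is not OpenAM's implementation and it fixes, as its own assumptions, the details the description leaves open: 128-bit strength (AES-128 with HMAC-SHA-256 truncated to 16 bytes), one 32-byte random secret split into separate encryption and MAC keys, encrypt-then-MAC over IV and ciphertext, RSA-OAEP with SHA-256 for the key wrap, an in-memory RSA key in place of the key-store alias, and a constructed profile JSON.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptedProfile is what would be stored with the device profile: the
// RSA-wrapped per-profile secret, the IV, the ciphertext and the MAC tag.
type EncryptedProfile struct {
	WrappedKey []byte
	IV         []byte
	Ciphertext []byte
	Tag        []byte
}

var oaepLabel = []byte("oath-device-profile") // binds the wrapped key to this use (this example's choice)

func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := make([]byte, len(b)+n)
	copy(out, b)
	copy(out[len(b):], bytes.Repeat([]byte{byte(n)}, n))
	return out
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptProfile: fresh 32-byte secret (AES-128 key || HMAC key) and 16-byte IV per profile,
// AES-CBC/PKCS#5, then HMAC-SHA-256 over IV||ciphertext truncated to 16 bytes,
// and the secret wrapped with RSA-OAEP under the configured key pair's public key.
func EncryptProfile(pub *rsa.PublicKey, profile []byte) (*EncryptedProfile, error) {
	buf := make([]byte, 48)
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	secret, iv := buf[:32], buf[32:]
	block, _ := aes.NewCipher(secret[:16]) // a 16-byte key cannot fail
	padded := pkcs5Pad(profile)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, secret[16:])
	mac.Write(iv)
	mac.Write(ct)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &EncryptedProfile{WrappedKey: wrapped, IV: iv, Ciphertext: ct, Tag: mac.Sum(nil)[:16]}, nil
}

// DecryptProfile unwraps the secret, verifies the tag in constant time before
// touching the ciphertext, then decrypts and strips the padding.
func DecryptProfile(priv *rsa.PrivateKey, ep *EncryptedProfile) ([]byte, error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ep.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	if len(secret) != 32 || len(ep.IV) != aes.BlockSize || len(ep.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed encrypted profile")
	}
	mac := hmac.New(sha256.New, secret[16:])
	mac.Write(ep.IV)
	mac.Write(ep.Ciphertext)
	if !hmac.Equal(mac.Sum(nil)[:16], ep.Tag) {
		return nil, errors.New("integrity check failed: profile modified or wrong key")
	}
	block, _ := aes.NewCipher(secret[:16])
	pt := make([]byte, len(ep.Ciphertext))
	cipher.NewCBCDecrypter(block, ep.IV).CryptBlocks(pt, ep.Ciphertext)
	return pkcs5Unpad(pt)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key pair loaded from the configured key store
	profile := []byte(`{"deviceName":"phone","sharedSecret":"3132333435363738393031323334353637383930","counter":0}`) // constructed
	ep, err := EncryptProfile(&priv.PublicKey, profile)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptProfile(priv, ep)
	fmt.Printf("%s %v\n", pt, err)
}
```

The order in DecryptProfile matters: the tag is checked with hmac.Equal before any CBC decryption, so a modified ciphertext is rejected without ever reaching the padding check, which is what keeps a CBC construction from turning into a padding oracle. In the service the private key would be read from the configured key store under the key-pair alias, unlocked with the two passwords in the schema above.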
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticatorOATHDeviceSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted under a unique random secret key with AES of the given strength in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half its size) provides integrity protection, giving authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password will be encrypted.",
"propertyOrder" : 500,
"required" : false,
"type" : "string",
"format" : "password"
},
"oathAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticatorOATHSkippableName" : {
"title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
"description" : "The data store attribute that records whether the user has chosen to skip, or to use, one-time passwords from the ForgeRock Authenticator app. This attribute must be writeable.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 key stores require hardware support, such as a security device or smart card, and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : false,
"type" : "string",
"format" : "password"
},
"authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticatorOATHDeviceSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted under a unique random secret key with AES of the given strength in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half its size) provides integrity protection, giving authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password will be encrypted.",
"propertyOrder" : 500,
"required" : false,
"type" : "string",
"format" : "password"
},
"oathAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticatorOATHSkippableName" : {
"title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
"description" : "The data store attribute that holds the user's decision whether to skip supplying a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : false,
"type" : "string",
"format" : "password"
},
"authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticatorOATHDeviceSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted with a unique random secret key, using AES of the given strength in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password will be encrypted.",
"propertyOrder" : 500,
"required" : false,
"type" : "string",
"format" : "password"
},
"oathAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"authenticatorOATHSkippableName" : {
"title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
"description" : "The data store attribute that holds the user's decision whether to skip supplying a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : false,
"type" : "string",
"format" : "password"
},
"authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
},
"authenticatorOATHDeviceSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/authenticatorPushService
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticatorPushDeviceSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"authenticatorPushSkippableName" : {
"title" : "ForgeRock Authenticator (Push) Device Skippable Attribute Name",
"description" : "Name of the attribute on a user's profile used to store their selection of whether to skip ForgeRock Authenticator (Push) 2FA modules.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"authenticatorPushDeviceSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted with a unique random secret key, using AES of the given strength in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"pushAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticatorPushDeviceSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"authenticatorPushSkippableName" : {
"title" : "ForgeRock Authenticator (Push) Device Skippable Attribute Name",
"description" : "Name of the attribute on a user's profile used to store their selection of whether to skip ForgeRock Authenticator (Push) 2FA modules.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"authenticatorPushDeviceSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted with a unique random secret key, using AES of the given strength in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"pushAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticatorPushDeviceSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"authenticatorPushSkippableName" : {
"title" : "ForgeRock Authenticator (Push) Device Skippable Attribute Name",
"description" : "Name of the attribute on a user's profile used to store their selection of whether to skip ForgeRock Authenticator (Push) 2FA modules.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"authenticatorPushDeviceSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted with a unique random secret key, using AES of the given strength in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"pushAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"authenticatorPushDeviceSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"authenticatorPushSkippableName" : {
"title" : "ForgeRock Authenticator (Push) Device Skippable Attribute Name",
"description" : "Name of the attribute on a user's profile used to store their selection of whether to skip ForgeRock Authenticator (Push) 2FA modules.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"format" : "password"
},
"authenticatorPushDeviceSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"authenticatorPushDeviceSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted with a unique random secret key, using AES of the given strength in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"pushAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
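The Device Profile Encryption Scheme descriptions for both the OATH and the Push service above state the construction in prose only: a fresh random key per profile, AES-CBC with PKCS#5 padding, an HMAC-SHA truncated to half its size, and the random key wrapped with the configured RSA key pair. The Go program below is an added example and not OpenAM's own code; it implements that construction end to end so the two security-relevant choices are visible: the tag is checked in constant time before any decryption, and a modified record is rejected without ever reaching the padding check. Everything the page leaves open is an assumption here: the one random secret is split into a separate AES key and HMAC key, SHA-256 is paired with AES-128 and SHA-512 with AES-256, RSA-OAEP is the wrapping mode, the `EncryptedProfile` layout is invented, the key pair is generated in memory in place of the one loaded from the configured key store, and the device profile JSON is constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"errors"
	"fmt"
	"hash"
)

// EncryptedProfile is the record that would sit in the profile storage
// attribute. The layout is this example's own; the page only names the parts.
type EncryptedProfile struct {
	WrappedSecret, IV, Ciphertext, Tag []byte
}

// hmacFor pairs "the given strength": AES-128 with HMAC-SHA-256, AES-256 with
// HMAC-SHA-512 (an assumption; the page does not name the SHA variants).
var hmacFor = map[int]func() hash.Hash{128: sha256.New, 256: sha512.New}

// NewProfileKeyPair stands in for the pair loaded from the key store under the Key-Pair Alias.
func NewProfileKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// halfTag is HMAC over IV||ciphertext, truncated to half its output.
func halfTag(newHash func() hash.Hash, key, iv, ct []byte) []byte {
	mac := hmac.New(newHash, key)
	mac.Write(iv)
	mac.Write(ct)
	full := mac.Sum(nil)
	return full[:len(full)/2]
}

// EncryptProfile: fresh random secret per profile, AES-CBC with PKCS#5
// padding, encrypt-then-MAC, and the secret wrapped under the RSA public key.
// Carving separate AES and MAC keys out of the one secret, and RSA-OAEP for
// the wrap, are assumptions the page does not settle.
func EncryptProfile(pub *rsa.PublicKey, strength int, profile []byte) (*EncryptedProfile, error) {
	newHash, ok := hmacFor[strength]
	if !ok {
		return nil, fmt.Errorf("unsupported AES strength %d", strength)
	}
	keyLen := strength / 8
	buf := make([]byte, 2*keyLen+aes.BlockSize) // [AES key | HMAC key | IV]
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	secret, iv := buf[:2*keyLen], buf[2*keyLen:]
	block, _ := aes.NewCipher(secret[:keyLen]) // 16- or 32-byte key: cannot fail
	n := aes.BlockSize - len(profile)%aes.BlockSize
	padded := append(append([]byte{}, profile...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedProfile{wrapped, iv, ct, halfTag(newHash, secret[keyLen:], iv, ct)}, nil
}

// DecryptProfile unwraps the secret, checks the tag in constant time BEFORE
// decrypting, and only then strips padding: that ordering is what keeps
// CBC + PKCS#5 free of padding-oracle behaviour.
func DecryptProfile(priv *rsa.PrivateKey, strength int, ep *EncryptedProfile) ([]byte, error) {
	newHash, ok := hmacFor[strength]
	if !ok {
		return nil, fmt.Errorf("unsupported AES strength %d", strength)
	}
	keyLen := strength / 8
	secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ep.WrappedSecret, nil)
	if err != nil {
		return nil, err
	}
	if len(secret) != 2*keyLen || len(ep.IV) != aes.BlockSize || len(ep.Ciphertext) == 0 || len(ep.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed encrypted profile")
	}
	if !hmac.Equal(halfTag(newHash, secret[keyLen:], ep.IV, ep.Ciphertext), ep.Tag) {
		return nil, errors.New("integrity check failed: profile modified or wrong key pair")
	}
	block, _ := aes.NewCipher(secret[:keyLen])
	pt := make([]byte, len(ep.Ciphertext))
	cipher.NewCBCDecrypter(block, ep.IV).CryptBlocks(pt, ep.Ciphertext)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS#5 padding")
	}
	return pt[:len(pt)-n], nil
}

func main() {
	priv, _ := NewProfileKeyPair()
	profile := []byte(`{"deviceName":"phone","sharedSecret":"JBSWY3DPEHPK3PXP"}`) // constructed sample
	ep, _ := EncryptProfile(&priv.PublicKey, 256, profile)
	pt, err := DecryptProfile(priv, 256, ep)
	fmt.Printf("round trip: %s (err=%v)\n", pt, err)
	ep.Ciphertext[0] ^= 1 // tamper with the stored record
	_, err = DecryptProfile(priv, 256, ep)
	fmt.Println("after tampering:", err)
}
```

Two points carry over to the real deployment regardless of how OpenAM lays the record out: the private key named by the Key-Pair Alias is the single secret that protects every stored profile, so its key store and password deserve the same handling as a signing key, and because the random key is wrapped under that key pair, rotating the pair means re-wrapping (or re-enrolling) every existing profile.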
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/baseurl
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"contextPath" : {
"title" : "Context path",
"description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"source" : {
"title" : "Base URL Source",
"description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"extensionClassName" : {
"title" : "Extension class name",
"description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"fixedValue" : {
"title" : "Fixed value base URL",
"description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"contextPath" : {
"title" : "Context path",
"description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"source" : {
"title" : "Base URL Source",
"description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"extensionClassName" : {
"title" : "Extension class name",
"description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"fixedValue" : {
"title" : "Fixed value base URL",
"description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"contextPath" : {
"title" : "Context path",
"description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"source" : {
"title" : "Base URL Source",
"description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"extensionClassName" : {
"title" : "Extension class name",
"description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"fixedValue" : {
"title" : "Fixed value base URL",
"description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"contextPath" : {
"title" : "Context path",
"description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"source" : {
"title" : "Base URL Source",
"description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"extensionClassName" : {
"title" : "Extension class name",
"description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"fixedValue" : {
"title" : "Fixed value base URL",
"description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/dashboard
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"assignedDashboard" : {
"title" : "Available Dashboard Apps",
"description" : "List of application dashboard names available by default for realms with the Dashboard service configured.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"assignedDashboard" : {
"title" : "Available Dashboard Apps",
"description" : "List of application dashboard names available by default for realms with the Dashboard service configured.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"assignedDashboard" : {
"title" : "Available Dashboard Apps",
"description" : "List of application dashboard names available by default for realms with the Dashboard service configured.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"assignedDashboard" : {
"title" : "Available Dashboard Apps",
"description" : "List of application dashboard names available by default for realms with the Dashboard service configured.",
"propertyOrder" : 700,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/deviceIdService
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"deviceIdSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
"propertyOrder" : 500,
"required" : false,
"type" : "string",
"format" : "password"
},
"deviceIdSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : false,
"type" : "string",
"format" : "password"
},
"deviceIdAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "The user's attribute in which to store Device ID profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device ID authentication module. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"deviceIdSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
"propertyOrder" : 500,
"required" : false,
"type" : "string",
"format" : "password"
},
"deviceIdSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : false,
"type" : "string",
"format" : "password"
},
"deviceIdAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "The user's attribute in which to store Device ID profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device ID authentication module. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"deviceIdSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
"propertyOrder" : 500,
"required" : false,
"type" : "string",
"format" : "password"
},
"deviceIdSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : false,
"type" : "string",
"format" : "password"
},
"deviceIdAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "The user's attribute in which to store Device ID profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device ID authentication module. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"deviceIdSettingsEncryptionKeystorePassword" : {
"title" : "Key Store Password",
"description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
"propertyOrder" : 500,
"required" : false,
"type" : "string",
"format" : "password"
},
"deviceIdSettingsEncryptionKeystorePrivateKeyPassword" : {
"title" : "Private Key Password",
"description" : "Password to unlock the private key.",
"propertyOrder" : 700,
"required" : false,
"type" : "string",
"format" : "password"
},
"deviceIdAttrName" : {
"title" : "Profile Storage Attribute",
"description" : "The user's attribute in which to store Device ID profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device ID authentication module. OpenAM must be able to write to the attribute.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystoreType" : {
"title" : "Key Store Type",
"description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionScheme" : {
"title" : "Device Profile Encryption Scheme",
"description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystore" : {
"title" : "Encryption Key Store",
"description" : "Path to the key store from which to load encryption keys.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"deviceIdSettingsEncryptionKeystoreKeyPairAlias" : {
"title" : "Key-Pair Alias",
"description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
"propertyOrder" : 600,
"required" : false,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/email
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"message" : {
"title" : "Email Content",
"description" : "Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"emailAddressAttribute" : {
"title" : "Email Attribute Name",
"description" : "Specifies the profile attribute from which to retrieve the end user's email address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Mail Server Host Port",
"description" : "Specifies the port number for the SMTP mail server.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "Specifies the password for the SMTP user name.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"emailImplClassName" : {
"title" : "Email Message Implementation Class",
"description" : "Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"hostname" : {
"title" : "Mail Server Host Name",
"description" : "Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "smtp.example.com"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "Specifies the user name for the SMTP mail server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string",
"exampleValue" : "username"
},
"from" : {
"title" : "Email From Address",
"description" : "Specifies the address from which to send email notifications.",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "no-reply@example.com"
},
"subject" : {
"title" : "Email Subject",
"description" : "Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"sslState" : {
"title" : "Mail Server Secure Connection",
"description" : "Specifies whether to connect to the SMTP mail server using SSL.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"message" : {
"title" : "Email Content",
"description" : "Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"emailAddressAttribute" : {
"title" : "Email Attribute Name",
"description" : "Specifies the profile attribute from which to retrieve the end user's email address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Mail Server Host Port",
"description" : "Specifies the port number for the SMTP mail server.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "Specifies the password for the SMTP user name.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"emailImplClassName" : {
"title" : "Email Message Implementation Class",
"description" : "Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"hostname" : {
"title" : "Mail Server Host Name",
"description" : "Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "smtp.example.com"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "Specifies the user name for the SMTP mail server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string",
"exampleValue" : "username"
},
"from" : {
"title" : "Email From Address",
"description" : "Specifies the address from which to send email notifications.",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "no-reply@example.com"
},
"subject" : {
"title" : "Email Subject",
"description" : "Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"sslState" : {
"title" : "Mail Server Secure Connection",
"description" : "Specifies whether to connect to the SMTP mail server using SSL.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"message" : {
"title" : "Email Content",
"description" : "Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"emailAddressAttribute" : {
"title" : "Email Attribute Name",
"description" : "Specifies the profile attribute from which to retrieve the end user's email address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Mail Server Host Port",
"description" : "Specifies the port number for the SMTP mail server.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "Specifies the password for the SMTP user name.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"emailImplClassName" : {
"title" : "Email Message Implementation Class",
"description" : "Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"hostname" : {
"title" : "Mail Server Host Name",
"description" : "Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "smtp.example.com"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "Specifies the user name for the SMTP mail server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string",
"exampleValue" : "username"
},
"from" : {
"title" : "Email From Address",
"description" : "Specifies the address from which to send email notifications.",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "no-reply@example.com"
},
"subject" : {
"title" : "Email Subject",
"description" : "Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"sslState" : {
"title" : "Mail Server Secure Connection",
"description" : "Specifies whether to connect to the SMTP mail server using SSL.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"message" : {
"title" : "Email Content",
"description" : "Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"emailAddressAttribute" : {
"title" : "Email Attribute Name",
"description" : "Specifies the profile attribute from which to retrieve the end user's email address.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"port" : {
"title" : "Mail Server Host Port",
"description" : "Specifies the port number for the SMTP mail server.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"password" : {
"title" : "Mail Server Authentication Password",
"description" : "Specifies the password for the SMTP user name.",
"propertyOrder" : 500,
"required" : true,
"type" : "string",
"format" : "password"
},
"emailImplClassName" : {
"title" : "Email Message Implementation Class",
"description" : "Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"hostname" : {
"title" : "Mail Server Host Name",
"description" : "Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "smtp.example.com"
},
"username" : {
"title" : "Mail Server Authentication Username",
"description" : "Specifies the user name for the SMTP mail server.",
"propertyOrder" : 400,
"required" : true,
"type" : "string",
"exampleValue" : "username"
},
"from" : {
"title" : "Email From Address",
"description" : "Specifies the address from which to send email notifications.",
"propertyOrder" : 700,
"required" : true,
"type" : "string",
"exampleValue" : "no-reply@example.com"
},
"subject" : {
"title" : "Email Subject",
"description" : "Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"sslState" : {
"title" : "Mail Server Secure Connection",
"description" : "Specifies whether to connect to the SMTP mail server using SSL.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/globalization
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonNameFormats" : {
"title" : "Auto Generated Common Name Format",
"description" : "Use this list to configure how OpenAM formats names shown in the console banner.<br><br>This setting allows the name of the authenticated user shown in the OpenAM console banner to be customised based on the locale of the user.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonNameFormats" : {
"title" : "Auto Generated Common Name Format",
"description" : "Use this list to configure how OpenAM formats names shown in the console banner.<br><br>This setting allows the name of the authenticated user shown in the OpenAM console banner to be customised based on the locale of the user.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonNameFormats" : {
"title" : "Auto Generated Common Name Format",
"description" : "Use this list to configure how OpenAM formats names shown in the console banner.<br><br>This setting allows the name of the authenticated user shown in the OpenAM console banner to be customised based on the locale of the user.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"commonNameFormats" : {
"title" : "Auto Generated Common Name Format",
"description" : "Use this list to configure how OpenAM formats names shown in the console banner.<br><br>This setting allows the name of the authenticated user shown in the OpenAM console banner to be customised based on the locale of the user.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/id-repositories
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"sunIdRepoAttributeValidator" : {
"title" : "Attribute Validator Plug-in",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoAttributeCombiner" : {
"title" : "Attribute Combiner plug-in",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"sunIdRepoAttributeValidator" : {
"title" : "Attribute Validator Plug-in",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoAttributeCombiner" : {
"title" : "Attribute Combiner plug-in",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"sunIdRepoAttributeValidator" : {
"title" : "Attribute Validator Plug-in",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoAttributeCombiner" : {
"title" : "Attribute Combiner plug-in",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"sunIdRepoAttributeValidator" : {
"title" : "Attribute Validator Plug-in",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoAttributeCombiner" : {
"title" : "Attribute Combiner plug-in",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/id-repositories/LDAPv3
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-dftgroupmember" : {
"title" : "Default Group Member's User DN",
"description" : "User automatically added when group is created.",
"propertyOrder" : 3800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. The only supported filter is _queryFilter=true, which returns every instance; other filter expressions are not accepted.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-dftgroupmember" : {
"title" : "Default Group Member's User DN",
"description" : "User automatically added when group is created.",
"propertyOrder" : 3800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
}
}
}
/realm-config/services/id-repositories/LDAPv3/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, the Behera password policy draft control is sent with outgoing requests for operations that may modify the password value. This allows OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. A zero or negative value disables heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using the StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-dftgroupmember" : {
"title" : "Default Group Member's User DN",
"description" : "User automatically added when group is created.",
"propertyOrder" : 3800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, the Behera password policy draft control is sent with outgoing requests for operations that may modify the password value. This allows OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. A zero or negative value disables heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using the StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-dftgroupmember" : {
"title" : "Default Group Member's User DN",
"description" : "User automatically added when group is created.",
"propertyOrder" : 3800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, the Behera password policy draft control is sent with outgoing requests for operations that may modify the password value. This allows OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. A zero or negative value disables heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using the StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-dftgroupmember" : {
"title" : "Default Group Member's User DN",
"description" : "User automatically added when group is created.",
"propertyOrder" : 3800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
}
}
}
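The Create and Update operations above both take a body shaped by this schema, and the schema itself only tells you types; the security-relevant constraints live in the descriptions (the fields marked required, the warning that connection mode 'LDAP' sends bind and user passwords in cleartext, a heartbeat interval of zero or less disabling heartbeats, and the DN cache relying on a persistent search to see moves and renames). The following Python is an added example, not code from the OpenAM API descriptor or the OpenAM project: it runs those checks over a body before it is submitted and assembles, without sending, the create call for a client-assigned resource ID. The request conventions (the /json deployment prefix, PUT with If-None-Match: * for a client-assigned ID, the iPlanetDirectoryPro session header), the DJLDAPv3Repo plug-in class name and the SECONDS time unit are assumptions from OpenAM's CREST usage, not stated on this page; the host names, DNs, passwords and both sample bodies are constructed placeholders.

```python
"""Pre-flight checks for an LDAPv3 identity-repository body (Create/Update),
plus the create call assembled but not sent. Added example, not OpenAM code.

Assumed (not on this page): /json prefix, PUT + If-None-Match: * for a
client-assigned ID, the iPlanetDirectoryPro session header, the
DJLDAPv3Repo class name, the SECONDS time unit. Sample data is constructed.
"""
import json
import re
from typing import Dict, List

# Keys the schema marks "required": true, grouped by section.
REQUIRED = {
    "ldapsettings": (
        "sun-idrepo-ldapv3-config-ldap-server",
        "sun-idrepo-ldapv3-config-organization_name",
    ),
    "pluginconfig": ("sunIdRepoClass",),
}

# An LDAP Server entry is "host:port | server_ID | site_ID"; check the first segment.
_HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def check_repo_config(body: Dict) -> List[str]:
    """Return findings for a request body; an empty list means it passes."""
    findings: List[str] = []
    for section, keys in REQUIRED.items():
        props = body.get(section, {})
        for key in keys:
            if not props.get(key):
                findings.append(f"missing required {section}.{key}")

    ldap = body.get("ldapsettings", {})

    servers = ldap.get("sun-idrepo-ldapv3-config-ldap-server", [])
    if not isinstance(servers, list):
        findings.append("LDAP Server must be an array of strings")
    else:
        for entry in servers:
            head = str(entry).split("|", 1)[0].strip()
            if not _HOST_PORT.match(head):
                findings.append(f"LDAP Server entry {entry!r} does not start with host:port")

    # The schema text: 'LDAP' means passwords cross the network in cleartext.
    mode = ldap.get("sun-idrepo-ldapv3-config-connection-mode")
    if mode == "LDAP":
        findings.append("connection mode LDAP: bind and user passwords cross the network in cleartext; use LDAPS or StartTLS")
    elif mode is None:
        findings.append("connection mode not set; set it explicitly to LDAPS or StartTLS")
    elif mode not in ("LDAPS", "StartTLS"):
        findings.append(f"unknown connection mode {mode!r}")

    # Zero or negative disables heartbeats: dead connections are found only by failing requests.
    interval = ldap.get("openam-idrepo-ldapv3-heartbeat-interval")
    if interval is not None and interval <= 0:
        findings.append("heartbeat interval <= 0 disables heartbeats; dead connections surface only as failed requests")

    if ldap.get("sun-idrepo-ldapv3-config-authid") and not ldap.get("sun-idrepo-ldapv3-config-authpw"):
        findings.append("LDAP Bind DN set without an LDAP Bind Password")

    # DN cache goes stale on move/rename unless a persistent search reports them.
    dn_cache = body.get("cachecontrol", {}).get("sun-idrepo-ldapv3-dncache-enabled")
    psearch_base = body.get("persistentsearch", {}).get("sun-idrepo-ldapv3-config-psearchbase")
    if dn_cache and not psearch_base:
        findings.append("DN cache enabled without a persistent search base; moved or renamed users can leave stale DNs")
    return findings


def build_create_request(base_url: str, realm_prefix: str, repo_id: str, body: Dict, sso_token: str) -> Dict:
    """Assemble the create call for a client-assigned ID (assumed CREST conventions); nothing is sent."""
    url = f"{base_url}{realm_prefix}/realm-config/services/id-repositories/LDAPv3/{repo_id}"
    headers = {
        "Content-Type": "application/json",
        "Accept-API-Version": "resource=1.0",  # version shown on this page
        "If-None-Match": "*",                   # create only: fail if the ID already exists
        "iPlanetDirectoryPro": sso_token,       # admin session token, default cookie name (assumed)
    }
    return {"method": "PUT", "url": url, "headers": headers, "body": json.dumps(body)}


# Constructed sample bodies; names, DNs and the password are placeholders.
HARDENED_BODY = {
    "ldapsettings": {
        "sun-idrepo-ldapv3-config-ldap-server": ["ldap.example.com:636 | 01 | 02"],
        "sun-idrepo-ldapv3-config-organization_name": "dc=example,dc=com",
        "sun-idrepo-ldapv3-config-authid": "cn=openam-idrepo,ou=services,dc=example,dc=com",
        "sun-idrepo-ldapv3-config-authpw": "replace-me",
        "sun-idrepo-ldapv3-config-connection-mode": "LDAPS",
        "openam-idrepo-ldapv3-heartbeat-interval": 10,
        "openam-idrepo-ldapv3-heartbeat-timeunit": "SECONDS",
    },
    "pluginconfig": {"sunIdRepoClass": "org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo"},
    "cachecontrol": {"sun-idrepo-ldapv3-dncache-enabled": True, "sun-idrepo-ldapv3-dncache-size": 1500},
    "persistentsearch": {"sun-idrepo-ldapv3-config-psearchbase": "dc=example,dc=com"},
}

WEAK_BODY = {
    "ldapsettings": {
        "sun-idrepo-ldapv3-config-ldap-server": ["ldap.example.com:389"],
        "sun-idrepo-ldapv3-config-organization_name": "dc=example,dc=com",
        "sun-idrepo-ldapv3-config-authid": "cn=Directory Manager",
        "sun-idrepo-ldapv3-config-connection-mode": "LDAP",
        "openam-idrepo-ldapv3-heartbeat-interval": 0,
    },
    "pluginconfig": {},
    "cachecontrol": {"sun-idrepo-ldapv3-dncache-enabled": True},
}

if __name__ == "__main__":
    for name, body in (("hardened", HARDENED_BODY), ("weak", WEAK_BODY)):
        print(name, check_repo_config(body) or "ok")
    print(build_create_request("https://openam.example.com", "/json", "corp-ldap", HARDENED_BODY, "<token>")["url"])
```

Run it with no arguments to see the weak body produce five findings and the hardened body none; the same check_repo_config call applies to an Update body, since the schema is identical for both operations. The If-None-Match: * header is what makes the call a create rather than an overwrite when the ID is chosen by the client.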
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-dftgroupmember" : {
"title" : "Default Group Member's User DN",
"description" : "User automatically added when group is created.",
"propertyOrder" : 3800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
}
}
}
/realm-config/services/id-repositories/LDAPv3ForAD
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
}
}
}
/realm-config/services/id-repositories/LDAPv3ForAD/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
}
}
}
/realm-config/services/id-repositories/LDAPv3ForADAM
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
}
}
}
/realm-config/services/id-repositories/LDAPv3ForADAM/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
}
}
}
/realm-config/services/id-repositories/LDAPv3ForAMDS
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
}
}
},
"roleconfig" : {
"type" : "object",
"title" : "Role Configuration",
"propertyOrder" : 6,
"properties" : {
"sun-idrepo-ldapv3-config-filterrole-attributes" : {
"title" : "LDAP Filter Roles Attributes",
"propertyOrder" : 4600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-nsrole" : {
"title" : "Attribute Name for Filtered Role Membership",
"propertyOrder" : 4700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-filterrole-objectclass" : {
"title" : "LDAP Filter Roles Object Class",
"propertyOrder" : 4500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-filterroles-search-filter" : {
"title" : "LDAP Filter Roles Search Filter",
"propertyOrder" : 4400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-role-objectclass" : {
"title" : "LDAP Roles Object Class",
"propertyOrder" : 4100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-roles-search-filter" : {
"title" : "LDAP Roles Search Filter",
"propertyOrder" : 4000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-role-attributes" : {
"title" : "LDAP Roles Attributes",
"propertyOrder" : 4200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-nsrolefilter" : {
"title" : "Attribute Name of Filtered Role Filter",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-roles-search-attribute" : {
"title" : "LDAP Roles Search Attribute",
"propertyOrder" : 3900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-filterroles-search-attribute" : {
"title" : "LDAP Filter Roles Search Attribute",
"propertyOrder" : 4300,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-nsroledn" : {
"title" : "Attribute Name of Role Membership.",
"propertyOrder" : 4800,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
}
}
},
"roleconfig" : {
"type" : "object",
"title" : "Role Configuration",
"propertyOrder" : 6,
"properties" : {
"sun-idrepo-ldapv3-config-filterrole-attributes" : {
"title" : "LDAP Filter Roles Attributes",
"propertyOrder" : 4600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-nsrole" : {
"title" : "Attribute Name for Filtered Role Membership",
"propertyOrder" : 4700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-filterrole-objectclass" : {
"title" : "LDAP Filter Roles Object Class",
"propertyOrder" : 4500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-filterroles-search-filter" : {
"title" : "LDAP Filter Roles Search Filter",
"propertyOrder" : 4400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-role-objectclass" : {
"title" : "LDAP Roles Object Class",
"propertyOrder" : 4100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-roles-search-filter" : {
"title" : "LDAP Roles Search Filter",
"propertyOrder" : 4000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-role-attributes" : {
"title" : "LDAP Roles Attributes",
"propertyOrder" : 4200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-nsrolefilter" : {
"title" : "Attribute Name of Filtered Role Filter",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-roles-search-attribute" : {
"title" : "LDAP Roles Search Attribute",
"propertyOrder" : 3900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-filterroles-search-attribute" : {
"title" : "LDAP Filter Roles Search Attribute",
"propertyOrder" : 4300,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-nsroledn" : {
"title" : "Attribute Name of Role Membership.",
"propertyOrder" : 4800,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
}
}
}
/realm-config/services/id-repositories/LDAPv3ForAMDS/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
}
}
},
"roleconfig" : {
"type" : "object",
"title" : "Role Configuration",
"propertyOrder" : 6,
"properties" : {
"sun-idrepo-ldapv3-config-filterrole-attributes" : {
"title" : "LDAP Filter Roles Attributes",
"propertyOrder" : 4600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-nsrole" : {
"title" : "Attribute Name for Filtered Role Membership",
"propertyOrder" : 4700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-filterrole-objectclass" : {
"title" : "LDAP Filter Roles Object Class",
"propertyOrder" : 4500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-filterroles-search-filter" : {
"title" : "LDAP Filter Roles Search Filter",
"propertyOrder" : 4400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-role-objectclass" : {
"title" : "LDAP Roles Object Class",
"propertyOrder" : 4100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-roles-search-filter" : {
"title" : "LDAP Roles Search Filter",
"propertyOrder" : 4000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-role-attributes" : {
"title" : "LDAP Roles Attributes",
"propertyOrder" : 4200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-nsrolefilter" : {
"title" : "Attribute Name of Filtered Role Filter",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-roles-search-attribute" : {
"title" : "LDAP Roles Search Attribute",
"propertyOrder" : 3900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-filterroles-search-attribute" : {
"title" : "LDAP Filter Roles Search Attribute",
"propertyOrder" : 4300,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-nsroledn" : {
"title" : "Attribute Name of Role Membership.",
"propertyOrder" : 4800,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
}
}
},
"roleconfig" : {
"type" : "object",
"title" : "Role Configuration",
"propertyOrder" : 6,
"properties" : {
"sun-idrepo-ldapv3-config-filterrole-attributes" : {
"title" : "LDAP Filter Roles Attributes",
"propertyOrder" : 4600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-nsrole" : {
"title" : "Attribute Name for Filtered Role Membership",
"propertyOrder" : 4700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-filterrole-objectclass" : {
"title" : "LDAP Filter Roles Object Class",
"propertyOrder" : 4500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-filterroles-search-filter" : {
"title" : "LDAP Filter Roles Search Filter",
"propertyOrder" : 4400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-role-objectclass" : {
"title" : "LDAP Roles Object Class",
"propertyOrder" : 4100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-roles-search-filter" : {
"title" : "LDAP Roles Search Filter",
"propertyOrder" : 4000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-role-attributes" : {
"title" : "LDAP Roles Attributes",
"propertyOrder" : 4200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-nsrolefilter" : {
"title" : "Attribute Name of Filtered Role Filter",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-roles-search-attribute" : {
"title" : "LDAP Roles Search Attribute",
"propertyOrder" : 3900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-filterroles-search-attribute" : {
"title" : "LDAP Filter Roles Search Attribute",
"propertyOrder" : 4300,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-nsroledn" : {
"title" : "Attribute Name of Role Membership.",
"propertyOrder" : 4800,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
}
}
},
"roleconfig" : {
"type" : "object",
"title" : "Role Configuration",
"propertyOrder" : 6,
"properties" : {
"sun-idrepo-ldapv3-config-filterrole-attributes" : {
"title" : "LDAP Filter Roles Attributes",
"propertyOrder" : 4600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-nsrole" : {
"title" : "Attribute Name for Filtered Role Membership",
"propertyOrder" : 4700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-filterrole-objectclass" : {
"title" : "LDAP Filter Roles Object Class",
"propertyOrder" : 4500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-filterroles-search-filter" : {
"title" : "LDAP Filter Roles Search Filter",
"propertyOrder" : 4400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-role-objectclass" : {
"title" : "LDAP Roles Object Class",
"propertyOrder" : 4100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-roles-search-filter" : {
"title" : "LDAP Roles Search Filter",
"propertyOrder" : 4000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-role-attributes" : {
"title" : "LDAP Roles Attributes",
"propertyOrder" : 4200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-nsrolefilter" : {
"title" : "Attribute Name of Filtered Role Filter",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-roles-search-attribute" : {
"title" : "LDAP Roles Search Attribute",
"propertyOrder" : 3900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-filterroles-search-attribute" : {
"title" : "LDAP Filter Roles Search Attribute",
"propertyOrder" : 4300,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-nsroledn" : {
"title" : "Attribute Name of Role Membership.",
"propertyOrder" : 4800,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
}
}
},
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
}
}
},
"roleconfig" : {
"type" : "object",
"title" : "Role Configuration",
"propertyOrder" : 6,
"properties" : {
"sun-idrepo-ldapv3-config-filterrole-attributes" : {
"title" : "LDAP Filter Roles Attributes",
"propertyOrder" : 4600,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-nsrole" : {
"title" : "Attribute Name for Filtered Role Membership",
"propertyOrder" : 4700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-filterrole-objectclass" : {
"title" : "LDAP Filter Roles Object Class",
"propertyOrder" : 4500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-filterroles-search-filter" : {
"title" : "LDAP Filter Roles Search Filter",
"propertyOrder" : 4400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-role-objectclass" : {
"title" : "LDAP Roles Object Class",
"propertyOrder" : 4100,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-roles-search-filter" : {
"title" : "LDAP Roles Search Filter",
"propertyOrder" : 4000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-role-attributes" : {
"title" : "LDAP Roles Attributes",
"propertyOrder" : 4200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-nsrolefilter" : {
"title" : "Attribute Name of Filtered Role Filter",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-roles-search-attribute" : {
"title" : "LDAP Roles Search Attribute",
"propertyOrder" : 3900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-filterroles-search-attribute" : {
"title" : "LDAP Filter Roles Search Attribute",
"propertyOrder" : 4300,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-nsroledn" : {
"title" : "Attribute Name of Role Membership.",
"propertyOrder" : 4800,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
}
}
}
/realm-config/services/id-repositories/LDAPv3ForOpenDS
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-proxied-auth-enabled" : {
"title" : "Proxied Authorization using Bind DN",
"description" : "Enable this setting if you have configured the LDAP bind DN account for proxied authorization (DS proxied-auth privilege). Do not enable this property if the LDAP bind DN account does not have the proxied-auth privilege granted because the user would not be able to reset their password. DS and AM log an error when this occurs.",
"propertyOrder" : 850,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-proxied-auth-enabled" : {
"title" : "Proxied Authorization using Bind DN",
"description" : "Enable this setting if you have configured the LDAP bind DN account for proxied authorization (DS proxied-auth privilege). Do not enable this property if the LDAP bind DN account does not have the proxied-auth privilege granted because the user would not be able to reset their password. DS and AM log an error when this occurs.",
"propertyOrder" : 850,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
}
}
}
/realm-config/services/id-repositories/LDAPv3ForOpenDS/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-proxied-auth-enabled" : {
"title" : "Proxied Authorization using Bind DN",
"description" : "Enable this setting if you have configured the LDAP bind DN account for proxied authorization (DS proxied-auth privilege). Do not enable this property if the LDAP bind DN account does not have the proxied-auth privilege granted because the user would not be able to reset their password. DS and AM log an error when this occurs.",
"propertyOrder" : 850,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-proxied-auth-enabled" : {
"title" : "Proxied Authorization using Bind DN",
"description" : "Enable this setting if you have configured the LDAP bind DN account for proxied authorization (DS proxied-auth privilege). Do not enable this property if the LDAP bind DN account does not have the proxied-auth privilege granted because the user would not be able to reset their password. DS and AM log an error when this occurs.",
"propertyOrder" : 850,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-proxied-auth-enabled" : {
"title" : "Proxied Authorization using Bind DN",
"description" : "Enable this setting if you have configured the LDAP bind DN account for proxied authorization (DS proxied-auth privilege). Do not enable this property if the LDAP bind DN account does not have the proxied-auth privilege granted because the user would not be able to reset their password. DS and AM log an error when this occurs.",
"propertyOrder" : 850,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-proxied-auth-enabled" : {
"title" : "Proxied Authorization using Bind DN",
"description" : "Enable this setting if you have configured the LDAP bind DN account for proxied authorization (DS proxied-auth privilege). Do not enable this property if the LDAP bind DN account does not have the proxied-auth privilege granted because the user would not be able to reset their password. DS and AM log an error when this occurs.",
"propertyOrder" : 850,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-memberurl" : {
"title" : "Attribute Name of Group Member URL",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5410,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
}
}
}
}
}
/realm-config/services/id-repositories/LDAPv3ForTivoli
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5340,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-dftgroupmember" : {
"title" : "Default Group Member's User DN",
"description" : "User automatically added when group is created.",
"propertyOrder" : 3800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5340,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-dftgroupmember" : {
"title" : "Default Group Member's User DN",
"description" : "User automatically added when group is created.",
"propertyOrder" : 3800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
}
}
}
/realm-config/services/id-repositories/LDAPv3ForTivoli/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5340,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-dftgroupmember" : {
"title" : "Default Group Member's User DN",
"description" : "User automatically added when group is created.",
"propertyOrder" : 3800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5340,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-dftgroupmember" : {
"title" : "Default Group Member's User DN",
"description" : "User automatically added when group is created.",
"propertyOrder" : 3800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5340,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-dftgroupmember" : {
"title" : "Default Group Member's User DN",
"description" : "User automatically added when group is created.",
"propertyOrder" : 3800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"ldapsettings" : {
"type" : "object",
"title" : "Server Settings",
"propertyOrder" : 0,
"properties" : {
"sun-idrepo-ldapv3-config-connection_pool_max_size" : {
"title" : "LDAP Connection Pool Maximum Size",
"propertyOrder" : 1200,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-ldap-server" : {
"title" : "LDAP Server",
"description" : "Format: LDAP server host name:port | server_ID | site_ID",
"propertyOrder" : 600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-search-scope" : {
"title" : "LDAPv3 Plug-in Search Scope",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authid" : {
"title" : "LDAP Bind DN",
"description" : "A user or admin with sufficient access rights to perform the supported operations.",
"propertyOrder" : 700,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-interval" : {
"title" : "LDAP Connection Heartbeat Interval",
"description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
"propertyOrder" : 1300,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-config-max-result" : {
"title" : "Maximum Results Returned from Search",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"openam-idrepo-ldapv3-behera-support-enabled" : {
"title" : "Behera Support Enabled",
"description" : "When enabled, Behera draft control will be used in the outgoing requests for operations that may modify password value. This will allow OpenAM to display password policy related error messages when password policies are not met.",
"propertyOrder" : 6100,
"required" : false,
"type" : "boolean"
},
"sun-idrepo-ldapv3-config-connection-mode" : {
"title" : "LDAP Connection Mode",
"description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"openam-idrepo-ldapv3-heartbeat-timeunit" : {
"title" : "LDAP Connection Heartbeat Time Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-authpw" : {
"title" : "LDAP Bind Password",
"propertyOrder" : 800,
"required" : false,
"type" : "string",
"format" : "password"
},
"sun-idrepo-ldapv3-config-organization_name" : {
"title" : "LDAP Organization DN",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"sun-idrepo-ldapv3-config-time-limit" : {
"title" : "Search Timeout",
"description" : "In seconds.",
"propertyOrder" : 1600,
"required" : false,
"type" : "integer"
}
}
},
"userconfig" : {
"type" : "object",
"title" : "User Configuration",
"propertyOrder" : 3,
"properties" : {
"sun-idrepo-ldapv3-config-isactive" : {
"title" : "Attribute Name of User Status",
"propertyOrder" : 2600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-active" : {
"title" : "User Status Active Value",
"propertyOrder" : 2700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
"title" : "Knowledge Based Authentication Active Index",
"propertyOrder" : 5400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-attribute" : {
"title" : "LDAP Users Search Attribute",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-objectclass" : {
"title" : "LDAP User Object Class",
"propertyOrder" : 2300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-users-search-filter" : {
"title" : "LDAP Users Search Filter",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : {
"title" : "Knowledge Based Authentication Attempts Attribute Name",
"propertyOrder" : 5340,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-value" : {
"title" : "LDAP People Container Value",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-auth-kba-attr" : {
"title" : "Knowledge Based Authentication Attribute Name",
"propertyOrder" : 5300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
"title" : "Create User Attribute Mapping",
"description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
"propertyOrder" : 2500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-people-container-name" : {
"title" : "LDAP People Container Naming Attribute",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-inactive" : {
"title" : "User Status Inactive Value",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-user-attributes" : {
"title" : "LDAP User Attributes",
"propertyOrder" : 2400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"authentication" : {
"type" : "object",
"title" : "Authentication Configuration",
"propertyOrder" : 4,
"properties" : {
"sun-idrepo-ldapv3-config-auth-naming-attr" : {
"title" : "Authentication Naming Attribute",
"propertyOrder" : 5200,
"required" : false,
"type" : "string"
}
}
},
"pluginconfig" : {
"type" : "object",
"title" : "Plug-in Configuration",
"propertyOrder" : 2,
"properties" : {
"sunIdRepoSupportedOperations" : {
"title" : "LDAPv3 Plug-in Supported Types and Operations",
"propertyOrder" : 1900,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sunIdRepoClass" : {
"title" : "LDAPv3 Repository Plug-in Class Name",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"sunIdRepoAttributeMapping" : {
"title" : "Attribute Name Mapping",
"propertyOrder" : 1800,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"groupconfig" : {
"type" : "object",
"title" : "Group Configuration",
"propertyOrder" : 5,
"properties" : {
"sun-idrepo-ldapv3-config-groups-search-attribute" : {
"title" : "LDAP Groups Search Attribute",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-dftgroupmember" : {
"title" : "Default Group Member's User DN",
"description" : "User automatically added when group is created.",
"propertyOrder" : 3800,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-value" : {
"title" : "LDAP Groups Container Value",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-memberof" : {
"title" : "Attribute Name for Group Membership",
"propertyOrder" : 3500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-container-name" : {
"title" : "LDAP Groups Container Naming Attribute",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-objectclass" : {
"title" : "LDAP Groups Object Class",
"propertyOrder" : 3300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"sun-idrepo-ldapv3-config-groups-search-filter" : {
"title" : "LDAP Groups Search Filter",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-uniquemember" : {
"title" : "Attribute Name of Unique Member",
"propertyOrder" : 3600,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-group-attributes" : {
"title" : "LDAP Groups Attributes",
"propertyOrder" : 3400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"persistentsearch" : {
"type" : "object",
"title" : "Persistent Search Controls",
"propertyOrder" : 7,
"properties" : {
"sun-idrepo-ldapv3-config-psearch-scope" : {
"title" : "Persistent Search Scope",
"propertyOrder" : 5700,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearchbase" : {
"title" : "Persistent Search Base DN",
"propertyOrder" : 5500,
"required" : false,
"type" : "string"
},
"sun-idrepo-ldapv3-config-psearch-filter" : {
"title" : "Persistent Search Filter",
"propertyOrder" : 5600,
"required" : false,
"type" : "string"
}
}
},
"cachecontrol" : {
"type" : "object",
"title" : "Cache Control",
"propertyOrder" : 9,
"properties" : {
"sun-idrepo-ldapv3-dncache-size" : {
"title" : "DN Cache Size",
"description" : "In DN items, only used when DN Cache is enabled.",
"propertyOrder" : 6000,
"required" : false,
"type" : "integer"
},
"sun-idrepo-ldapv3-dncache-enabled" : {
"title" : "DN Cache",
"description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
"propertyOrder" : 5900,
"required" : false,
"type" : "boolean"
}
}
},
"errorhandling" : {
"type" : "object",
"title" : "Error Handling Configuration",
"propertyOrder" : 8,
"properties" : {
"com.iplanet.am.ldap.connection.delay.between.retries" : {
"title" : "The Delay Time Between Retries",
"description" : "In milliseconds.",
"propertyOrder" : 5800,
"required" : false,
"type" : "integer"
}
}
}
}
}
/realm-config/services/idm-integration
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"provisioningEncryptionKeyAlias" : {
"title" : "Encryption Key Alias",
"description" : "Alias of the encryption asymmetric key in AM's default keystore. Must be a duplicate of the asymmetric key used by IDM.",
"propertyOrder" : 2250,
"required" : true,
"type" : "string"
},
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"provisioningSigningAlgorithm" : {
"title" : "Signing Algorithm",
"description" : "JWT signing algorithm.",
"propertyOrder" : 2260,
"required" : true,
"type" : "string"
},
"provisioningEncryptionMethod" : {
"title" : "Encryption Method",
"description" : "JWT encryption method.",
"propertyOrder" : 2280,
"required" : true,
"type" : "string"
},
"provisioningSigningKeyAlias" : {
"title" : "Signing Key Alias",
"description" : "Alias of the signing symmetric key in AM's default keystore. Must be a duplicate of the symmetric key used by IDM.",
"propertyOrder" : 2240,
"required" : true,
"type" : "string"
},
"idmDeploymentUrl" : {
"title" : "Deployment URL",
"description" : "URL of the IDM deployment.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string",
"exampleValue" : "https://openidm.example.com"
},
"provisioningEncryptionAlgorithm" : {
"title" : "Encryption Algorithm",
"description" : "JWT encryption algorithm.",
"propertyOrder" : 2270,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"provisioningEncryptionKeyAlias" : {
"title" : "Encryption Key Alias",
"description" : "Alias of the encryption asymmetric key in AM's default keystore. Must be a duplicate of the asymmetric key used by IDM.",
"propertyOrder" : 2250,
"required" : true,
"type" : "string"
},
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"provisioningSigningAlgorithm" : {
"title" : "Signing Algorithm",
"description" : "JWT signing algorithm.",
"propertyOrder" : 2260,
"required" : true,
"type" : "string"
},
"provisioningEncryptionMethod" : {
"title" : "Encryption Method",
"description" : "JWT encryption method.",
"propertyOrder" : 2280,
"required" : true,
"type" : "string"
},
"provisioningSigningKeyAlias" : {
"title" : "Signing Key Alias",
"description" : "Alias of the signing symmetric key in AM's default keystore. Must be a duplicate of the symmetric key used by IDM.",
"propertyOrder" : 2240,
"required" : true,
"type" : "string"
},
"idmDeploymentUrl" : {
"title" : "Deployment URL",
"description" : "URL of the IDM deployment.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string",
"exampleValue" : "https://openidm.example.com"
},
"provisioningEncryptionAlgorithm" : {
"title" : "Encryption Algorithm",
"description" : "JWT encryption algorithm.",
"propertyOrder" : 2270,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"provisioningEncryptionKeyAlias" : {
"title" : "Encryption Key Alias",
"description" : "Alias of the encryption asymmetric key in AM's default keystore. Must be a duplicate of the asymmetric key used by IDM.",
"propertyOrder" : 2250,
"required" : true,
"type" : "string"
},
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"provisioningSigningAlgorithm" : {
"title" : "Signing Algorithm",
"description" : "JWT signing algorithm.",
"propertyOrder" : 2260,
"required" : true,
"type" : "string"
},
"provisioningEncryptionMethod" : {
"title" : "Encryption Method",
"description" : "JWT encryption method.",
"propertyOrder" : 2280,
"required" : true,
"type" : "string"
},
"provisioningSigningKeyAlias" : {
"title" : "Signing Key Alias",
"description" : "Alias of the signing symmetric key in AM's default keystore. Must be a duplicate of the symmetric key used by IDM.",
"propertyOrder" : 2240,
"required" : true,
"type" : "string"
},
"idmDeploymentUrl" : {
"title" : "Deployment URL",
"description" : "URL of the IDM deployment.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string",
"exampleValue" : "https://openidm.example.com"
},
"provisioningEncryptionAlgorithm" : {
"title" : "Encryption Algorithm",
"description" : "JWT encryption algorithm.",
"propertyOrder" : 2270,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"provisioningEncryptionKeyAlias" : {
"title" : "Encryption Key Alias",
"description" : "Alias of the encryption asymmetric key in AM's default keystore. Must be a duplicate of the asymmetric key used by IDM.",
"propertyOrder" : 2250,
"required" : true,
"type" : "string"
},
"enabled" : {
"title" : "Enabled",
"propertyOrder" : 2100,
"required" : true,
"type" : "boolean"
},
"provisioningSigningAlgorithm" : {
"title" : "Signing Algorithm",
"description" : "JWT signing algorithm.",
"propertyOrder" : 2260,
"required" : true,
"type" : "string"
},
"provisioningEncryptionMethod" : {
"title" : "Encryption Method",
"description" : "JWT encryption method.",
"propertyOrder" : 2280,
"required" : true,
"type" : "string"
},
"provisioningSigningKeyAlias" : {
"title" : "Signing Key Alias",
"description" : "Alias of the signing symmetric key in AM's default keystore. Must be a duplicate of the symmetric key used by IDM.",
"propertyOrder" : 2240,
"required" : true,
"type" : "string"
},
"idmDeploymentUrl" : {
"title" : "Deployment URL",
"description" : "URL of the IDM deployment.",
"propertyOrder" : 2200,
"required" : true,
"type" : "string",
"exampleValue" : "https://openidm.example.com"
},
"provisioningEncryptionAlgorithm" : {
"title" : "Encryption Algorithm",
"description" : "JWT encryption algorithm.",
"propertyOrder" : 2270,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/oauth-oidc
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedOAuth2Config" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"authenticationAttributes" : {
"title" : "User Profile Attribute(s) the Resource Owner is Authenticated On",
"description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultScopes" : {
"title" : "Default Client Scopes",
"description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"scopeImplementationClass" : {
"title" : "Scope Implementation Class",
"description" : "The class that contains the required scope implementation, must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.",
"propertyOrder" : 70,
"required" : true,
"type" : "string"
},
"modifiedTimestampAttribute" : {
"title" : "Modified Timestamp Attribute Name",
"description" : "The identity Data Store attribute used to return modified timestamp values.",
"propertyOrder" : 340,
"required" : false,
"type" : "string"
},
"tokenSigningECDSAKeyAlias" : {
"title" : "Token Signing ECDSA Public/Private Key Pair Alias",
"description" : "The list of public/private key pairs used for the elliptic curve algorithms (ES256/ES384/ES512). Add an entry to specify an alias for a specific elliptic curve algorithm, for example <code>ES256|es256Alias</code>.<br><br>Each of the public/private key pairs will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 241,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"codeVerifierEnforced" : {
"title" : "Code Verifier Parameter Required",
"description" : "If enabled, requests using the authorization code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-spop-12\">draft specification for this feature</a>.",
"propertyOrder" : 270,
"required" : true,
"type" : "boolean"
},
"responseTypeClasses" : {
"title" : "Response Type Plugins",
"description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.",
"propertyOrder" : 90,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedScopes" : {
"title" : "Supported Scopes",
"description" : "The set of supported scopes, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>",
"propertyOrder" : 130,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedSubjectTypes" : {
"title" : "Subject Types supported",
"description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>",
"propertyOrder" : 150,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"tokenEncryptionEnabled" : {
"title" : "Enable Stateless Token Encryption",
"description" : "Whether stateless access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.",
"propertyOrder" : 242,
"required" : true,
"type" : "boolean"
},
"moduleMessageEnabledInPasswordGrant" : {
"title" : "Enable Auth Module Messages for Password Credentials Grant",
"description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.",
"propertyOrder" : 440,
"required" : true,
"type" : "boolean"
},
"tokenSigningAlgorithm" : {
"title" : "OAuth2 Token Signing Algorithm",
"description" : "Algorithm used to sign stateless OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 220,
"required" : true,
"type" : "string"
},
"tokenCompressionEnabled" : {
"title" : "Stateless Token Compression",
"description" : "Whether stateless access and refresh tokens should be compressed.",
"propertyOrder" : 223,
"required" : true,
"type" : "boolean"
},
"tokenSigningHmacSharedSecret" : {
"title" : "Token Signing HMAC Shared Secret",
"description" : "Base64-encoded key used by HS256, HS384 and HS512.",
"propertyOrder" : 230,
"required" : true,
"type" : "string",
"format" : "password"
},
"hashSalt" : {
"title" : "Subject Identifier Hash Salt",
"description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.",
"propertyOrder" : 260,
"required" : false,
"type" : "string",
"exampleValue" : "changeme"
},
"customLoginUrlTemplate" : {
"title" : "Custom Login URL Template",
"description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.",
"propertyOrder" : 60,
"required" : false,
"type" : "string"
},
"tokenEncryptionKeyAlias" : {
"title" : "Token Encryption Secret Key Alias",
"description" : "The secret key used for encryption.<br><br>The secret key will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 243,
"required" : false,
"type" : "string"
},
"displayNameAttribute" : {
"title" : "User Display Name attribute",
"description" : "The profile attribute that contains the name to be displayed for the user on the consent page.",
"propertyOrder" : 120,
"required" : true,
"type" : "string"
},
"createdTimestampAttribute" : {
"title" : "Created Timestamp Attribute Name",
"description" : "The identity Data Store attribute used to return created timestamp values.",
"propertyOrder" : 350,
"required" : false,
"type" : "string"
},
"keypairName" : {
"title" : "Token Signing RSA Public/Private Key Pair",
"description" : "The public/private key pair used by RS256.<br><br>The public/private key pair will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 240,
"required" : true,
"type" : "string"
}
}
},
"coreOAuth2Config" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time an access token is valid for, in seconds.",
"propertyOrder" : 30,
"required" : true,
"type" : "integer"
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the token will never expire.",
"propertyOrder" : 20,
"required" : true,
"type" : "integer"
},
"usePolicyEngineForScope" : {
"title" : "Use Policy Engine for Scope decisions",
"description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.",
"propertyOrder" : 55,
"required" : true,
"type" : "boolean"
},
"issueRefreshTokenOnRefreshedToken" : {
"title" : "Issue Refresh Tokens on Refreshing Access Tokens",
"description" : "Whether to issue a refresh token when refreshing an access token.",
"propertyOrder" : 50,
"required" : true,
"type" : "boolean"
},
"statelessTokensEnabled" : {
"title" : "Use Stateless Access & Refresh Tokens",
"description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.",
"propertyOrder" : 3,
"required" : true,
"type" : "boolean"
},
"issueRefreshToken" : {
"title" : "Issue Refresh Tokens",
"description" : "Whether to issue a refresh token when returning an access token.",
"propertyOrder" : 40,
"required" : true,
"type" : "boolean"
},
"codeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time an authorization code is valid for, in seconds.",
"propertyOrder" : 10,
"required" : true,
"type" : "integer"
}
}
},
"deviceCodeConfig" : {
"type" : "object",
"title" : "Device Flow",
"propertyOrder" : 5,
"properties" : {
"devicePollInterval" : {
"title" : "Device Polling Interval",
"description" : "The polling frequency for devices waiting for tokens when using the device code flow.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"completionUrl" : {
"title" : "Device Completion URL",
"description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.",
"propertyOrder" : 380,
"required" : false,
"type" : "string"
},
"deviceCodeLifetime" : {
"title" : "Device Code Lifetime (seconds)",
"description" : "The lifetime of the device code, in seconds.",
"propertyOrder" : 390,
"required" : true,
"type" : "integer"
},
"verificationUrl" : {
"title" : "Verification URL",
"description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.",
"propertyOrder" : 370,
"required" : false,
"type" : "string"
}
}
},
"coreOIDCConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 3,
"properties" : {
"tokenEncryptionSigningKeyAlias" : {
"title" : "Token Encryption RSA Public/Private Key Pair Alias",
"description" : "The list of public/private key pairs used for the RSA algorithms (RSA1_5/RSA-OAEP/RSA-OAEP-256). Add an entry to specify an alias for a specific RSA algorithm, for example <code>RSA1_5|rsa1_5Alias</code>.<br><br>Each of the public/private key pairs will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 441,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The amount of time the JWT will be valid for, in seconds.",
"propertyOrder" : 210,
"required" : true,
"type" : "integer"
},
"supportedIDTokenEncryptionMethods" : {
"title" : "ID Token Encryption Methods supported",
"description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 180,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidcClaimsScript" : {
"title" : "OIDC Claims Script",
"description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.",
"propertyOrder" : 80,
"required" : true,
"type" : "string"
},
"supportedIDTokenSigningAlgorithms" : {
"title" : "ID Token Signing Algorithms supported",
"description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 160,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedIDTokenEncryptionAlgorithms" : {
"title" : "ID Token Encryption Algorithms supported",
"description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide its contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
"propertyOrder" : 170,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedClaims" : {
"title" : "Supported Claims",
"description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.",
"propertyOrder" : 190,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"advancedOIDCConfig" : {
"type" : "object",
"title" : "Advanced OpenID Connect",
"propertyOrder" : 4,
"properties" : {
"authorisedOpenIdConnectSSOClients" : {
"title" : "Authorized OIDC SSO Clients",
"description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.",
"propertyOrder" : 446,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"jkwsURI" : {
"title" : "Remote JSON Web Key URL",
"description" : "The remote URL where the provider's JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.",
"propertyOrder" : 140,
"required" : false,
"type" : "string"
},
"supportedRequestParameterEncryptionAlgorithms" : {
"title" : "Request Parameter Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to decrypt Request parameter.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
"propertyOrder" : 443,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"idTokenInfoClientAuthenticationEnabled" : {
"title" : "Idtokeninfo Endpoint Requires Client Authentication",
"description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
"propertyOrder" : 225,
"required" : true,
"type" : "boolean"
},
"supportedRequestParameterEncryptionEnc" : {
"title" : "Request Parameter Encryption Methods Supported",
"description" : "Encryption methods supported to decrypt Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 444,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"amrMappings" : {
"title" : "OpenID Connect id_token amr Values to Auth Module Mappings",
"description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.",
"propertyOrder" : 330,
"required" : false,
"type" : "object"
},
"loaMapping" : {
"title" : "OpenID Connect acr_values to Auth Chain Mapping",
"description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.",
"propertyOrder" : 310,
"required" : false,
"type" : "object"
},
"storeOpsTokens" : {
"title" : "Store Ops Tokens",
"description" : "Whether OpenAM will store the <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store. Note that session management related endpoints will not work when this setting is disabled.",
"propertyOrder" : 410,
"required" : true,
"type" : "boolean"
},
"alwaysAddClaimsToToken" : {
"title" : "Always Return Claims in ID Tokens",
"description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.",
"propertyOrder" : 360,
"required" : true,
"type" : "boolean"
},
"defaultACR" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 320,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"requireRequestUriRegistration" : {
"title" : "Require Pre-registered request_uri Values",
"description" : "When enabled, any <code>request_uri</code> values used must be pre-registered using the <code>request_uris</code> registration parameter.",
"propertyOrder" : 445,
"required" : true,
"type" : "boolean"
},
"claimsParameterSupported" : {
"title" : "Enable \"claims_parameter_supported\"",
"description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.",
"propertyOrder" : 250,
"required" : true,
"type" : "boolean"
},
"supportedRequestParameterSigningAlgorithms" : {
"title" : "Request Parameter Signing Algorithms Supported",
"description" : "Algorithms supported to verify the signature of the Request parameter.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 442,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"clientDynamicRegistrationConfig" : {
"type" : "object",
"title" : "Client Dynamic Registration",
"propertyOrder" : 2,
"properties" : {
"dynamicClientRegistrationScope" : {
"title" : "Scope to give access to dynamic client registration",
"description" : "Mandatory scope required when registering a new OAuth2 client.",
"propertyOrder" : 455,
"required" : true,
"type" : "string"
},
"requiredSoftwareStatementAttestedAttributes" : {
"title" : "Required Software Statement Attested Attributes",
"description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.",
"propertyOrder" : 272,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"generateRegistrationAccessTokens" : {
"title" : "Generate Registration Access Tokens",
"description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"http://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.",
"propertyOrder" : 290,
"required" : true,
"type" : "boolean"
},
"allowDynamicRegistration" : {
"title" : "Allow Open Dynamic Client Registration",
"description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.",
"propertyOrder" : 280,
"required" : true,
"type" : "boolean"
},
"dynamicClientRegistrationSoftwareStatementRequired" : {
"title" : "Require Software Statement for Dynamic Client Registration",
"description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.",
"propertyOrder" : 271,
"required" : true,
"type" : "boolean"
}
}
},
"consent" : {
"type" : "object",
"title" : "Consent",
"propertyOrder" : 6,
"properties" : {
"supportedRcsResponseEncryptionAlgorithms" : {
"title" : "Remote Consent Service Response Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
"propertyOrder" : 453,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"savedConsentAttribute" : {
"title" : "Saved Consent Attribute Name",
"description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.",
"propertyOrder" : 110,
"required" : false,
"type" : "string"
},
"enableRemoteConsent" : {
"title" : "Enable Remote Consent",
"propertyOrder" : 447,
"required" : true,
"type" : "boolean"
},
"supportedRcsRequestEncryptionAlgorithms" : {
"title" : "Remote Consent Service Request Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
"propertyOrder" : 450,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"remoteConsentServiceId" : {
"title" : "Remote Consent Service ID",
"description" : "The ID of an existing remote consent service agent.",
"propertyOrder" : 448,
"required" : false,
"type" : "string"
},
"supportedRcsResponseSigningAlgorithms" : {
"title" : "Remote Consent Service Response Signing Algorithms Supported",
"description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 452,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsRequestSigningAlgorithms" : {
"title" : "Remote Consent Service Request Signing Algorithms Supported",
"description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 449,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientsCanSkipConsent" : {
"title" : "Allow Clients to Skip Consent",
"description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.",
"propertyOrder" : 420,
"required" : true,
"type" : "boolean"
},
"supportedRcsResponseEncryptionMethods" : {
"title" : "Remote Consent Service Response Encryption Methods Supported",
"description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 454,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsRequestEncryptionMethods" : {
"title" : "Remote Consent Service Request Encryption Methods Supported",
"description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 451,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedOAuth2Config" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"authenticationAttributes" : {
"title" : "User Profile Attribute(s) the Resource Owner is Authenticated On",
"description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultScopes" : {
"title" : "Default Client Scopes",
"description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"scopeImplementationClass" : {
"title" : "Scope Implementation Class",
"description" : "The class that contains the required scope implementation; it must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.",
"propertyOrder" : 70,
"required" : true,
"type" : "string"
},
"modifiedTimestampAttribute" : {
"title" : "Modified Timestamp Attribute Name",
"description" : "The identity Data Store attribute used to return modified timestamp values.",
"propertyOrder" : 340,
"required" : false,
"type" : "string"
},
"tokenSigningECDSAKeyAlias" : {
"title" : "Token Signing ECDSA Public/Private Key Pair Alias",
"description" : "The list of public/private key pairs used for the elliptic curve algorithms (ES256/ES384/ES512). Add an entry to specify an alias for a specific elliptic curve algorithm, for example <code>ES256|es256Alias</code>.<br><br>Each of the public/private key pairs will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 241,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"codeVerifierEnforced" : {
"title" : "Code Verifier Parameter Required",
"description" : "If enabled, requests using the authorization code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-spop-12\">draft specification for this feature</a>.",
"propertyOrder" : 270,
"required" : true,
"type" : "boolean"
},
"responseTypeClasses" : {
"title" : "Response Type Plugins",
"description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.",
"propertyOrder" : 90,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedScopes" : {
"title" : "Supported Scopes",
"description" : "The set of supported scopes, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe are omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example, specifying <code>read|</code> would allow the scope <code>read</code> to be used by the client, but would not display it to the user on the consent page when requested.</p>",
"propertyOrder" : 130,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedSubjectTypes" : {
"title" : "Subject Types supported",
"description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>",
"propertyOrder" : 150,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"tokenEncryptionEnabled" : {
"title" : "Enable Stateless Token Encryption",
"description" : "Whether stateless access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.",
"propertyOrder" : 242,
"required" : true,
"type" : "boolean"
},
"moduleMessageEnabledInPasswordGrant" : {
"title" : "Enable Auth Module Messages for Password Credentials Grant",
"description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.",
"propertyOrder" : 440,
"required" : true,
"type" : "boolean"
},
"tokenSigningAlgorithm" : {
"title" : "OAuth2 Token Signing Algorithm",
"description" : "Algorithm used to sign stateless OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 220,
"required" : true,
"type" : "string"
},
"tokenCompressionEnabled" : {
"title" : "Stateless Token Compression",
"description" : "Whether stateless access and refresh tokens should be compressed.",
"propertyOrder" : 223,
"required" : true,
"type" : "boolean"
},
"tokenSigningHmacSharedSecret" : {
"title" : "Token Signing HMAC Shared Secret",
"description" : "Base64-encoded key used by HS256, HS384 and HS512.",
"propertyOrder" : 230,
"required" : true,
"type" : "string",
"format" : "password"
},
"hashSalt" : {
"title" : "Subject Identifier Hash Salt",
"description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.",
"propertyOrder" : 260,
"required" : false,
"type" : "string",
"exampleValue" : "changeme"
},
"customLoginUrlTemplate" : {
"title" : "Custom Login URL Template",
"description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: The default OpenAM login page is constructed using the \"Base URL Source\" service.",
"propertyOrder" : 60,
"required" : false,
"type" : "string"
},
"tokenEncryptionKeyAlias" : {
"title" : "Token Encryption Secret Key Alias",
"description" : "The secret key used for encryption.<br><br>The secret key will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 243,
"required" : false,
"type" : "string"
},
"displayNameAttribute" : {
"title" : "User Display Name attribute",
"description" : "The profile attribute that contains the name to be displayed for the user on the consent page.",
"propertyOrder" : 120,
"required" : true,
"type" : "string"
},
"createdTimestampAttribute" : {
"title" : "Created Timestamp Attribute Name",
"description" : "The identity Data Store attribute used to return created timestamp values.",
"propertyOrder" : 350,
"required" : false,
"type" : "string"
},
"keypairName" : {
"title" : "Token Signing RSA Public/Private Key Pair",
"description" : "The public/private key pair used by RS256.<br><br>The public/private key pair will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 240,
"required" : true,
"type" : "string"
}
}
},
"coreOAuth2Config" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time an access token is valid for, in seconds.",
"propertyOrder" : 30,
"required" : true,
"type" : "integer"
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the token will never expire.",
"propertyOrder" : 20,
"required" : true,
"type" : "integer"
},
"usePolicyEngineForScope" : {
"title" : "Use Policy Engine for Scope decisions",
"description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.",
"propertyOrder" : 55,
"required" : true,
"type" : "boolean"
},
"issueRefreshTokenOnRefreshedToken" : {
"title" : "Issue Refresh Tokens on Refreshing Access Tokens",
"description" : "Whether to issue a refresh token when refreshing an access token.",
"propertyOrder" : 50,
"required" : true,
"type" : "boolean"
},
"statelessTokensEnabled" : {
"title" : "Use Stateless Access & Refresh Tokens",
"description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.",
"propertyOrder" : 3,
"required" : true,
"type" : "boolean"
},
"issueRefreshToken" : {
"title" : "Issue Refresh Tokens",
"description" : "Whether to issue a refresh token when returning an access token.",
"propertyOrder" : 40,
"required" : true,
"type" : "boolean"
},
"codeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time an authorization code is valid for, in seconds.",
"propertyOrder" : 10,
"required" : true,
"type" : "integer"
}
}
},
"deviceCodeConfig" : {
"type" : "object",
"title" : "Device Flow",
"propertyOrder" : 5,
"properties" : {
"devicePollInterval" : {
"title" : "Device Polling Interval",
"description" : "The polling frequency for devices waiting for tokens when using the device code flow.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"completionUrl" : {
"title" : "Device Completion URL",
"description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.",
"propertyOrder" : 380,
"required" : false,
"type" : "string"
},
"deviceCodeLifetime" : {
"title" : "Device Code Lifetime (seconds)",
"description" : "The lifetime of the device code, in seconds.",
"propertyOrder" : 390,
"required" : true,
"type" : "integer"
},
"verificationUrl" : {
"title" : "Verification URL",
"description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.",
"propertyOrder" : 370,
"required" : false,
"type" : "string"
}
}
},
"coreOIDCConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 3,
"properties" : {
"tokenEncryptionSigningKeyAlias" : {
"title" : "Token Encryption RSA Public/Private Key Pair Alias",
"description" : "The list of public/private key pairs used for the RSA algorithms (RSA1_5/RSA-OAEP/RSA-OAEP-256). Add an entry to specify an alias for a specific RSA algorithm, for example <code>RSA1_5|rsa1_5Alias</code>.<br><br>Each of the public/private key pairs will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 441,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The amount of time the JWT will be valid for, in seconds.",
"propertyOrder" : 210,
"required" : true,
"type" : "integer"
},
"supportedIDTokenEncryptionMethods" : {
"title" : "ID Token Encryption Methods supported",
"description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide their contents.<br><br>OpenAM supports the following ID token encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 180,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidcClaimsScript" : {
"title" : "OIDC Claims Script",
"description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.",
"propertyOrder" : 80,
"required" : true,
"type" : "string"
},
"supportedIDTokenSigningAlgorithms" : {
"title" : "ID Token Signing Algorithms supported",
"description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 160,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedIDTokenEncryptionAlgorithms" : {
"title" : "ID Token Encryption Algorithms supported",
"description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide their contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
"propertyOrder" : 170,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedClaims" : {
"title" : "Supported Claims",
"description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe-separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code><p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe are omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example, specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.",
"propertyOrder" : 190,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"advancedOIDCConfig" : {
"type" : "object",
"title" : "Advanced OpenID Connect",
"propertyOrder" : 4,
"properties" : {
"authorisedOpenIdConnectSSOClients" : {
"title" : "Authorized OIDC SSO Clients",
"description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.",
"propertyOrder" : 446,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"jkwsURI" : {
"title" : "Remote JSON Web Key URL",
"description" : "The remote URL where the provider's JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.",
"propertyOrder" : 140,
"required" : false,
"type" : "string"
},
"supportedRequestParameterEncryptionAlgorithms" : {
"title" : "Request Parameter Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to decrypt the Request parameter.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
"propertyOrder" : 443,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"idTokenInfoClientAuthenticationEnabled" : {
"title" : "Idtokeninfo Endpoint Requires Client Authentication",
"description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
"propertyOrder" : 225,
"required" : true,
"type" : "boolean"
},
"supportedRequestParameterEncryptionEnc" : {
"title" : "Request Parameter Encryption Methods Supported",
"description" : "Encryption methods supported to decrypt the Request parameter.<br><br>OpenAM supports the following Request parameter encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 444,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"amrMappings" : {
"title" : "OpenID Connect id_token amr Values to Auth Module Mappings",
"description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.",
"propertyOrder" : 330,
"required" : false,
"type" : "object"
},
"loaMapping" : {
"title" : "OpenID Connect acr_values to Auth Chain Mapping",
"description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.",
"propertyOrder" : 310,
"required" : false,
"type" : "object"
},
"storeOpsTokens" : {
"title" : "Store Ops Tokens",
"description" : "Whether OpenAM will store the <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store. Note that session management-related endpoints will not work when this setting is disabled.",
"propertyOrder" : 410,
"required" : true,
"type" : "boolean"
},
"alwaysAddClaimsToToken" : {
"title" : "Always Return Claims in ID Tokens",
"description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.",
"propertyOrder" : 360,
"required" : true,
"type" : "boolean"
},
"defaultACR" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 320,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"requireRequestUriRegistration" : {
"title" : "Require Pre-registered request_uri Values",
"description" : "When enabled, any <code>request_uri</code> values used must be pre-registered using the <code>request_uris</code> registration parameter.",
"propertyOrder" : 445,
"required" : true,
"type" : "boolean"
},
"claimsParameterSupported" : {
"title" : "Enable \"claims_parameter_supported\"",
"description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.",
"propertyOrder" : 250,
"required" : true,
"type" : "boolean"
},
"supportedRequestParameterSigningAlgorithms" : {
"title" : "Request Parameter Signing Algorithms Supported",
"description" : "Algorithms supported to verify the signature of the Request parameter.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 442,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"clientDynamicRegistrationConfig" : {
"type" : "object",
"title" : "Client Dynamic Registration",
"propertyOrder" : 2,
"properties" : {
"dynamicClientRegistrationScope" : {
"title" : "Scope to give access to dynamic client registration",
"description" : "Mandatory scope required when registering a new OAuth2 client.",
"propertyOrder" : 455,
"required" : true,
"type" : "string"
},
"requiredSoftwareStatementAttestedAttributes" : {
"title" : "Required Software Statement Attested Attributes",
"description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.",
"propertyOrder" : 272,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"generateRegistrationAccessTokens" : {
"title" : "Generate Registration Access Tokens",
"description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"http://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.",
"propertyOrder" : 290,
"required" : true,
"type" : "boolean"
},
"allowDynamicRegistration" : {
"title" : "Allow Open Dynamic Client Registration",
"description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.",
"propertyOrder" : 280,
"required" : true,
"type" : "boolean"
},
"dynamicClientRegistrationSoftwareStatementRequired" : {
"title" : "Require Software Statement for Dynamic Client Registration",
"description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.",
"propertyOrder" : 271,
"required" : true,
"type" : "boolean"
}
}
},
"consent" : {
"type" : "object",
"title" : "Consent",
"propertyOrder" : 6,
"properties" : {
"supportedRcsResponseEncryptionAlgorithms" : {
"title" : "Remote Consent Service Response Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
"propertyOrder" : 453,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"savedConsentAttribute" : {
"title" : "Saved Consent Attribute Name",
"description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.",
"propertyOrder" : 110,
"required" : false,
"type" : "string"
},
"enableRemoteConsent" : {
"title" : "Enable Remote Consent",
"propertyOrder" : 447,
"required" : true,
"type" : "boolean"
},
"supportedRcsRequestEncryptionAlgorithms" : {
"title" : "Remote Consent Service Request Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
"propertyOrder" : 450,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"remoteConsentServiceId" : {
"title" : "Remote Consent Service ID",
"description" : "The ID of an existing remote consent service agent.",
"propertyOrder" : 448,
"required" : false,
"type" : "string"
},
"supportedRcsResponseSigningAlgorithms" : {
"title" : "Remote Consent Service Response Signing Algorithms Supported",
"description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 452,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsRequestSigningAlgorithms" : {
"title" : "Remote Consent Service Request Signing Algorithms Supported",
"description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 449,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientsCanSkipConsent" : {
"title" : "Allow Clients to Skip Consent",
"description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.",
"propertyOrder" : 420,
"required" : true,
"type" : "boolean"
},
"supportedRcsResponseEncryptionMethods" : {
"title" : "Remote Consent Service Response Encryption Methods Supported",
"description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 454,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsRequestEncryptionMethods" : {
"title" : "Remote Consent Service Request Encryption Methods Supported",
"description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 451,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedOAuth2Config" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"authenticationAttributes" : {
"title" : "User Profile Attribute(s) the Resource Owner is Authenticated On",
"description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultScopes" : {
"title" : "Default Client Scopes",
"description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"scopeImplementationClass" : {
"title" : "Scope Implementation Class",
"description" : "The class that contains the required scope implementation. It must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.",
"propertyOrder" : 70,
"required" : true,
"type" : "string"
},
"modifiedTimestampAttribute" : {
"title" : "Modified Timestamp Attribute Name",
"description" : "The identity Data Store attribute used to return modified timestamp values.",
"propertyOrder" : 340,
"required" : false,
"type" : "string"
},
"tokenSigningECDSAKeyAlias" : {
"title" : "Token Signing ECDSA Public/Private Key Pair Alias",
"description" : "The list of public/private key pairs used for the elliptic curve algorithms (ES256/ES384/ES512). Add an entry to specify an alias for a specific elliptic curve algorithm, for example <code>ES256|es256Alias</code>.<br><br>Each of the public/private key pairs will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 241,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"codeVerifierEnforced" : {
"title" : "Code Verifier Parameter Required",
"description" : "If enabled, requests using the authorization code grant require a <code>code_challenge</code> attribute.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-spop-12\">draft specification for this feature</a>.",
"propertyOrder" : 270,
"required" : true,
"type" : "boolean"
},
"responseTypeClasses" : {
"title" : "Response Type Plugins",
"description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.",
"propertyOrder" : 90,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedScopes" : {
"title" : "Supported Scopes",
"description" : "The set of supported scopes, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and pipe are omitted, the description is displayed to all users that have undefined locales.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example, specifying <code>read|</code> would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.</p>",
"propertyOrder" : 130,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedSubjectTypes" : {
"title" : "Subject Types supported",
"description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>",
"propertyOrder" : 150,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"tokenEncryptionEnabled" : {
"title" : "Enable Stateless Token Encryption",
"description" : "Whether stateless access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.",
"propertyOrder" : 242,
"required" : true,
"type" : "boolean"
},
"moduleMessageEnabledInPasswordGrant" : {
"title" : "Enable Auth Module Messages for Password Credentials Grant",
"description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.",
"propertyOrder" : 440,
"required" : true,
"type" : "boolean"
},
"tokenSigningAlgorithm" : {
"title" : "OAuth2 Token Signing Algorithm",
"description" : "Algorithm used to sign stateless OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 220,
"required" : true,
"type" : "string"
},
"tokenCompressionEnabled" : {
"title" : "Stateless Token Compression",
"description" : "Whether stateless access and refresh tokens should be compressed.",
"propertyOrder" : 223,
"required" : true,
"type" : "boolean"
},
"tokenSigningHmacSharedSecret" : {
"title" : "Token Signing HMAC Shared Secret",
"description" : "Base64-encoded key used by HS256, HS384 and HS512.",
"propertyOrder" : 230,
"required" : true,
"type" : "string",
"format" : "password"
},
"hashSalt" : {
"title" : "Subject Identifier Hash Salt",
"description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.",
"propertyOrder" : 260,
"required" : false,
"type" : "string",
"exampleValue" : "changeme"
},
"customLoginUrlTemplate" : {
"title" : "Custom Login URL Template",
"description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: The default OpenAM login page is constructed using the \"Base URL Source\" service.",
"propertyOrder" : 60,
"required" : false,
"type" : "string"
},
"tokenEncryptionKeyAlias" : {
"title" : "Token Encryption Secret Key Alias",
"description" : "The secret key used for encryption.<br><br>The secret key will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 243,
"required" : false,
"type" : "string"
},
"displayNameAttribute" : {
"title" : "User Display Name attribute",
"description" : "The profile attribute that contains the name to be displayed for the user on the consent page.",
"propertyOrder" : 120,
"required" : true,
"type" : "string"
},
"createdTimestampAttribute" : {
"title" : "Created Timestamp Attribute Name",
"description" : "The identity Data Store attribute used to return created timestamp values.",
"propertyOrder" : 350,
"required" : false,
"type" : "string"
},
"keypairName" : {
"title" : "Token Signing RSA Public/Private Key Pair",
"description" : "The public/private key pair used by RS256.<br><br>The public/private key pair will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 240,
"required" : true,
"type" : "string"
}
}
},
"coreOAuth2Config" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time an access token is valid for, in seconds.",
"propertyOrder" : 30,
"required" : true,
"type" : "integer"
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the token will never expire.",
"propertyOrder" : 20,
"required" : true,
"type" : "integer"
},
"usePolicyEngineForScope" : {
"title" : "Use Policy Engine for Scope decisions",
"description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.",
"propertyOrder" : 55,
"required" : true,
"type" : "boolean"
},
"issueRefreshTokenOnRefreshedToken" : {
"title" : "Issue Refresh Tokens on Refreshing Access Tokens",
"description" : "Whether to issue a refresh token when refreshing an access token.",
"propertyOrder" : 50,
"required" : true,
"type" : "boolean"
},
"statelessTokensEnabled" : {
"title" : "Use Stateless Access & Refresh Tokens",
"description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.",
"propertyOrder" : 3,
"required" : true,
"type" : "boolean"
},
"issueRefreshToken" : {
"title" : "Issue Refresh Tokens",
"description" : "Whether to issue a refresh token when returning an access token.",
"propertyOrder" : 40,
"required" : true,
"type" : "boolean"
},
"codeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time an authorization code is valid for, in seconds.",
"propertyOrder" : 10,
"required" : true,
"type" : "integer"
}
}
},
"deviceCodeConfig" : {
"type" : "object",
"title" : "Device Flow",
"propertyOrder" : 5,
"properties" : {
"devicePollInterval" : {
"title" : "Device Polling Interval",
"description" : "The polling frequency for devices waiting for tokens when using the device code flow.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"completionUrl" : {
"title" : "Device Completion URL",
"description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.",
"propertyOrder" : 380,
"required" : false,
"type" : "string"
},
"deviceCodeLifetime" : {
"title" : "Device Code Lifetime (seconds)",
"description" : "The lifetime of the device code, in seconds.",
"propertyOrder" : 390,
"required" : true,
"type" : "integer"
},
"verificationUrl" : {
"title" : "Verification URL",
"description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.",
"propertyOrder" : 370,
"required" : false,
"type" : "string"
}
}
},
"coreOIDCConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 3,
"properties" : {
"tokenEncryptionSigningKeyAlias" : {
"title" : "Token Encryption RSA Public/Private Key Pair Alias",
"description" : "The list of public/private key pairs used for the RSA algorithms (RSA1_5/RSA-OAEP/RSA-OAEP-256). Add an entry to specify an alias for a specific RSA algorithm, for example <code>RSA1_5|rsa1_5Alias</code>.<br><br>Each of the public/private key pairs will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 441,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The amount of time the JWT will be valid for, in seconds.",
"propertyOrder" : 210,
"required" : true,
"type" : "integer"
},
"supportedIDTokenEncryptionMethods" : {
"title" : "ID Token Encryption Methods supported",
"description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide their contents.<br><br>OpenAM supports the following ID token encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 180,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidcClaimsScript" : {
"title" : "OIDC Claims Script",
"description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.",
"propertyOrder" : 80,
"required" : true,
"type" : "string"
},
"supportedIDTokenSigningAlgorithms" : {
"title" : "ID Token Signing Algorithms supported",
"description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 160,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedIDTokenEncryptionAlgorithms" : {
"title" : "ID Token Encryption Algorithms supported",
"description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide their contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
"propertyOrder" : 170,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedClaims" : {
"title" : "Supported Claims",
"description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe-separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and pipe are omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example, specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.",
"propertyOrder" : 190,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"advancedOIDCConfig" : {
"type" : "object",
"title" : "Advanced OpenID Connect",
"propertyOrder" : 4,
"properties" : {
"authorisedOpenIdConnectSSOClients" : {
"title" : "Authorized OIDC SSO Clients",
"description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.",
"propertyOrder" : 446,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"jkwsURI" : {
"title" : "Remote JSON Web Key URL",
"description" : "The remote URL where the provider's JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.",
"propertyOrder" : 140,
"required" : false,
"type" : "string"
},
"supportedRequestParameterEncryptionAlgorithms" : {
"title" : "Request Parameter Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to decrypt the Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
"propertyOrder" : 443,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"idTokenInfoClientAuthenticationEnabled" : {
"title" : "Idtokeninfo Endpoint Requires Client Authentication",
"description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
"propertyOrder" : 225,
"required" : true,
"type" : "boolean"
},
"supportedRequestParameterEncryptionEnc" : {
"title" : "Request Parameter Encryption Methods Supported",
"description" : "Encryption methods supported for decrypting the <code>request</code> parameter (request object JWT).<br><br>OpenAM supports the following request parameter encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 444,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"amrMappings" : {
"title" : "OpenID Connect id_token amr Values to Auth Module Mappings",
"description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.",
"propertyOrder" : 330,
"required" : false,
"type" : "object"
},
"loaMapping" : {
"title" : "OpenID Connect acr_values to Auth Chain Mapping",
"description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.",
"propertyOrder" : 310,
"required" : false,
"type" : "object"
},
"storeOpsTokens" : {
"title" : "Store Ops Tokens",
"description" : "Whether OpenAM will store the <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store. Note that session management related endpoints will not work when this setting is disabled.",
"propertyOrder" : 410,
"required" : true,
"type" : "boolean"
},
"alwaysAddClaimsToToken" : {
"title" : "Always Return Claims in ID Tokens",
"description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.",
"propertyOrder" : 360,
"required" : true,
"type" : "boolean"
},
"defaultACR" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 320,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"requireRequestUriRegistration" : {
"title" : "Require Pre-registered request_uri Values",
"description" : "When enabled, any <code>request_uri</code> values used must be pre-registered using the <code>request_uris</code> registration parameter.",
"propertyOrder" : 445,
"required" : true,
"type" : "boolean"
},
"claimsParameterSupported" : {
"title" : "Enable \"claims_parameter_supported\"",
"description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.",
"propertyOrder" : 250,
"required" : true,
"type" : "boolean"
},
"supportedRequestParameterSigningAlgorithms" : {
"title" : "Request Parameter Signing Algorithms Supported",
"description" : "Algorithms supported to verify the signature of the <code>request</code> parameter (request object JWT).<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 442,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"clientDynamicRegistrationConfig" : {
"type" : "object",
"title" : "Client Dynamic Registration",
"propertyOrder" : 2,
"properties" : {
"dynamicClientRegistrationScope" : {
"title" : "Scope to give access to dynamic client registration",
"description" : "Mandatory scope required when registering a new OAuth2 client.",
"propertyOrder" : 455,
"required" : true,
"type" : "string"
},
"requiredSoftwareStatementAttestedAttributes" : {
"title" : "Required Software Statement Attested Attributes",
"description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.",
"propertyOrder" : 272,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"generateRegistrationAccessTokens" : {
"title" : "Generate Registration Access Tokens",
"description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"http://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.",
"propertyOrder" : 290,
"required" : true,
"type" : "boolean"
},
"allowDynamicRegistration" : {
"title" : "Allow Open Dynamic Client Registration",
"description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.",
"propertyOrder" : 280,
"required" : true,
"type" : "boolean"
},
"dynamicClientRegistrationSoftwareStatementRequired" : {
"title" : "Require Software Statement for Dynamic Client Registration",
"description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.",
"propertyOrder" : 271,
"required" : true,
"type" : "boolean"
}
}
},
"consent" : {
"type" : "object",
"title" : "Consent",
"propertyOrder" : 6,
"properties" : {
"supportedRcsResponseEncryptionAlgorithms" : {
"title" : "Remote Consent Service Response Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
"propertyOrder" : 453,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"savedConsentAttribute" : {
"title" : "Saved Consent Attribute Name",
"description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.",
"propertyOrder" : 110,
"required" : false,
"type" : "string"
},
"enableRemoteConsent" : {
"title" : "Enable Remote Consent",
"propertyOrder" : 447,
"required" : true,
"type" : "boolean"
},
"supportedRcsRequestEncryptionAlgorithms" : {
"title" : "Remote Consent Service Request Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
"propertyOrder" : 450,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"remoteConsentServiceId" : {
"title" : "Remote Consent Service ID",
"description" : "The ID of an existing remote consent service agent.",
"propertyOrder" : 448,
"required" : false,
"type" : "string"
},
"supportedRcsResponseSigningAlgorithms" : {
"title" : "Remote Consent Service Response Signing Algorithms Supported",
"description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 452,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsRequestSigningAlgorithms" : {
"title" : "Remote Consent Service Request Signing Algorithms Supported",
"description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 449,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientsCanSkipConsent" : {
"title" : "Allow Clients to Skip Consent",
"description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.",
"propertyOrder" : 420,
"required" : true,
"type" : "boolean"
},
"supportedRcsResponseEncryptionMethods" : {
"title" : "Remote Consent Service Response Encryption Methods Supported",
"description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 454,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsRequestEncryptionMethods" : {
"title" : "Remote Consent Service Request Encryption Methods Supported",
"description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 451,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
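The pipe-separated entry format used by supportedClaims above (and by supportedScopes, which takes the same name|locale|description form) has several edge cases: a bare "name|" makes the claim usable but hides it on the consent page, a description may itself contain a pipe, and a malformed locale silently becomes part of the description. The following parser and consent-page lookup is an added example, not OpenAM's own code. The locale character classes, the parent-locale fallback (en_US_WIN to en_US to en) and the choice to display a plain entry's bare name are this example's assumptions; the page does not specify them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Locale form given on the page: language + "_" + country + "_" + variant,
# e.g. "en", "en_GB", "en_US_WIN". The character classes are an assumption.
_LOCALE_RE = re.compile(r"^[a-z]{2,3}(_[A-Z]{2}(_[A-Za-z0-9]+)?)?$")


@dataclass(frozen=True)
class Entry:
    name: str                   # internal scope or claim name
    locale: Optional[str]       # None: entry for users with an undefined locale
    description: Optional[str]  # None: plain string, no text configured
                                # "":   explicitly hidden, as in "family_name|"


def parse_entry(raw: str) -> Entry:
    """Parse one supportedScopes / supportedClaims entry.

    Forms, as described on the page:
      name                    plain string
      name|                   usable by clients, nothing shown on consent page
      name|description        shown to users whose locale is undefined
      name|locale|description shown to users with that locale
    The second field is treated as a locale only when it looks like one, so a
    description such as "Basic profile|name and picture" survives intact.
    """
    raw = raw.strip()
    if "|" not in raw:
        if not raw:
            raise ValueError("empty entry")
        return Entry(raw, None, None)
    name, rest = raw.split("|", 1)
    if not name:
        raise ValueError(f"missing name in entry {raw!r}")
    if rest == "":
        return Entry(name, None, "")
    if "|" in rest:
        maybe_locale, description = rest.split("|", 1)
        if _LOCALE_RE.match(maybe_locale):
            return Entry(name, maybe_locale, description)
    return Entry(name, None, rest)


def load_entries(raw_entries):
    """Parse a whole list and reject duplicate (name, locale) pairs, which
    would otherwise make the displayed text depend on list order."""
    entries, seen = [], set()
    for raw in raw_entries:
        entry = parse_entry(raw)
        key = (entry.name, entry.locale)
        if key in seen:
            raise ValueError(f"duplicate entry for {key}")
        seen.add(key)
        entries.append(entry)
    return entries


def supported_names(entries):
    return {e.name for e in entries}


def consent_text(entries, name: str, user_locale: Optional[str] = None) -> Optional[str]:
    """Text to show for `name` on the consent page, or None to show nothing.

    Lookup order (this example's choice; the page only says a locale-less
    entry serves users with an undefined locale): exact locale, then parent
    locales (en_US_WIN -> en_US -> en), then the locale-less entry.
    """
    by_locale = {e.locale: e for e in entries if e.name == name}
    if not by_locale:
        raise KeyError(f"{name!r} is not a supported scope/claim")
    chain = []
    if user_locale:
        parts = user_locale.split("_")
        chain = ["_".join(parts[:i]) for i in range(len(parts), 0, -1)]
    for locale in chain + [None]:
        entry = by_locale.get(locale)
        if entry is None:
            continue
        if entry.description is None:
            return name                   # plain string: show the bare name (assumption)
        return entry.description or None  # "" means hidden
    return None


# Constructed sample configuration, mixing every form the page describes.
SAMPLE_ENTRIES = load_entries([
    "openid",
    "family_name|",
    "name|en|Your full name.",
    "name|fr|Votre nom complet.",
    "email|en_GB|Your e-mail address.",
    "read|Permission to view email messages in your account",
    "profile|Basic profile|name and picture",
])

if __name__ == "__main__":
    for claim, loc in [("name", "en_US"), ("family_name", "en"), ("profile", "de"), ("openid", None)]:
        print(f"{claim:12} {loc!s:6} -> {consent_text(SAMPLE_ENTRIES, claim, loc)!r}")
```

Running load_entries over a candidate configuration before saving it catches the two mistakes that are otherwise invisible in the console: a duplicated (name, locale) pair and an entry whose "locale" was really the start of a description.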
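The Client Dynamic Registration settings above form a small policy: an open registration endpoint may accept callers without an access token (and, if enabled, mints them a registration access token), otherwise a bearer token carrying the registration scope is required; a software statement JWT with at least an iss claim may be demanded, and specific attested attributes may be required inside it. The following is an added example, not OpenAM's code, that applies those settings to one registration request. It assumes software statements are HS256-signed with a per-issuer secret selected by iss, which the page does not specify (real publishers typically sign with asymmetric keys), and it treats attested values as overriding the plain request body, which is this example's policy rather than something the page states.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


class RegistrationError(Exception):
    """Rejected registration; `error` uses the RFC 7591 error codes."""
    def __init__(self, error: str, detail: str):
        super().__init__(f"{error}: {detail}")
        self.error = error


@dataclass(frozen=True)
class RegistrationConfig:
    # Mirrors the clientDynamicRegistrationConfig properties above.
    allow_dynamic_registration: bool           # allowDynamicRegistration
    registration_scope: str                    # dynamicClientRegistrationScope
    software_statement_required: bool          # dynamicClientRegistrationSoftwareStatementRequired
    required_attested_attributes: frozenset    # requiredSoftwareStatementAttestedAttributes
    generate_registration_access_tokens: bool  # generateRegistrationAccessTokens


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS; only used to build the constructed sample below."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def verify_software_statement(jws: str, issuer_keys: dict) -> dict:
    """Return the claims of a software statement after checking iss and signature.

    Assumption: statements are HS256-signed with a per-issuer secret selected by
    the iss claim. The page only requires that iss be present.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise RegistrationError("invalid_software_statement", "not a compact JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:
        raise RegistrationError("invalid_software_statement", f"malformed JWS: {exc}") from exc
    issuer = claims.get("iss")
    if not issuer:
        raise RegistrationError("invalid_software_statement", "iss claim is required")
    key = issuer_keys.get(issuer)
    if key is None:
        raise RegistrationError("invalid_software_statement", f"unknown issuer {issuer!r}")
    # The key decides the algorithm; the header's alg is checked against it, never trusted alone.
    if header.get("alg") != "HS256":
        raise RegistrationError("invalid_software_statement", "unsupported alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise RegistrationError("invalid_software_statement", "bad signature")
    return claims


def check_registration(config: RegistrationConfig, body: dict,
                       bearer_scopes: Optional[set] = None,
                       issuer_keys: Optional[dict] = None) -> dict:
    """Apply the registration settings to one POST to the registration endpoint.

    bearer_scopes is the scope set of the caller's access token, or None when
    the request carried no token (open registration).
    """
    issuer_keys = issuer_keys or {}
    # 1. Authentication: without open registration a token with the registration scope is mandatory.
    if bearer_scopes is None:
        if not config.allow_dynamic_registration:
            raise RegistrationError("invalid_token", "open registration is disabled")
    elif config.registration_scope not in bearer_scopes:
        raise RegistrationError("insufficient_scope", f"token lacks {config.registration_scope!r}")
    # 2. Software statement: required or optional, but always verified when present.
    statement = body.get("software_statement")
    if config.software_statement_required and not statement:
        raise RegistrationError("invalid_software_statement", "software statement required")
    attested = {}
    if statement:
        attested = verify_software_statement(statement, issuer_keys)
        missing = config.required_attested_attributes - set(attested)
        if config.software_statement_required and missing:
            raise RegistrationError("invalid_software_statement",
                                    f"statement lacks attested attributes {sorted(missing)}")
    # 3. Merge: attested values override the plain JSON body (this example's policy), so a
    #    client cannot replace what its publisher vouched for, e.g. redirect_uris.
    metadata = {k: v for k, v in body.items() if k != "software_statement"}
    metadata.update({k: v for k, v in attested.items() if k not in ("iss", "iat", "exp", "jti")})
    # 4. Registration access tokens are only minted for open (token-less) registrations.
    issue_rat = bearer_scopes is None and config.generate_registration_access_tokens
    return {"metadata": metadata, "issue_registration_access_token": issue_rat}


# Constructed sample: a publisher secret (demo only) and a statement it signed.
PUBLISHER_KEY = b"publisher-demo-secret-not-for-production"
ISSUER_KEYS = {"https://publisher.example": PUBLISHER_KEY}
STRICT_CONFIG = RegistrationConfig(True, "dynamic_client_registration", True,
                                   frozenset({"software_id", "redirect_uris"}), True)
SAMPLE_STATEMENT = sign_hs256({"iss": "https://publisher.example", "software_id": "mail-app-1",
                               "redirect_uris": ["https://app.example/cb"]}, PUBLISHER_KEY)

if __name__ == "__main__":
    decision = check_registration(STRICT_CONFIG, {"client_name": "Mail app",
                                  "redirect_uris": ["https://attacker.example/cb"],
                                  "software_statement": SAMPLE_STATEMENT}, None, ISSUER_KEYS)
    print(json.dumps(decision, indent=2))
```

The sample request tries to register an attacker-controlled redirect URI alongside a valid software statement; with attested values winning, the publisher's redirect_uris survive and the client-supplied one is dropped. Open registration with rate limiting, as the page advises, is still the weaker posture: the software statement check is what ties a registration to an identifiable publisher.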
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"advancedOAuth2Config" : {
"type" : "object",
"title" : "Advanced",
"propertyOrder" : 1,
"properties" : {
"authenticationAttributes" : {
"title" : "User Profile Attribute(s) the Resource Owner is Authenticated On",
"description" : "Names of profile attributes that resource owners use to log in. You can add others to the default, for example <code>mail</code>.",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"defaultScopes" : {
"title" : "Default Client Scopes",
"description" : "List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the OpenAM console.",
"propertyOrder" : 200,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"scopeImplementationClass" : {
"title" : "Scope Implementation Class",
"description" : "The class that contains the required scope implementation, must implement the <code>org.forgerock.oauth2.core.ScopeValidator</code> interface.",
"propertyOrder" : 70,
"required" : true,
"type" : "string"
},
"modifiedTimestampAttribute" : {
"title" : "Modified Timestamp Attribute Name",
"description" : "The identity Data Store attribute used to return modified timestamp values.",
"propertyOrder" : 340,
"required" : false,
"type" : "string"
},
"tokenSigningECDSAKeyAlias" : {
"title" : "Token Signing ECDSA Public/Private Key Pair Alias",
"description" : "The list of public/private key pairs used for the elliptic curve algorithms (ES256/ES384/ES512). Add an entry to specify an alias for a specific elliptic curve algorithm, for example <code>ES256|es256Alias</code>.<br><br>Each of the public/private key pairs will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 241,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"codeVerifierEnforced" : {
"title" : "Code Verifier Parameter Required",
"description" : "If enabled, requests using the authorization code grant must include a <code>code_challenge</code> parameter (PKCE), and the subsequent token request must present the matching <code>code_verifier</code>.<br><br>For more information, read the <a href=\"https://tools.ietf.org/html/draft-ietf-oauth-spop-12\">PKCE specification</a> (draft-ietf-oauth-spop, published as RFC 7636).",
"propertyOrder" : 270,
"required" : true,
"type" : "boolean"
},
"responseTypeClasses" : {
"title" : "Response Type Plugins",
"description" : "List of plugins that handle the valid <code>response_type</code> values.<br><br>OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (<code>/oauth2/authorize</code>) to indicate which grant type is requested from the provider. For example, the client passes <code>code</code> when requesting an authorization code, and <code>token</code> when requesting an access token.<p><p>Values in this list take the form <code>response-type|plugin-class-name</code>.",
"propertyOrder" : 90,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedScopes" : {
"title" : "Supported Scopes",
"description" : "The set of supported scopes, with translations.<br><br><p>Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.</p><p>For example: <code>read|en|Permission to view email messages in your account</code></p><p>Locale strings are in the format: <code>language_country_variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>.</p><p>If the locale and its pipe are omitted, the description is displayed to all users that have an undefined locale.</p><p>If the description is also omitted, nothing is displayed on the consent page for the scope. For example, specifying <code>read|</code> allows the client to use the scope <code>read</code> but does not display it to the user on the consent page when requested.</p>",
"propertyOrder" : 130,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedSubjectTypes" : {
"title" : "Subject Types supported",
"description" : "List of subject types supported. Valid values are:<ul><li><code>public</code> - Each client receives the same subject (<code>sub</code>) value.</li><li><code>pairwise</code> - Each client receives a different subject (<code>sub</code>) value, to prevent correlation between clients.</li></ul>",
"propertyOrder" : 150,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"tokenEncryptionEnabled" : {
"title" : "Enable Stateless Token Encryption",
"description" : "Whether stateless access and refresh tokens should be encrypted.<br><br>Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.",
"propertyOrder" : 242,
"required" : true,
"type" : "boolean"
},
"moduleMessageEnabledInPasswordGrant" : {
"title" : "Enable Auth Module Messages for Password Credentials Grant",
"description" : "If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.<br><br>The Password Grant Type requires the <code>grant_type=password</code> parameter.",
"propertyOrder" : 440,
"required" : true,
"type" : "boolean"
},
"tokenSigningAlgorithm" : {
"title" : "OAuth2 Token Signing Algorithm",
"description" : "Algorithm used to sign stateless OAuth 2.0 tokens in order to detect tampering.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 220,
"required" : true,
"type" : "string"
},
"tokenCompressionEnabled" : {
"title" : "Stateless Token Compression",
"description" : "Whether stateless access and refresh tokens should be compressed.",
"propertyOrder" : 223,
"required" : true,
"type" : "boolean"
},
"tokenSigningHmacSharedSecret" : {
"title" : "Token Signing HMAC Shared Secret",
"description" : "Base64-encoded key used by HS256, HS384 and HS512.",
"propertyOrder" : 230,
"required" : true,
"type" : "string",
"format" : "password"
},
"hashSalt" : {
"title" : "Subject Identifier Hash Salt",
"description" : "If <i>pairwise</i> subject types are supported, it is <em>STRONGLY RECOMMENDED</em> to change this value. It is used in the salting of hashes for returning specific <code>sub</code> claims to individuals using the same <code>request_uri</code> or <code>sector_identifier_uri</code>.",
"propertyOrder" : 260,
"required" : false,
"type" : "string",
"exampleValue" : "changeme"
},
"customLoginUrlTemplate" : {
"title" : "Custom Login URL Template",
"description" : "Custom URL for handling login, to override the default OpenAM login page.<br><br>Supports Freemarker syntax, with the following variables:<table><tr><th>Variable</th><th>Description</th></tr><tr><td><code>gotoUrl</code></td><td><p>The URL to redirect to after login.</p></td></tr><tr><td><code>acrValues</code></td><td><p>The Authentication Context Class Reference (acr) values for the authorization request.</p></td></tr><tr><td><code>realm</code></td><td><p>The OpenAM realm the authorization request was made on.</p></td></tr><tr><td><code>module</code></td><td><p>The name of the OpenAM authentication module requested to perform resource owner authentication.</p></td></tr><tr><td><code>service</code></td><td><p>The name of the OpenAM authentication chain requested to perform resource owner authentication.</p></td></tr><tr><td><code>locale</code></td><td><p>A space-separated list of locales, ordered by preference.</p></td></tr></table>The following example template redirects users to a non-OpenAM front end to handle login, which will then redirect back to the <code>/oauth2/authorize</code> endpoint with any required parameters:<p> <code>http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if></code><br><b>NOTE</b>: Default OpenAM login page is constructed using \"Base URL Source\" service.",
"propertyOrder" : 60,
"required" : false,
"type" : "string"
},
"tokenEncryptionKeyAlias" : {
"title" : "Token Encryption Secret Key Alias",
"description" : "The secret key used for encryption.<br><br>The secret key will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 243,
"required" : false,
"type" : "string"
},
"displayNameAttribute" : {
"title" : "User Display Name attribute",
"description" : "The profile attribute that contains the name to be displayed for the user on the consent page.",
"propertyOrder" : 120,
"required" : true,
"type" : "string"
},
"createdTimestampAttribute" : {
"title" : "Created Timestamp Attribute Name",
"description" : "The identity Data Store attribute used to return created timestamp values.",
"propertyOrder" : 350,
"required" : false,
"type" : "string"
},
"keypairName" : {
"title" : "Token Signing RSA Public/Private Key Pair",
"description" : "The public/private key pair used by RS256.<br><br>The public/private key pair will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 240,
"required" : true,
"type" : "string"
}
}
},
"coreOAuth2Config" : {
"type" : "object",
"title" : "Core",
"propertyOrder" : 0,
"properties" : {
"accessTokenLifetime" : {
"title" : "Access Token Lifetime (seconds)",
"description" : "The time an access token is valid for, in seconds.",
"propertyOrder" : 30,
"required" : true,
"type" : "integer"
},
"refreshTokenLifetime" : {
"title" : "Refresh Token Lifetime (seconds)",
"description" : "The time in seconds a refresh token is valid for. If this field is set to <code>-1</code>, the token will never expire.",
"propertyOrder" : 20,
"required" : true,
"type" : "integer"
},
"usePolicyEngineForScope" : {
"title" : "Use Policy Engine for Scope decisions",
"description" : "With this setting enabled, the policy engine is consulted for each scope value that is requested.<br><br>If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.",
"propertyOrder" : 55,
"required" : true,
"type" : "boolean"
},
"issueRefreshTokenOnRefreshedToken" : {
"title" : "Issue Refresh Tokens on Refreshing Access Tokens",
"description" : "Whether to issue a refresh token when refreshing an access token.",
"propertyOrder" : 50,
"required" : true,
"type" : "boolean"
},
"statelessTokensEnabled" : {
"title" : "Use Stateless Access & Refresh Tokens",
"description" : "When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.",
"propertyOrder" : 3,
"required" : true,
"type" : "boolean"
},
"issueRefreshToken" : {
"title" : "Issue Refresh Tokens",
"description" : "Whether to issue a refresh token when returning an access token.",
"propertyOrder" : 40,
"required" : true,
"type" : "boolean"
},
"codeLifetime" : {
"title" : "Authorization Code Lifetime (seconds)",
"description" : "The time an authorization code is valid for, in seconds.",
"propertyOrder" : 10,
"required" : true,
"type" : "integer"
}
}
},
"deviceCodeConfig" : {
"type" : "object",
"title" : "Device Flow",
"propertyOrder" : 5,
"properties" : {
"devicePollInterval" : {
"title" : "Device Polling Interval",
"description" : "The polling frequency for devices waiting for tokens when using the device code flow.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer"
},
"completionUrl" : {
"title" : "Device Completion URL",
"description" : "The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.",
"propertyOrder" : 380,
"required" : false,
"type" : "string"
},
"deviceCodeLifetime" : {
"title" : "Device Code Lifetime (seconds)",
"description" : "The lifetime of the device code, in seconds.",
"propertyOrder" : 390,
"required" : true,
"type" : "integer"
},
"verificationUrl" : {
"title" : "Verification URL",
"description" : "The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.",
"propertyOrder" : 370,
"required" : false,
"type" : "string"
}
}
},
"coreOIDCConfig" : {
"type" : "object",
"title" : "OpenID Connect",
"propertyOrder" : 3,
"properties" : {
"tokenEncryptionSigningKeyAlias" : {
"title" : "Token Encryption RSA Public/Private Key Pair Alias",
"description" : "The list of public/private key pairs used for the RSA algorithms (RSA1_5/RSA-OAEP/RSA-OAEP-256). Add an entry to specify an alias for a specific RSA algorithm, for example <code>RSA1_5|rsa1_5Alias</code>.<br><br>Each of the public/private key pairs will be retrieved from the keystore referenced by the property <code>com.sun.identity.saml.xmlsig.keystore</code>.",
"propertyOrder" : 441,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"jwtTokenLifetime" : {
"title" : "OpenID Connect JWT Token Lifetime (seconds)",
"description" : "The amount of time the JWT will be valid for, in seconds.",
"propertyOrder" : 210,
"required" : true,
"type" : "integer"
},
"supportedIDTokenEncryptionMethods" : {
"title" : "ID Token Encryption Methods supported",
"description" : "Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide their contents.<br><br>OpenAM supports the following ID token encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 180,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidcClaimsScript" : {
"title" : "OIDC Claims Script",
"description" : "The script that is run when issuing an ID token or making a request to the <i>userinfo</i> endpoint during OpenID requests.<p><p>The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.",
"propertyOrder" : 80,
"required" : true,
"type" : "string"
},
"supportedIDTokenSigningAlgorithms" : {
"title" : "ID Token Signing Algorithms supported",
"description" : "Algorithms supported to sign OpenID Connect <code>id_tokens</code>.<p><p>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 160,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedIDTokenEncryptionAlgorithms" : {
"title" : "ID Token Encryption Algorithms supported",
"description" : "Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide their contents.<br><br>OpenAM supports the following ID token encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding. Legacy; susceptible to padding-oracle attacks, so prefer the OAEP variants where clients support them.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
"propertyOrder" : 170,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedClaims" : {
"title" : "Supported Claims",
"description" : "Set of claims supported by the OpenID Connect <code>/oauth2/userinfo</code> endpoint, with translations.<br><br>Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.<p><p>For example: <code>name|en|Your full name.</code>.<p>Locale strings are in the format: <code>language + \"_\" + country + \"_\" + variant</code>, for example <code>en</code>, <code>en_GB</code>, or <code>en_US_WIN</code>. If the locale and its pipe are omitted, the description is displayed to all users that have undefined locales.<p><p>If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying <code>family_name|</code> would allow the claim <code>family_name</code> to be used by the client, but would not display it to the user on the consent page when requested.",
"propertyOrder" : 190,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"advancedOIDCConfig" : {
"type" : "object",
"title" : "Advanced OpenID Connect",
"propertyOrder" : 4,
"properties" : {
"authorisedOpenIdConnectSSOClients" : {
"title" : "Authorized OIDC SSO Clients",
"description" : "Clients authorized to use OpenID Connect ID tokens as SSO Tokens.<br><br>Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.",
"propertyOrder" : 446,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"jkwsURI" : {
"title" : "Remote JSON Web Key URL",
"description" : "The Remote URL where the provider's JSON Web Key can be retrieved.<p><p>If this setting is not configured, then OpenAM provides a local URL to access the public key of the private key used to sign ID tokens.",
"propertyOrder" : 140,
"required" : false,
"type" : "string"
},
"supportedRequestParameterEncryptionAlgorithms" : {
"title" : "Request Parameter Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to decrypt the Request parameter.<br><br>OpenAM supports the following Request parameter encryption algorithms:<ul><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li></ul>",
"propertyOrder" : 443,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"idTokenInfoClientAuthenticationEnabled" : {
"title" : "Idtokeninfo Endpoint Requires Client Authentication",
"description" : "When enabled, the <code>/oauth2/idtokeninfo</code> endpoint requires client authentication if the signing algorithm is set to <code>HS256</code>, <code>HS384</code>, or <code>HS512</code>.",
"propertyOrder" : 225,
"required" : true,
"type" : "boolean"
},
"supportedRequestParameterEncryptionEnc" : {
"title" : "Request Parameter Encryption Methods Supported",
"description" : "Encryption methods supported to decrypt the Request parameter.<br><br>OpenAM supports the following Request parameter encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 444,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"amrMappings" : {
"title" : "OpenID Connect id_token amr Values to Auth Module Mappings",
"description" : "Specify <code>amr</code> values to be returned in the OpenID Connect <code>id_token</code>. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the <code>amr</code> values. If you do not require <code>amr</code> values, or are not providing OpenID Connect tokens, leave this field blank.",
"propertyOrder" : 330,
"required" : false,
"type" : "object"
},
"loaMapping" : {
"title" : "OpenID Connect acr_values to Auth Chain Mapping",
"description" : "Maps OpenID Connect ACR values to authentication chains. For more details, see the <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\" target=\"_blank\">acr_values parameter</a> in the OpenID Connect authentication request specification.",
"propertyOrder" : 310,
"required" : false,
"type" : "object"
},
"storeOpsTokens" : {
"title" : "Store Ops Tokens",
"description" : "Whether OpenAM will store the <i>ops</i> tokens corresponding to OpenID Connect sessions in the CTS store. Note that session management related endpoints will not work when this setting is disabled.",
"propertyOrder" : 410,
"required" : true,
"type" : "boolean"
},
"alwaysAddClaimsToToken" : {
"title" : "Always Return Claims in ID Tokens",
"description" : "If enabled, include scope-derived claims in the <code>id_token</code>, even if an access token is also returned that could provide access to get the claims from the <code>userinfo</code> endpoint.<br><br>If not enabled, if an access token is requested the client must use it to access the <code>userinfo</code> endpoint for scope-derived claims, as they will not be included in the ID token.",
"propertyOrder" : 360,
"required" : true,
"type" : "boolean"
},
"defaultACR" : {
"title" : "Default ACR values",
"description" : "Default requested Authentication Context Class Reference values.<br><br>List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.",
"propertyOrder" : 320,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"requireRequestUriRegistration" : {
"title" : "Require Pre-registered request_uri Values",
"description" : "When enabled, any <code>request_uri</code> values used must be pre-registered using the <code>request_uris</code> registration parameter.",
"propertyOrder" : 445,
"required" : true,
"type" : "boolean"
},
"claimsParameterSupported" : {
"title" : "Enable \"claims_parameter_supported\"",
"description" : "If enabled, clients will be able to request individual claims using the <code>claims</code> request parameter, as per <a href=\"http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter\" target=\"_blank\">section 5.5 of the OpenID Connect specification</a>.",
"propertyOrder" : 250,
"required" : true,
"type" : "boolean"
},
"supportedRequestParameterSigningAlgorithms" : {
"title" : "Request Parameter Signing Algorithms Supported",
"description" : "Algorithms supported to verify the signature of the Request parameter.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 442,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"clientDynamicRegistrationConfig" : {
"type" : "object",
"title" : "Client Dynamic Registration",
"propertyOrder" : 2,
"properties" : {
"dynamicClientRegistrationScope" : {
"title" : "Scope to give access to dynamic client registration",
"description" : "Mandatory scope required when registering a new OAuth2 client.",
"propertyOrder" : 455,
"required" : true,
"type" : "string"
},
"requiredSoftwareStatementAttestedAttributes" : {
"title" : "Required Software Statement Attested Attributes",
"description" : "The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.<br><br>Leave blank to allow any attributes to be present.",
"propertyOrder" : 272,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"generateRegistrationAccessTokens" : {
"title" : "Generate Registration Access Tokens",
"description" : "Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the <a href=\"http://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint\" target=\"_blank\">Client Configuration Endpoint</a> as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.",
"propertyOrder" : 290,
"required" : true,
"type" : "boolean"
},
"allowDynamicRegistration" : {
"title" : "Allow Open Dynamic Client Registration",
"description" : "Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see <a href=\"http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration\" target=\"_blank\">Client Registration</a> in the OpenID Connect specification.",
"propertyOrder" : 280,
"required" : true,
"type" : "boolean"
},
"dynamicClientRegistrationSoftwareStatementRequired" : {
"title" : "Require Software Statement for Dynamic Client Registration",
"description" : "When enabled, a software statement JWT containing at least the <code>iss</code> (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.",
"propertyOrder" : 271,
"required" : true,
"type" : "boolean"
}
}
},
"consent" : {
"type" : "object",
"title" : "Consent",
"propertyOrder" : 6,
"properties" : {
"supportedRcsResponseEncryptionAlgorithms" : {
"title" : "Remote Consent Service Response Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
"propertyOrder" : 453,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"savedConsentAttribute" : {
"title" : "Saved Consent Attribute Name",
"description" : "Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions.<p><p>When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.",
"propertyOrder" : 110,
"required" : false,
"type" : "string"
},
"enableRemoteConsent" : {
"title" : "Enable Remote Consent",
"propertyOrder" : 447,
"required" : true,
"type" : "boolean"
},
"supportedRcsRequestEncryptionAlgorithms" : {
"title" : "Remote Consent Service Request Encryption Algorithms Supported",
"description" : "Encryption algorithms supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption algorithms:<ul><li><code>RSA1_5</code> - RSA with PKCS#1 v1.5 padding.</li><li><code>RSA-OAEP</code> - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.</li><li><code>RSA-OAEP-256</code> - RSA with OAEP with SHA-256 and MGF-1.</li><li><code>A128KW</code> - AES Key Wrapping with 128-bit key derived from the client secret.</li><li><code>A192KW</code> - AES Key Wrapping with 192-bit key derived from the client secret.</li><li><code>A256KW</code> - AES Key Wrapping with 256-bit key derived from the client secret.</li><li><code>dir</code> - Direct encryption with AES using the hashed client secret.</li></ul>",
"propertyOrder" : 450,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"remoteConsentServiceId" : {
"title" : "Remote Consent Service ID",
"description" : "The ID of an existing remote consent service agent.",
"propertyOrder" : 448,
"required" : false,
"type" : "string"
},
"supportedRcsResponseSigningAlgorithms" : {
"title" : "Remote Consent Service Response Signing Algorithms Supported",
"description" : "Algorithms supported to verify signed consent_response JWT from Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 452,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsRequestSigningAlgorithms" : {
"title" : "Remote Consent Service Request Signing Algorithms Supported",
"description" : "Algorithms supported to sign consent_request JWTs for Remote Consent Services.<br><br>OpenAM supports signing algorithms listed in JSON Web Algorithms (JWA): <a href=\"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms#section-3.1\">\"alg\" (Algorithm) Header Parameter Values for JWS</a>:<ul><li><code>HS256</code> - HMAC with SHA-256.</li><li><code>HS384</code> - HMAC with SHA-384.</li><li><code>HS512</code> - HMAC with SHA-512.</li><li><code>ES256</code> - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.</li><li><code>ES384</code> - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.</li><li><code>ES512</code> - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.</li><li><code>RS256</code> - RSASSA-PKCS-v1_5 using SHA-256.</li></ul>",
"propertyOrder" : 449,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"clientsCanSkipConsent" : {
"title" : "Allow Clients to Skip Consent",
"description" : "If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.",
"propertyOrder" : 420,
"required" : true,
"type" : "boolean"
},
"supportedRcsResponseEncryptionMethods" : {
"title" : "Remote Consent Service Response Encryption Methods Supported",
"description" : "Encryption methods supported to decrypt Remote Consent Service responses.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 454,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"supportedRcsRequestEncryptionMethods" : {
"title" : "Remote Consent Service Request Encryption Methods Supported",
"description" : "Encryption methods supported to encrypt Remote Consent Service requests.<br><br>OpenAM supports the following encryption methods:<ul><li><code>A128GCM</code>, <code>A192GCM</code>, and <code>A256GCM</code> - AES in Galois Counter Mode (GCM) authenticated encryption mode.</li><li><code>A128CBC-HS256</code>, <code>A192CBC-HS384</code>, and <code>A256CBC-HS512</code> - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.</li></ul>",
"propertyOrder" : 451,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
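The `supportedIDTokenSigningAlgorithms` list above is a server-side allow-list; a relying party needs the mirror image of it, because an `id_token` whose header says `alg: none` or names an algorithm the deployment never enabled must be rejected before its contents are trusted. The following is an added example written for this page, not OpenAM code: it verifies the HMAC family (`HS256`/`HS384`/`HS512`) with the standard library only, which is also why the `/oauth2/idtokeninfo` setting above ties those algorithms to client authentication (the verifier needs the client secret). `RS*`/`ES*` are allowed through the list but would need the provider's JWKS (`jkwsURI`) and an RSA/ECDSA library, so this example rejects them with a distinct reason rather than faking a verification. The secret, issuer URL, client id and all token contents are constructed.

```python
"""Added example, not OpenAM code: verify an OpenID Connect id_token against a
signing-algorithm allow-list like supportedIDTokenSigningAlgorithms. Only the
HMAC algorithms are verified here, with hmac from the standard library; RS*/ES*
would need the provider's JWKS (jkwsURI) and an RSA/ECDSA library, so they are
rejected with a distinct reason. Secret, issuer, client id and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time

HS_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs(claims: dict, alg: str, secret: bytes) -> str:
    """Build a compact JWS the way an OP issues an HS-signed id_token."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    mac = hmac.new(secret, signing_input.encode("ascii"), HS_DIGESTS[alg]).digest()
    return f"{signing_input}.{_b64url_encode(mac)}"


def verify_id_token(token, allowed_algs, client_secret, issuer, client_id, now=None):
    """Return the claims if the token is acceptable, else raise ValueError with the reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    # The allow-list comes from configuration; the token's own header never decides it.
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not in allow-list")
    if alg not in HS_DIGESTS:
        raise ValueError(f"alg {alg!r} is allowed but needs a JWKS-based verifier (not shown)")
    # HS* verification needs the client secret, which is why the idtokeninfo
    # endpoint requires client authentication for these algorithms.
    expected = hmac.new(client_secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        HS_DIGESTS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def demo():
    """Constructed scenario: one good token plus the rejections a verifier must produce."""
    secret = b"constructed-client-secret"
    issuer = "https://openam.example.com/openam/oauth2"   # assumed issuer URL
    client_id = "myClient"
    allowed = ["RS256", "HS256"]                           # as if read from the provider config
    now = 1_500_000_000
    claims = {"iss": issuer, "sub": "demo", "aud": client_id, "iat": now, "exp": now + 300}

    def outcome(token, secret=secret):
        try:
            return "ok:" + verify_id_token(token, allowed, secret, issuer, client_id, now)["sub"]
        except ValueError as exc:
            return "rejected: " + str(exc)

    good = sign_hs(claims, "HS256", secret)
    _, payload_b64, _ = good.split(".")
    unsigned = _b64url_encode(b'{"alg":"none"}') + "." + payload_b64 + "."
    rs_header = _b64url_encode(b'{"alg":"RS256"}') + "." + payload_b64 + "." + _b64url_encode(b"junk")
    expired = sign_hs(dict(claims, exp=now - 1), "HS256", secret)
    return {
        "valid": outcome(good),
        "alg_none": outcome(unsigned),
        "hs512_not_allowed": outcome(sign_hs(claims, "HS512", secret)),
        "wrong_secret": outcome(good, secret=b"some-other-secret"),
        "rs256_without_jwks": outcome(rs_header),
        "expired": outcome(expired),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The order of the checks matters: the algorithm is checked against configuration before any key is touched, so a header that names `none`, or an HMAC algorithm when only asymmetric ones were enabled, never reaches the signature step where key-confusion mistakes happen.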
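The `supportedClaims` entry format above (`name|en|Your full name.`, `family_name|`, a bare claim name) has three distinct cases, and a consent page that gets them wrong either leaks nothing or shows the wrong language. As an added example, not OpenAM code, the following parses those entries and picks the text to display for a user's locale. Falling back from `en_US_WIN` to `en_US`, then `en`, then the entry with no locale is this example's assumption about lookup order; the schema only says that the no-locale entry serves users with an undefined locale. The sample entries are constructed.

```python
"""Added example, not OpenAM code: parse supportedClaims entries such as
"name|en|Your full name.", "family_name|" and "email", and choose the consent
page text for a user's locale. The locale fallback order is this example's
assumption; the sample entries are constructed."""


def parse_claim_entry(entry: str):
    """Return (claim, locale, description); locale and description are None when absent."""
    parts = entry.split("|")
    if len(parts) == 1:                 # "email": claim only, nothing to show on consent
        return parts[0], None, None
    if len(parts) == 2:                 # "name|Full name" or "family_name|" (hidden on consent)
        claim, description = parts
        return claim, None, description or None
    if len(parts) == 3:                 # "name|en|Your full name."
        claim, locale, description = parts
        return claim, locale or None, description or None
    raise ValueError(f"too many '|' separated fields in {entry!r}")


def build_claim_table(entries):
    """claim -> {locale_or_None: description_or_None}; one description per claim and locale."""
    table = {}
    for entry in entries:
        claim, locale, description = parse_claim_entry(entry)
        if not claim:
            raise ValueError(f"empty claim name in {entry!r}")
        table.setdefault(claim, {})[locale] = description
    return table


def locale_chain(user_locale):
    """'en_US_WIN' -> ['en_US_WIN', 'en_US', 'en', None]; None stands for the no-locale entry."""
    parts = user_locale.split("_") if user_locale else []
    chain = ["_".join(parts[:i]) for i in range(len(parts), 0, -1)]
    return chain + [None]


def consent_text(table, claim, user_locale):
    """Text to show for a claim on the consent page, or None if it must stay hidden.
    KeyError means the client asked for a claim the provider does not support at all."""
    if claim not in table:
        raise KeyError(f"claim {claim!r} is not in supportedClaims")
    texts = table[claim]
    for locale in locale_chain(user_locale):
        if locale in texts:
            return texts[locale]
    return None


# Constructed sample configuration, not taken from any real deployment.
SAMPLE_ENTRIES = [
    "name|en|Your full name.",
    "name|fr|Votre nom complet.",
    "name|Full name",          # shown to users whose locale has no better match
    "family_name|",            # usable by clients, but never shown on the consent page
    "email",
]
SAMPLE_TABLE = build_claim_table(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for claim, loc in [("name", "en_GB"), ("name", "fr_FR"), ("name", "de"),
                       ("family_name", "en"), ("email", None)]:
        print(claim, loc, "->", consent_text(SAMPLE_TABLE, claim, loc))
```

Note the difference between `email` and `family_name|`: both are released to the client when requested, and neither is shown to the user. Only a claim with a description is visible on the consent page, so a provider that wants users to see what they are sharing must give every released claim at least a no-locale description.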
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/policyconfiguration
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"bindDn" : {
"title" : "LDAP Bind DN",
"description" : "Bind DN to connect to the directory server for policy information.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"bindPassword" : {
"title" : "LDAP Bind Password",
"description" : "Bind password to connect to the directory server for policy information.",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"format" : "password"
},
"ldapServer" : {
"title" : "Primary LDAP Server",
"description" : "Configuration directory server host:port that OpenAM searches for policy information.<p><p>Format: <code>local OpenAM server name | hostname:port</code><p><p>Multiple entries must be prefixed by local server name. Make sure to place the multiple entries on a single line and separate the hostname:port URLs with a space. <p><p>For example, openam.example.com|opendj.example.com:1389 opendj.example.com:2389",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"usersSearchAttribute" : {
"title" : "LDAP Users Search Attribute",
"description" : "Naming attribute for user entries.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"usersSearchScope" : {
"title" : "LDAP Users Search Scope",
"description" : "Search scope to find user entries.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"searchTimeout" : {
"title" : "Search Timeout",
"description" : "Time after which OpenAM returns an error for an incomplete search, in seconds.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"policyHeartbeatTimeUnit" : {
"title" : "Heartbeat Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1850,
"required" : true,
"type" : "string"
},
"connectionPoolMinimumSize" : {
"title" : "LDAP Connection Pool Minimum Size",
"description" : "Minimum number of connections in the pool.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"usersBaseDn" : {
"title" : "LDAP Users Base DN",
"description" : "Base DN for LDAP Users subject searches.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"userAliasEnabled" : {
"title" : "User Alias",
"description" : "If enabled, OpenAM can evaluate policy for remote users aliased to local users.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"maximumSearchResults" : {
"title" : "Maximum Results Returned from Search",
"description" : "Search limit for LDAP searches.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
},
"policyHeartbeatInterval" : {
"title" : "Heartbeat Interval",
"description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1840,
"required" : true,
"type" : "integer"
},
"sslEnabled" : {
"title" : "LDAP SSL/TLS",
"description" : "If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"realmSearchFilter" : {
"title" : "LDAP Organization Search Filter",
"description" : "Search filter to match organization entries.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"subjectsResultTTL" : {
"title" : "Subjects Result Time to Live",
"description" : "Maximum time that OpenAM caches a subject result for evaluating policy requests, in minutes. A value of <code>0</code> prevents OpenAM from caching subject evaluations for policy decisions.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"connectionPoolMaximumSize" : {
"title" : "LDAP Connection Pool Maximum Size",
"description" : "Maximum number of connections in the pool.",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"usersSearchFilter" : {
"title" : "LDAP Users Search Filter",
"description" : "Search filter to match user entries.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
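Two of the fields above deserve more than a glance when a `policyconfiguration` document is created or reviewed: `ldapServer`, whose `local OpenAM server name|hostname:port hostname:port` form decides which directory each OpenAM instance actually talks to, and the bind credentials, which travel in cleartext LDAP unless `sslEnabled` is true. The following is an added example written for this page, not OpenAM code. `servers_for()` selects the directory servers for one OpenAM instance from the documented entry format, and `audit_policy_config()` lists the settings a reviewer would question. Treating an entry with no `server|` prefix as applying to every server, the port range check and the audit thresholds are this example's assumptions; the sample configuration is constructed.

```python
"""Added example, not OpenAM code: select directory servers from ldapServer
entries in the "local OpenAM server name|hostname:port hostname:port" form and
flag questionable policyconfiguration settings. The prefix-less-entry rule, the
port check and the audit thresholds are assumptions; the sample config is constructed."""


def parse_hostport(token: str):
    """'opendj.example.com:1389' -> ('opendj.example.com', 1389); reject anything else."""
    host, sep, port = token.rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad hostname:port {token!r}")
    return host, int(port)


def servers_for(ldap_server_entries, local_server: str):
    """Return [(host, port), ...] that local_server should use, in configured order."""
    selected = []
    for entry in ldap_server_entries:
        prefix, sep, hosts = entry.partition("|")
        if sep and prefix.strip() != local_server:
            continue                      # entry belongs to another OpenAM server
        # Assumption: an entry without "server|" applies to every OpenAM server.
        for token in (hosts if sep else prefix).split():
            selected.append(parse_hostport(token))
    if not selected:
        raise ValueError(f"no directory server configured for {local_server!r}")
    return selected


def audit_policy_config(config: dict):
    """Findings a security reviewer would raise about a policyconfiguration document."""
    findings = []
    if not config.get("sslEnabled"):
        findings.append("sslEnabled is false: bind DN and password are sent over cleartext LDAP")
    if config.get("bindDn", "").strip().lower() == "cn=directory manager":
        findings.append("bindDn is the directory root account; bind as a least-privilege policy reader")
    if config.get("subjectsResultTTL", 0) > 10:   # assumed threshold, in minutes
        findings.append("subjectsResultTTL above 10 minutes delays revoked group memberships")
    if config.get("usersSearchFilter", "").replace(" ", "").lower() in ("", "(objectclass=*)"):
        findings.append("usersSearchFilter matches every entry; restrict it to user object classes")
    if config.get("connectionPoolMaximumSize", 0) < config.get("connectionPoolMinimumSize", 0):
        findings.append("connectionPoolMaximumSize is below connectionPoolMinimumSize")
    return findings


# Constructed sample, not taken from any real deployment.
SAMPLE_CONFIG = {
    "ldapServer": [
        "openam.example.com|opendj.example.com:1389 opendj.example.com:2389",
        "openam2.example.com|opendj2.example.com:1389",
    ],
    "bindDn": "cn=Directory Manager",
    "bindPassword": "constructed-not-real",
    "sslEnabled": False,
    "usersBaseDn": "ou=people,dc=example,dc=com",
    "usersSearchFilter": "(objectclass=inetorgperson)",
    "subjectsResultTTL": 10,
    "connectionPoolMinimumSize": 1,
    "connectionPoolMaximumSize": 10,
}

HARDENED_CONFIG = dict(SAMPLE_CONFIG, sslEnabled=True,
                       bindDn="cn=policy-reader,ou=services,dc=example,dc=com")

if __name__ == "__main__":
    print(servers_for(SAMPLE_CONFIG["ldapServer"], "openam.example.com"))
    for finding in audit_policy_config(SAMPLE_CONFIG):
        print("-", finding)
    print("hardened findings:", audit_policy_config(HARDENED_CONFIG))
```

Because the Read operation below returns the same schema, including `bindPassword`, the account used to read this endpoint can recover the directory bind credential; restrict that REST access as tightly as the directory account itself.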
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"bindDn" : {
"title" : "LDAP Bind DN",
"description" : "Bind DN to connect to the directory server for policy information.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"bindPassword" : {
"title" : "LDAP Bind Password",
"description" : "Bind password to connect to the directory server for policy information.",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"format" : "password"
},
"ldapServer" : {
"title" : "Primary LDAP Server",
"description" : "Configuration directory server host:port that OpenAM searches for policy information.<p><p>Format: <code>local OpenAM server name | hostname:port</code><p><p>Multiple entries must be prefixed by local server name. Make sure to place the multiple entries on a single line and separate the hostname:port URLs with a space. <p><p>For example, openam.example.com|opendj.example.com:1389 opendj.example.com:2389",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"usersSearchAttribute" : {
"title" : "LDAP Users Search Attribute",
"description" : "Naming attribute for user entries.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"usersSearchScope" : {
"title" : "LDAP Users Search Scope",
"description" : "Search scope to find user entries.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"searchTimeout" : {
"title" : "Search Timeout",
"description" : "Time after which OpenAM returns an error for an incomplete search, in seconds.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"policyHeartbeatTimeUnit" : {
"title" : "Heartbeat Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1850,
"required" : true,
"type" : "string"
},
"connectionPoolMinimumSize" : {
"title" : "LDAP Connection Pool Minimum Size",
"description" : "Minimum number of connections in the pool.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"usersBaseDn" : {
"title" : "LDAP Users Base DN",
"description" : "Base DN for LDAP Users subject searches.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"userAliasEnabled" : {
"title" : "User Alias",
"description" : "If enabled, OpenAM can evaluate policy for remote users aliased to local users.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"maximumSearchResults" : {
"title" : "Maximum Results Returned from Search",
"description" : "Search limit for LDAP searches.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
},
"policyHeartbeatInterval" : {
"title" : "Heartbeat Interval",
"description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1840,
"required" : true,
"type" : "integer"
},
"sslEnabled" : {
"title" : "LDAP SSL/TLS",
"description" : "If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"realmSearchFilter" : {
"title" : "LDAP Organization Search Filter",
"description" : "Search filter to match organization entries.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"subjectsResultTTL" : {
"title" : "Subjects Result Time to Live",
"description" : "Maximum time that OpenAM caches a subject result for evaluating policy requests, in minutes. A value of <code>0</code> prevents OpenAM from caching subject evaluations for policy decisions.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"connectionPoolMaximumSize" : {
"title" : "LDAP Connection Pool Maximum Size",
"description" : "Maximum number of connections in the pool.",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"usersSearchFilter" : {
"title" : "LDAP Users Search Filter",
"description" : "Search filter to match user entries.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"bindDn" : {
"title" : "LDAP Bind DN",
"description" : "Bind DN to connect to the directory server for policy information.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"bindPassword" : {
"title" : "LDAP Bind Password",
"description" : "Bind password to connect to the directory server for policy information.",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"format" : "password"
},
"ldapServer" : {
"title" : "Primary LDAP Server",
"description" : "Configuration directory server host:port that OpenAM searches for policy information.<p><p>Format: <code>local OpenAM server name | hostname:port</code><p><p>Multiple entries must be prefixed by local server name. Make sure to place the multiple entries on a single line and separate the hostname:port URLs with a space. <p><p>For example, openam.example.com|opendj.example.com:1389 opendj.example.com:2389",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"usersSearchAttribute" : {
"title" : "LDAP Users Search Attribute",
"description" : "Naming attribute for user entries.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"usersSearchScope" : {
"title" : "LDAP Users Search Scope",
"description" : "Search scope to find user entries.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"searchTimeout" : {
"title" : "Search Timeout",
"description" : "Time after which OpenAM returns an error for an incomplete search, in seconds.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"policyHeartbeatTimeUnit" : {
"title" : "Heartbeat Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1850,
"required" : true,
"type" : "string"
},
"connectionPoolMinimumSize" : {
"title" : "LDAP Connection Pool Minimum Size",
"description" : "Minimum number of connections in the pool.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"usersBaseDn" : {
"title" : "LDAP Users Base DN",
"description" : "Base DN for LDAP Users subject searches.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"userAliasEnabled" : {
"title" : "User Alias",
"description" : "If enabled, OpenAM can evaluate policy for remote users aliased to local users.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"maximumSearchResults" : {
"title" : "Maximum Results Returned from Search",
"description" : "Search limit for LDAP searches.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
},
"policyHeartbeatInterval" : {
"title" : "Heartbeat Interval",
"description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1840,
"required" : true,
"type" : "integer"
},
"sslEnabled" : {
"title" : "LDAP SSL/TLS",
"description" : "If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"realmSearchFilter" : {
"title" : "LDAP Organization Search Filter",
"description" : "Search filter to match organization entries.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"subjectsResultTTL" : {
"title" : "Subjects Result Time to Live",
"description" : "Maximum time that OpenAM caches a subject result for evaluating policy requests, in minutes. A value of <code>0</code> prevents OpenAM from caching subject evaluations for policy decisions.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"connectionPoolMaximumSize" : {
"title" : "LDAP Connection Pool Maximum Size",
"description" : "Maximum number of connections in the pool.",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"usersSearchFilter" : {
"title" : "LDAP Users Search Filter",
"description" : "Search filter to match user entries.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"bindDn" : {
"title" : "LDAP Bind DN",
"description" : "Bind DN to connect to the directory server for policy information.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"bindPassword" : {
"title" : "LDAP Bind Password",
"description" : "Bind password to connect to the directory server for policy information.",
"propertyOrder" : 800,
"required" : true,
"type" : "string",
"format" : "password"
},
"ldapServer" : {
"title" : "Primary LDAP Server",
"description" : "Configuration directory server host:port that OpenAM searches for policy information.<p><p>Format: <code>local OpenAM server name | hostname:port</code><p><p>Multiple entries must be prefixed by local server name. Make sure to place the multiple entries on a single line and separate the hostname:port URLs with a space. <p><p>For example, openam.example.com|opendj.example.com:1389 opendj.example.com:2389",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"usersSearchAttribute" : {
"title" : "LDAP Users Search Attribute",
"description" : "Naming attribute for user entries.",
"propertyOrder" : 1300,
"required" : true,
"type" : "string"
},
"usersSearchScope" : {
"title" : "LDAP Users Search Scope",
"description" : "Search scope to find user entries.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"searchTimeout" : {
"title" : "Search Timeout",
"description" : "Time after which OpenAM returns an error for an incomplete search, in seconds.",
"propertyOrder" : 1500,
"required" : true,
"type" : "integer"
},
"policyHeartbeatTimeUnit" : {
"title" : "Heartbeat Unit",
"description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1850,
"required" : true,
"type" : "string"
},
"connectionPoolMinimumSize" : {
"title" : "LDAP Connection Pool Minimum Size",
"description" : "Minimum number of connections in the pool.",
"propertyOrder" : 1700,
"required" : true,
"type" : "integer"
},
"usersBaseDn" : {
"title" : "LDAP Users Base DN",
"description" : "Base DN for LDAP Users subject searches.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"userAliasEnabled" : {
"title" : "User Alias",
"description" : "If enabled, OpenAM can evaluate policy for remote users aliased to local users.",
"propertyOrder" : 2000,
"required" : true,
"type" : "boolean"
},
"maximumSearchResults" : {
"title" : "Maximum Results Returned from Search",
"description" : "Search limit for LDAP searches.",
"propertyOrder" : 1400,
"required" : true,
"type" : "integer"
},
"policyHeartbeatInterval" : {
"title" : "Heartbeat Interval",
"description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
"propertyOrder" : 1840,
"required" : true,
"type" : "integer"
},
"sslEnabled" : {
"title" : "LDAP SSL/TLS",
"description" : "If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.",
"propertyOrder" : 1600,
"required" : true,
"type" : "boolean"
},
"realmSearchFilter" : {
"title" : "LDAP Organization Search Filter",
"description" : "Search filter to match organization entries.",
"propertyOrder" : 900,
"required" : true,
"type" : "string"
},
"subjectsResultTTL" : {
"title" : "Subjects Result Time to Live",
"description" : "Maximum time that OpenAM caches a subject result for evaluating policy requests, in minutes. A value of <code>0</code> prevents OpenAM from caching subject evaluations for policy decisions.",
"propertyOrder" : 1900,
"required" : true,
"type" : "integer"
},
"connectionPoolMaximumSize" : {
"title" : "LDAP Connection Pool Maximum Size",
"description" : "Maximum number of connections in the pool.",
"propertyOrder" : 1800,
"required" : true,
"type" : "integer"
},
"usersSearchFilter" : {
"title" : "LDAP Users Search Filter",
"description" : "Search filter to match user entries.",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/pushNotification
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accessKey" : {
"title" : "SNS Access Key ID",
"description" : "Amazon Simple Notification Service Access Key ID. For more information, see <a href=\"https://aws.amazon.com/developers/access-keys/\">https://aws.amazon.com/developers/access-keys/</a>.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "AKIAIOSFODNN7EXAMPLE"
},
"mdConcurrency" : {
"title" : "Response Cache Concurrency",
"description" : "Level of concurrency to use when accessing the message dispatcher cache. Defaults to <code>16</code>, and must be greater than <code>0</code>. Choose a value to accommodate as many threads as will ever concurrently access the message dispatcher cache.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"region" : {
"title" : "SNS Client Region",
"description" : "Region of your registered Amazon Simple Notification Service client. For more information, see <a href=\"https://docs.aws.amazon.com/general/latest/gr/rande.html\">https://docs.aws.amazon.com/general/latest/gr/rande.html</a>.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"mdDuration" : {
"title" : "Response Cache Duration",
"description" : "The minimum lifetime to keep unanswered message records in the message dispatcher cache, in seconds. To keep unanswered message records indefinitely, set this property to <code>0</code>. Should be tuned so that it is applicable to the use case of this service. For example, the ForgeRock Authenticator (Push) authentication module has a default timeout of 120 seconds.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"googleEndpoint" : {
"title" : "SNS Endpoint for GCM",
"description" : "The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages over Google Cloud Messaging (GCM).",
"propertyOrder" : 400,
"required" : true,
"type" : "string",
"exampleValue" : "arn:aws:sns:us-east-1:1234567890:app/GCM/production"
},
"mdCacheSize" : {
"title" : "Response Cache Size",
"description" : "Maximum size of the message dispatcher cache, in number of records. If set to <code>0</code> the cache can grow indefinitely. If the number of records that need to be stored exceeds this maximum, then older items in the cache will be removed to make space.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"delegateFactory" : {
"title" : "Message Transport Delegate Factory",
"description" : "The fully qualified class name of the factory responsible for creating the PushNotificationDelegate. The class must implement <code>org.forgerock.openam.services.push.PushNotificationDelegate</code>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"appleEndpoint" : {
"title" : "SNS Endpoint for APNS",
"description" : "The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages to the Apple Push Notification Service (APNS).",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"exampleValue" : "arn:aws:sns:us-east-1:1234567890:app/APNS/production"
},
"secret" : {
"title" : "SNS Access Key Secret",
"description" : "Amazon Simple Notification Service Access Key Secret. For more information, see <a href=\"https://aws.amazon.com/developers/access-keys/\">https://aws.amazon.com/developers/access-keys/</a>.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accessKey" : {
"title" : "SNS Access Key ID",
"description" : "Amazon Simple Notification Service Access Key ID. For more information, see <a href=\"https://aws.amazon.com/developers/access-keys/\">https://aws.amazon.com/developers/access-keys/</a>.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "AKIAIOSFODNN7EXAMPLE"
},
"mdConcurrency" : {
"title" : "Response Cache Concurrency",
"description" : "Level of concurrency to use when accessing the message dispatcher cache. Defaults to <code>16</code>, and must be greater than <code>0</code>. Choose a value to accommodate as many threads as will ever concurrently access the message dispatcher cache.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"region" : {
"title" : "SNS Client Region",
"description" : "Region of your registered Amazon Simple Notification Service client. For more information, see <a href=\"https://docs.aws.amazon.com/general/latest/gr/rande.html\">https://docs.aws.amazon.com/general/latest/gr/rande.html</a>.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"mdDuration" : {
"title" : "Response Cache Duration",
"description" : "The minimum lifetime to keep unanswered message records in the message dispatcher cache, in seconds. To keep unanswered message records indefinitely, set this property to <code>0</code>. Should be tuned so that it is applicable to the use case of this service. For example, the ForgeRock Authenticator (Push) authentication module has a default timeout of 120 seconds.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"googleEndpoint" : {
"title" : "SNS Endpoint for GCM",
"description" : "The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages over Google Cloud Messaging (GCM).",
"propertyOrder" : 400,
"required" : true,
"type" : "string",
"exampleValue" : "arn:aws:sns:us-east-1:1234567890:app/GCM/production"
},
"mdCacheSize" : {
"title" : "Response Cache Size",
"description" : "Maximum size of the message dispatcher cache, in number of records. If set to <code>0</code> the cache can grow indefinitely. If the number of records that need to be stored exceeds this maximum, then older items in the cache will be removed to make space.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"delegateFactory" : {
"title" : "Message Transport Delegate Factory",
"description" : "The fully qualified class name of the factory responsible for creating the PushNotificationDelegate. The class must implement <code>org.forgerock.openam.services.push.PushNotificationDelegate</code>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"appleEndpoint" : {
"title" : "SNS Endpoint for APNS",
"description" : "The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages to the Apple Push Notification Service (APNS).",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"exampleValue" : "arn:aws:sns:us-east-1:1234567890:app/APNS/production"
},
"secret" : {
"title" : "SNS Access Key Secret",
"description" : "Amazon Simple Notification Service Access Key Secret. For more information, see <a href=\"https://aws.amazon.com/developers/access-keys/\">https://aws.amazon.com/developers/access-keys/</a>.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accessKey" : {
"title" : "SNS Access Key ID",
"description" : "Amazon Simple Notification Service Access Key ID. For more information, see <a href=\"https://aws.amazon.com/developers/access-keys/\">https://aws.amazon.com/developers/access-keys/</a>.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "AKIAIOSFODNN7EXAMPLE"
},
"mdConcurrency" : {
"title" : "Response Cache Concurrency",
"description" : "Level of concurrency to use when accessing the message dispatcher cache. Defaults to <code>16</code>, and must be greater than <code>0</code>. Choose a value to accommodate as many threads as will ever concurrently access the message dispatcher cache.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"region" : {
"title" : "SNS Client Region",
"description" : "Region of your registered Amazon Simple Notification Service client. For more information, see <a href=\"https://docs.aws.amazon.com/general/latest/gr/rande.html\">https://docs.aws.amazon.com/general/latest/gr/rande.html</a>.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"mdDuration" : {
"title" : "Response Cache Duration",
"description" : "The minimum lifetime to keep unanswered message records in the message dispatcher cache, in seconds. To keep unanswered message records indefinitely, set this property to <code>0</code>. Should be tuned so that it is applicable to the use case of this service. For example, the ForgeRock Authenticator (Push) authentication module has a default timeout of 120 seconds.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"googleEndpoint" : {
"title" : "SNS Endpoint for GCM",
"description" : "The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages over Google Cloud Messaging (GCM).",
"propertyOrder" : 400,
"required" : true,
"type" : "string",
"exampleValue" : "arn:aws:sns:us-east-1:1234567890:app/GCM/production"
},
"mdCacheSize" : {
"title" : "Response Cache Size",
"description" : "Maximum size of the message dispatcher cache, in number of records. If set to <code>0</code> the cache can grow indefinitely. If the number of records that need to be stored exceeds this maximum, then older items in the cache will be removed to make space.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"delegateFactory" : {
"title" : "Message Transport Delegate Factory",
"description" : "The fully qualified class name of the factory responsible for creating the PushNotificationDelegate. The class must implement <code>org.forgerock.openam.services.push.PushNotificationDelegate</code>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"appleEndpoint" : {
"title" : "SNS Endpoint for APNS",
"description" : "The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages to the Apple Push Notification Service (APNS).",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"exampleValue" : "arn:aws:sns:us-east-1:1234567890:app/APNS/production"
},
"secret" : {
"title" : "SNS Access Key Secret",
"description" : "Amazon Simple Notification Service Access Key Secret. For more information, see <a href=\"https://aws.amazon.com/developers/access-keys/\">https://aws.amazon.com/developers/access-keys/</a>.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"accessKey" : {
"title" : "SNS Access Key ID",
"description" : "Amazon Simple Notification Service Access Key ID. For more information, see <a href=\"https://aws.amazon.com/developers/access-keys/\">https://aws.amazon.com/developers/access-keys/</a>.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : "AKIAIOSFODNN7EXAMPLE"
},
"mdConcurrency" : {
"title" : "Response Cache Concurrency",
"description" : "Level of concurrency to use when accessing the message dispatcher cache. Defaults to <code>16</code>, and must be greater than <code>0</code>. Choose a value to accommodate as many threads as will ever concurrently access the message dispatcher cache.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"region" : {
"title" : "SNS Client Region",
"description" : "Region of your registered Amazon Simple Notification Service client. For more information, see <a href=\"https://docs.aws.amazon.com/general/latest/gr/rande.html\">https://docs.aws.amazon.com/general/latest/gr/rande.html</a>.",
"propertyOrder" : 500,
"required" : true,
"type" : "string"
},
"mdDuration" : {
"title" : "Response Cache Duration",
"description" : "The minimum lifetime to keep unanswered message records in the message dispatcher cache, in seconds. To keep unanswered message records indefinitely, set this property to <code>0</code>. Should be tuned so that it is applicable to the use case of this service. For example, the ForgeRock Authenticator (Push) authentication module has a default timeout of 120 seconds.",
"propertyOrder" : 700,
"required" : true,
"type" : "integer"
},
"googleEndpoint" : {
"title" : "SNS Endpoint for GCM",
"description" : "The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages over Google Cloud Messaging (GCM).",
"propertyOrder" : 400,
"required" : true,
"type" : "string",
"exampleValue" : "arn:aws:sns:us-east-1:1234567890:app/GCM/production"
},
"mdCacheSize" : {
"title" : "Response Cache Size",
"description" : "Maximum size of the message dispatcher cache, in number of records. If set to <code>0</code> the cache can grow indefinitely. If the number of records that need to be stored exceeds this maximum, then older items in the cache will be removed to make space.",
"propertyOrder" : 900,
"required" : true,
"type" : "integer"
},
"delegateFactory" : {
"title" : "Message Transport Delegate Factory",
"description" : "The fully qualified class name of the factory responsible for creating the PushNotificationDelegate. The class must implement <code>org.forgerock.openam.services.push.PushNotificationDelegate</code>.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"appleEndpoint" : {
"title" : "SNS Endpoint for APNS",
"description" : "The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages to the Apple Push Notification Service (APNS).",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"exampleValue" : "arn:aws:sns:us-east-1:1234567890:app/APNS/production"
},
"secret" : {
"title" : "SNS Access Key Secret",
"description" : "Amazon Simple Notification Service Access Key Secret. For more information, see <a href=\"https://aws.amazon.com/developers/access-keys/\">https://aws.amazon.com/developers/access-keys/</a>.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/saml2
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"metadataSigningKeyPass" : {
"title" : "Metadata signing key password",
"description" : "Specify the password used to retrieve the signing key from the keystore.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"format" : "password"
},
"metadataSigningKey" : {
"title" : "Metadata signing key alias",
"description" : "Specify the private key alias to be used to sign the given entity's metadata when requesting signed metadata, either by using exportmetadata.jsp or the <code>ssoadm</code> command.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"metadataSigningKeyPass" : {
"title" : "Metadata signing key password",
"description" : "Specify the password used to retrieve the signing key from the keystore.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"format" : "password"
},
"metadataSigningKey" : {
"title" : "Metadata signing key alias",
"description" : "Specify the private key alias to be used to sign the given entity's metadata when requesting signed metadata, either by using exportmetadata.jsp or the <code>ssoadm</code> command.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"metadataSigningKeyPass" : {
"title" : "Metadata signing key password",
"description" : "Specify the password used to retrieve the signing key from the keystore.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"format" : "password"
},
"metadataSigningKey" : {
"title" : "Metadata signing key alias",
"description" : "Specify the private key alias to be used to sign the given entity's metadata when requesting signed metadata, either by using exportmetadata.jsp or the <code>ssoadm</code> command.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"metadataSigningKeyPass" : {
"title" : "Metadata signing key password",
"description" : "Specify the password used to retrieve the signing key from the keystore.",
"propertyOrder" : 1500,
"required" : true,
"type" : "string",
"format" : "password"
},
"metadataSigningKey" : {
"title" : "Metadata signing key alias",
"description" : "Specify the private key alias to be used to sign the given entity's metadata when requesting signed metadata, either by using exportmetadata.jsp or the <code>ssoadm</code> command.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/scripts
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION (Policy Condition); AUTHENTICATION_SERVER_SIDE (Server-side Authentication); AUTHENTICATION_CLIENT_SIDE (Client-side Authentication; note that client-side scripts must be written in JavaScript); OIDC_CLAIMS (OIDC Claims)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"creationDate" : {
"title" : "Creation date",
"description" : "A string containing the creation date and time, in ISO 8601 format",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION (Policy Condition); AUTHENTICATION_SERVER_SIDE (Server-side Authentication); AUTHENTICATION_CLIENT_SIDE (Client-side Authentication; client-side scripts must be written in JavaScript); OIDC_CLAIMS (OIDC Claims)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
/realm-config/services/scripts/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the script (the `{id}` path segment) | ✓ | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"creationDate" : {
"title" : "Creation date",
"description" : "A string containing the creation date and time, in ISO 8601 format",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION (Policy Condition); AUTHENTICATION_SERVER_SIDE (Server-side Authentication); AUTHENTICATION_CLIENT_SIDE (Client-side Authentication; client-side scripts must be written in JavaScript); OIDC_CLAIMS (OIDC Claims)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
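The script schema above is shared by the create, read, update and delete operations of /realm-config/services/scripts/{id}. As an added example that is not part of the OpenAM API descriptor or the product, the Python below builds a request body that satisfies the constraints the schema states (listed language and context values, JavaScript for client-side authentication, Base64 over UTF-8 for the source) and summarizes a returned resource by decoding the source and comparing the server-managed audit fields. The script name, source, DNs and timestamps are made up; the HTTP call itself (for instance with `requests` and a session token) is left out.

```python
import base64
import json

# Allowed values, taken from the script schema on this page.
LANGUAGES = {"JAVASCRIPT", "GROOVY"}
CONTEXTS = {
    "POLICY_CONDITION",
    "AUTHENTICATION_SERVER_SIDE",
    "AUTHENTICATION_CLIENT_SIDE",
    "OIDC_CLAIMS",
}
# Audit fields the server fills in; a client should not send them.
SERVER_MANAGED = ("creationDate", "lastModifiedDate", "createdBy", "lastModifiedBy")


def encode_script(source: str) -> str:
    """Encode source the way the 'script' property expects: UTF-8, then Base64."""
    return base64.b64encode(source.encode("utf-8")).decode("ascii")


def decode_script(encoded: str) -> str:
    """Inverse of encode_script; validate=True rejects malformed Base64 instead of guessing."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def build_script_request(name, context, language, source, description=""):
    """Build the JSON body for creating or updating a script.

    Enforces what the schema states: language and context must be listed
    values, and AUTHENTICATION_CLIENT_SIDE scripts must be JavaScript.
    """
    if language not in LANGUAGES:
        raise ValueError(f"unsupported language {language!r}")
    if context not in CONTEXTS:
        raise ValueError(f"unsupported context {context!r}")
    if context == "AUTHENTICATION_CLIENT_SIDE" and language != "JAVASCRIPT":
        raise ValueError("client-side authentication scripts must be JavaScript")
    return {
        "name": name,
        "description": description,
        "context": context,
        "language": language,
        "script": encode_script(source),
    }


def summarize_script_resource(resource: dict) -> dict:
    """Decode a script resource returned by Read/Query and flag later edits.

    Per the schema, an unmodified script has lastModifiedDate == creationDate
    and lastModifiedBy == createdBy, so any difference means someone changed
    executable policy or authentication logic after it was created.
    """
    missing = [f for f in ("script", *SERVER_MANAGED) if f not in resource]
    if missing:
        raise ValueError(f"resource is missing fields: {missing}")
    modified = (resource["lastModifiedDate"] != resource["creationDate"]
                or resource["lastModifiedBy"] != resource["createdBy"])
    return {
        "name": resource.get("name"),
        "context": resource.get("context"),
        "language": resource.get("language"),
        "modified_since_creation": modified,
        "last_modified_by": resource["lastModifiedBy"],
        "source": decode_script(resource["script"]),
    }


# Constructed sample resource, shaped like the Read response schema above.
# The DNs, timestamps and source are made up for this example.
SAMPLE_RESOURCE = {
    "_id": "deny-after-hours",
    "name": "Deny after hours",
    "description": "Policy condition example",
    "context": "POLICY_CONDITION",
    "language": "JAVASCRIPT",
    "script": encode_script("authorized = false;\n"),
    "creationDate": "2016-01-10T09:00:00Z",
    "lastModifiedDate": "2016-02-01T17:30:00Z",
    "createdBy": "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
    "lastModifiedBy": "id=demo,ou=user,dc=openam,dc=forgerock,dc=org",
}

if __name__ == "__main__":
    body = build_script_request("Deny after hours", "POLICY_CONDITION",
                                "JAVASCRIPT", "authorized = false;\n")
    print(json.dumps(body, indent=2))
    print(summarize_script_resource(SAMPLE_RESOURCE))
```

Scripts in these contexts run inside policy evaluation and authentication, so a resource whose summary reports modified_since_creation, or whose last_modified_by is a DN you do not expect to hold that privilege, is worth diffing against whatever source control the realm's scripts are kept in.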
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the script (the `{id}` path segment) | ✓ | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"creationDate" : {
"title" : "Creation date",
"description" : "A string containing the creation date and time, in ISO 8601 format",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION (Policy Condition); AUTHENTICATION_SERVER_SIDE (Server-side Authentication); AUTHENTICATION_CLIENT_SIDE (Client-side Authentication; client-side scripts must be written in JavaScript); OIDC_CLAIMS (OIDC Claims)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the script (the `{id}` path segment) | ✓ | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"creationDate" : {
"title" : "Creation date",
"description" : "A string containing the creation date and time, in ISO 8601 format",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION (Policy Condition); AUTHENTICATION_SERVER_SIDE (Server-side Authentication); AUTHENTICATION_CLIENT_SIDE (Client-side Authentication; client-side scripts must be written in JavaScript); OIDC_CLAIMS (OIDC Claims)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | string | Identifier of the script (the `{id}` path segment) | ✓ | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"creationDate" : {
"title" : "Creation date",
"description" : "A string containing the creation date and time, in ISO 8601 format",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION (Policy Condition); AUTHENTICATION_SERVER_SIDE (Server-side Authentication); AUTHENTICATION_CLIENT_SIDE (Client-side Authentication; client-side scripts must be written in JavaScript); OIDC_CLAIMS (OIDC Claims)",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"propertyOrder" : 1000,
"required" : true,
"type" : "string"
}
}
}
/realm-config/services/security
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"selfServiceEnabled" : {
"title" : "Legacy Self-Service REST Endpoint",
"description" : "Specify whether to enable the legacy self-service endpoint. OpenAM supports two User Self-Service components: the Legacy User Self-Service, which is based on a Java SDK and is available in OpenAM versions prior to OpenAM 13, and a common REST-based/XUI-based User Self-Service available in OpenAM 13 and later. The Legacy User Self-Service will be deprecated in a future release.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"protectedUserAttributes" : {
"title" : "Protected User Attributes",
"description" : "A list of user profile attributes. Users modifying any of the attributes in this list will be required to enter a password as confirmation before the change is accepted. This option applies to XUI deployments only.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgotPasswordTokenLifetime" : {
"title" : "Forgot Password Token Lifetime (seconds)",
"description" : "Maximum life time for the token that allows a user to process a forgotten password using the REST API.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"userRegisteredDestination" : {
"title" : "Destination After Successful Self-Registration",
"description" : "Specifies the behavior when self-registration has successfully completed.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"selfRegistrationConfirmationUrl" : {
"title" : "Self-Registration Confirmation Email URL",
"description" : "This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"selfRegistrationEnabled" : {
"title" : "Self-Registration for Users",
"description" : "If enabled, new users can sign up using a REST API client.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"forgotPasswordEnabled" : {
"title" : "Forgot Password for Users",
"description" : "If enabled, users can assign themselves a new password using a REST API client.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"selfRegistrationTokenLifetime" : {
"title" : "Self-Registration Token LifeTime (seconds)",
"description" : "Maximum life time for the token allowing User Self-Registration using the REST API.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"forgotPasswordConfirmationUrl" : {
"title" : "Forgot Password Confirmation Email URL",
"description" : "This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"selfServiceEnabled" : {
"title" : "Legacy Self-Service REST Endpoint",
"description" : "Specify whether to enable the legacy self-service endpoint. OpenAM supports two User Self-Service components: the Legacy User Self-Service, which is based on a Java SDK and is available in OpenAM versions prior to OpenAM 13, and a common REST-based/XUI-based User Self-Service available in OpenAM 13 and later. The Legacy User Self-Service will be deprecated in a future release.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"protectedUserAttributes" : {
"title" : "Protected User Attributes",
"description" : "A list of user profile attributes. Users modifying any of the attributes in this list will be required to enter a password as confirmation before the change is accepted. This option applies to XUI deployments only.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgotPasswordTokenLifetime" : {
"title" : "Forgot Password Token Lifetime (seconds)",
"description" : "Maximum life time for the token that allows a user to process a forgotten password using the REST API.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"userRegisteredDestination" : {
"title" : "Destination After Successful Self-Registration",
"description" : "Specifies the behavior when self-registration has successfully completed.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"selfRegistrationConfirmationUrl" : {
"title" : "Self-Registration Confirmation Email URL",
"description" : "This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"selfRegistrationEnabled" : {
"title" : "Self-Registration for Users",
"description" : "If enabled, new users can sign up using a REST API client.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"forgotPasswordEnabled" : {
"title" : "Forgot Password for Users",
"description" : "If enabled, users can assign themselves a new password using a REST API client.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"selfRegistrationTokenLifetime" : {
"title" : "Self-Registration Token LifeTime (seconds)",
"description" : "Maximum life time for the token allowing User Self-Registration using the REST API.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"forgotPasswordConfirmationUrl" : {
"title" : "Forgot Password Confirmation Email URL",
"description" : "This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"selfServiceEnabled" : {
"title" : "Legacy Self-Service REST Endpoint",
"description" : "Specify whether to enable the legacy self-service endpoint. OpenAM supports two User Self-Service components: the Legacy User Self-Service, which is based on a Java SDK and is available in OpenAM versions prior to OpenAM 13, and a common REST-based/XUI-based User Self-Service available in OpenAM 13 and later. The Legacy User Self-Service will be deprecated in a future release.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"protectedUserAttributes" : {
"title" : "Protected User Attributes",
"description" : "A list of user profile attributes. Users modifying any of the attributes in this list will be required to enter a password as confirmation before the change is accepted. This option applies to XUI deployments only.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgotPasswordTokenLifetime" : {
"title" : "Forgot Password Token Lifetime (seconds)",
"description" : "Maximum life time for the token that allows a user to process a forgotten password using the REST API.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"userRegisteredDestination" : {
"title" : "Destination After Successful Self-Registration",
"description" : "Specifies the behavior when self-registration has successfully completed.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"selfRegistrationConfirmationUrl" : {
"title" : "Self-Registration Confirmation Email URL",
"description" : "This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"selfRegistrationEnabled" : {
"title" : "Self-Registration for Users",
"description" : "If enabled, new users can sign up using a REST API client.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"forgotPasswordEnabled" : {
"title" : "Forgot Password for Users",
"description" : "If enabled, users can assign themselves a new password using a REST API client.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"selfRegistrationTokenLifetime" : {
"title" : "Self-Registration Token LifeTime (seconds)",
"description" : "Maximum life time for the token allowing User Self-Registration using the REST API.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"forgotPasswordConfirmationUrl" : {
"title" : "Forgot Password Confirmation Email URL",
"description" : "This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"selfServiceEnabled" : {
"title" : "Legacy Self-Service REST Endpoint",
"description" : "Specify whether to enable the legacy self-service endpoint. OpenAM supports two User Self-Service components: the Legacy User Self-Service, which is based on a Java SDK and is available in OpenAM versions prior to OpenAM 13, and a common REST-based/XUI-based User Self-Service available in OpenAM 13 and later. The Legacy User Self-Service will be deprecated in a future release.",
"propertyOrder" : 100,
"required" : true,
"type" : "boolean"
},
"protectedUserAttributes" : {
"title" : "Protected User Attributes",
"description" : "A list of user profile attributes. Users modifying any of the attributes in this list will be required to enter a password as confirmation before the change is accepted. This option applies to XUI deployments only.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgotPasswordTokenLifetime" : {
"title" : "Forgot Password Token Lifetime (seconds)",
"description" : "Maximum life time for the token that allows a user to process a forgotten password using the REST API.",
"propertyOrder" : 600,
"required" : true,
"type" : "integer"
},
"userRegisteredDestination" : {
"title" : "Destination After Successful Self-Registration",
"description" : "Specifies the behavior when self-registration has successfully completed.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"selfRegistrationConfirmationUrl" : {
"title" : "Self-Registration Confirmation Email URL",
"description" : "This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.",
"propertyOrder" : 400,
"required" : true,
"type" : "string"
},
"selfRegistrationEnabled" : {
"title" : "Self-Registration for Users",
"description" : "If enabled, new users can sign up using a REST API client.",
"propertyOrder" : 200,
"required" : true,
"type" : "boolean"
},
"forgotPasswordEnabled" : {
"title" : "Forgot Password for Users",
"description" : "If enabled, users can assign themselves a new password using a REST API client.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"selfRegistrationTokenLifetime" : {
"title" : "Self-Registration Token LifeTime (seconds)",
"description" : "Maximum life time for the token allowing User Self-Registration using the REST API.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"forgotPasswordConfirmationUrl" : {
"title" : "Forgot Password Confirmation Email URL",
"description" : "This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
}
}
}
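The security service above and the selfService generalConfig schema that follows hold the settings that govern self-registration and password recovery: which flows are on, how long the emailed tokens live, where the confirmation links point, which profile attributes need a password to change, and how many KBA answers are defined and verified. As an added example that is not part of the OpenAM descriptor or product, the Python below audits a configuration document of each shape. The weak and hardened security samples are constructed, the one-hour token ceiling is an assumption chosen for the example, the `autologin` check assumes userRegisteredDestination takes the same values (default, login, autologin) that the selfService schema lists, and the KBA parser follows the `unique key|locale|question` format stated there.

```python
# Constructed samples shaped like the Read response of
# /realm-config/services/security. Hostnames and values are made up.
WEAK_SECURITY = {
    "selfServiceEnabled": True,
    "selfRegistrationEnabled": True,
    "selfRegistrationTokenLifetime": 86400,
    "selfRegistrationConfirmationUrl": "http://openam.example.com/openam/XUI/confirm.html",
    "forgotPasswordEnabled": True,
    "forgotPasswordTokenLifetime": 900,
    "forgotPasswordConfirmationUrl": "https://openam.example.com/openam/XUI/confirm.html",
    "userRegisteredDestination": "autologin",
    "protectedUserAttributes": [],
}
HARDENED_SECURITY = dict(
    WEAK_SECURITY,
    selfServiceEnabled=False,
    selfRegistrationTokenLifetime=1800,
    selfRegistrationConfirmationUrl="https://openam.example.com/openam/XUI/confirm.html",
    userRegisteredDestination="login",
    protectedUserAttributes=["mail", "telephoneNumber"],
)

# Assumption for this example: no registration or recovery token should live
# longer than one hour. Pick the ceiling that fits your own risk appetite.
MAX_TOKEN_LIFETIME = 3600


def audit_security_service(cfg, max_token_lifetime=MAX_TOKEN_LIFETIME):
    """Return a list of findings for one security service configuration."""
    findings = []
    if cfg.get("selfServiceEnabled"):
        findings.append("selfServiceEnabled: legacy self-service endpoint is on "
                        "(superseded by the REST/XUI service in OpenAM 13 and later)")
    flows = (
        ("selfRegistrationEnabled", "selfRegistrationTokenLifetime",
         "selfRegistrationConfirmationUrl", "self-registration"),
        ("forgotPasswordEnabled", "forgotPasswordTokenLifetime",
         "forgotPasswordConfirmationUrl", "forgot-password"),
    )
    for enabled, ttl_key, url_key, label in flows:
        if not cfg.get(enabled):
            continue  # a disabled flow issues no tokens and sends no links
        ttl = cfg.get(ttl_key)
        if not isinstance(ttl, int) or ttl <= 0 or ttl > max_token_lifetime:
            findings.append(f"{ttl_key}: {label} token lifetime {ttl!r}s is outside "
                            f"1..{max_token_lifetime}s")
        if not str(cfg.get(url_key, "")).startswith("https://"):
            findings.append(f"{url_key}: {label} confirmation link is not https, "
                            "so the emailed token travels in clear text")
    if cfg.get("forgotPasswordEnabled") and not cfg.get("protectedUserAttributes"):
        findings.append("protectedUserAttributes: empty, so no profile attribute "
                        "needs password confirmation before it is changed")
    # Assumption: same value set as the selfService schema (default/login/autologin).
    if cfg.get("selfRegistrationEnabled") and cfg.get("userRegisteredDestination") == "autologin":
        findings.append("userRegisteredDestination: autologin issues a session "
                        "straight from self-registration without a login step")
    return findings


def parse_kba_questions(entries):
    """Parse selfService kbaQuestions entries in the 'unique key|locale|question' format."""
    questions = {}
    for entry in entries:
        parts = entry.split("|", 2)
        if len(parts) != 3 or not all(p.strip() for p in parts):
            raise ValueError(f"malformed KBA question entry: {entry!r}")
        key, locale, text = (p.strip() for p in parts)
        questions.setdefault(key, {})[locale] = text
    return questions


def audit_kba(general_config):
    """Check the selfService generalConfig KBA settings for internal consistency."""
    findings = []
    questions = parse_kba_questions(general_config.get("kbaQuestions", []))
    define = general_config.get("minimumAnswersToDefine", 0)
    verify = general_config.get("minimumAnswersToVerify", 0)
    if not 0 <= verify <= 50:  # range the schema states
        findings.append(f"minimumAnswersToVerify: {verify} is outside 0..50")
    if verify > define:
        findings.append("minimumAnswersToVerify exceeds minimumAnswersToDefine: users who "
                        "define only the minimum can never pass verification")
    if define > len(questions):
        findings.append(f"minimumAnswersToDefine: {define} exceeds the {len(questions)} "
                        "distinct questions configured")
    return findings
```

Running audit_security_service over the weak sample reports the legacy endpoint, the day-long self-registration token, the plain-http confirmation link, the empty protected-attribute list and the autologin destination; the hardened sample reports nothing. The KBA checks only catch settings that contradict each other or the stated 0..50 range; whether a given question set is guessable is a review question the code cannot answer.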
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/selfService
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"generalConfig" : {
"type" : "object",
"title" : "General Configuration",
"propertyOrder" : 0,
"properties" : {
"minimumAnswersToDefine" : {
"title" : "Minimum Answers to Define",
"description" : "Specifies the minimum number of KBA answers that users must define.",
"propertyOrder" : 60,
"required" : false,
"type" : "integer"
},
"captchaSecretKey" : {
"title" : "Google reCAPTCHA Secret Key",
"description" : "Google reCAPTCHA plugin secret key.",
"propertyOrder" : 30,
"required" : false,
"type" : "string"
},
"captchaSiteKey" : {
"title" : "Google reCAPTCHA Site Key",
"description" : "Google reCAPTCHA plugin site key.",
"propertyOrder" : 20,
"required" : false,
"type" : "string"
},
"minimumAnswersToVerify" : {
"title" : "Minimum Answers to Verify",
"description" : "Specifies the minimum number of KBA questions that users need to answer to be granted the privilege to carry out an action, such as registering for an account, resetting a password, or retrieving a username. Specify a value from 0 to 50.",
"propertyOrder" : 70,
"required" : false,
"type" : "integer"
},
"validQueryAttributes" : {
"title" : "Valid Query Attributes",
"description" : "Specifies the valid query attributes used to search for the user. This is a list of attributes used to identify your account for forgotten password and forgotten username.",
"propertyOrder" : 80,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"encryptionKeyPairAlias" : {
"title" : "Encryption Key Pair Alias",
"description" : "An encryption key alias in the OpenAM server's JCEKS keystore. Used to encrypt the JWT token that OpenAM uses to track end users during User Self-Service operations.",
"propertyOrder" : 0,
"required" : true,
"type" : "string",
"exampleValue" : "selfserviceenctest"
},
"captchaVerificationUrl" : {
"title" : "Google Re-captcha Verification URL",
"description" : "Google reCAPTCHA plugin verification URL.",
"propertyOrder" : 40,
"required" : false,
"type" : "string"
},
"kbaQuestions" : {
"title" : "Security Questions",
"description" : "Specifies the default set of knowledge-based authentication (KBA) security questions. The security questions can be set for the User Self-Registration, forgotten password reset, and forgotten username services, respectively. Format is \"unique key|locale|question\".",
"propertyOrder" : 50,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"signingSecretKeyAlias" : {
"title" : "Signing Secret Key Alias",
"description" : "A signing secret key alias in the OpenAM server's JCEKS keystore. Used to sign the JWT token that OpenAM uses to track end users during User Self-Service operations.",
"propertyOrder" : 10,
"required" : true,
"type" : "string",
"exampleValue" : "selfservicesigntest"
}
}
},
"userRegistration" : {
"type" : "object",
"title" : "User Registration",
"propertyOrder" : 1,
"properties" : {
"userRegistrationValidUserAttributes" : {
"title" : "Valid Creation Attributes",
"description" : "Specifies a whitelist of user attributes that can be set during user creation.",
"propertyOrder" : 160,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegistrationEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customize the User Self-Registration verification email subject text. Format is \"locale|subject text\".",
"propertyOrder" : 140,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegistrationEmailVerificationFirstEnabled" : {
"title" : "Verify Email before User Detail",
"description" : "If enabled, email address verification will be performed first before user details screen is displayed. This will take effect only if Verify Email is enabled.",
"propertyOrder" : 110,
"required" : false,
"type" : "boolean"
},
"userRegistrationKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must set up their security questions during the self-registration process.",
"propertyOrder" : 120,
"required" : false,
"type" : "boolean"
},
"userRegistrationCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during user self-registration to mitigate against software bots.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
},
"userRegistrationTokenTTL" : {
"title" : "Token Lifetime (seconds)",
"description" : "Maximum lifetime of the token allowing User Self-Registration, in seconds.",
"propertyOrder" : 130,
"required" : false,
"type" : "integer"
},
"userRegistrationEnabled" : {
"title" : "User Registration",
"description" : "If enabled, new users can sign up for an account.",
"propertyOrder" : 90,
"required" : true,
"type" : "boolean"
},
"userRegistrationEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customize the User Self-Registration verification email body text. Format is: <code>locale|body text</code>.",
"propertyOrder" : 150,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegisteredDestination" : {
"title" : "Destination After Successful Self-Registration",
"description" : "Specifies the action to be taken after a user successfully registers a new account. Choose from:<ul><li><code>default</code>. User is sent to a success page without being logged in.</li><li><code>login</code>. User is sent to the login page to authenticate.</li><li><code>autologin</code>. User is automatically logged in and sent to the appropriate page.</li></ul>",
"propertyOrder" : 161,
"required" : true,
"type" : "string"
},
"userRegistrationEmailVerificationEnabled" : {
"title" : "Email Verification",
"description" : "If enabled, users who self-register must perform email address verification.",
"propertyOrder" : 110,
"required" : false,
"type" : "boolean"
}
}
},
"forgottenUsername" : {
"type" : "object",
"title" : "Forgotten Username",
"propertyOrder" : 3,
"properties" : {
"forgottenUsernameCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during the forgotten username retrieval process to mitigate against software bots.",
"propertyOrder" : 250,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customizes the forgotten username email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenUsernameShowUsernameEnabled" : {
"title" : "Show Username",
"description" : "If enabled, users see their forgotten username on the browser page.",
"propertyOrder" : 280,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameEnabled" : {
"title" : "Forgotten Username",
"description" : "If enabled, users can retrieve their forgotten username.",
"propertyOrder" : 240,
"required" : true,
"type" : "boolean"
},
"forgottenUsernameEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customizes the forgotten username email body text. Format is <code>locale|body text</code>.",
"propertyOrder" : 310,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenUsernameEmailUsernameEnabled" : {
"title" : "Email Username",
"description" : "If enabled, users receive their forgotten username by email.",
"propertyOrder" : 270,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameTokenTTL" : {
"title" : "Token LifeTime (seconds)",
"description" : "Maximum lifetime for the token allowing forgotten username, in seconds.",
"propertyOrder" : 290,
"required" : false,
"type" : "integer"
},
"forgottenUsernameKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must answer their security questions during the forgotten username process.",
"propertyOrder" : 260,
"required" : false,
"type" : "boolean"
}
}
},
"forgottenPassword" : {
"type" : "object",
"title" : "Forgotten Password",
"propertyOrder" : 2,
"properties" : {
"forgottenPasswordEnabled" : {
"title" : "Forgotten Password",
"description" : "If enabled, users can reset their forgotten password.",
"propertyOrder" : 170,
"required" : true,
"type" : "boolean"
},
"numberOfAttemptsEnforced" : {
"title" : "Enforce password reset lockout",
"description" : "If enabled, users will be prevented from resetting their password after the configured number of failed attempts.",
"propertyOrder" : 201,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordTokenTTL" : {
"title" : "Token Lifetime (seconds)",
"description" : "Maximum lifetime for the token allowing forgotten password reset, in seconds.<p><p>Specify a value from <code>0</code> to <code>2147483647</code>.",
"propertyOrder" : 210,
"required" : false,
"type" : "integer"
},
"numberOfAllowedAttempts" : {
"title" : "Lock Out After number of attempts",
"description" : "Can be set to 1 or more attempts for a user to correctly answer all their security questions. After the number of configured attempts the user has not correctly answered them the password reset feature will be disabled.",
"propertyOrder" : 202,
"required" : false,
"type" : "integer"
},
"forgottenPasswordKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must answer their security questions during the forgotten password process.",
"propertyOrder" : 200,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordEmailVerificationEnabled" : {
"title" : "Email Verification",
"description" : "If enabled, users who reset passwords must perform email address verification.",
"propertyOrder" : 190,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customize the forgotten password email body text. Format is <code>locale|body text</code>.",
"propertyOrder" : 230,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenPasswordEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customize the forgotten password email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 220,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenPasswordCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during password reset to mitigate against software bots.",
"propertyOrder" : 180,
"required" : false,
"type" : "boolean"
}
}
},
"advancedConfig" : {
"type" : "object",
"title" : "Advanced Configuration",
"propertyOrder" : 5,
"properties" : {
"userRegistrationServiceConfigClass" : {
"title" : "User Registration Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 350,
"required" : false,
"type" : "string"
},
"forgottenPasswordServiceConfigClass" : {
"title" : "Forgotten Password Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 360,
"required" : false,
"type" : "string"
},
"userRegistrationConfirmationUrl" : {
"title" : "User Registration Confirmation Email URL",
"description" : "Specifies the confirmation URL that the user receives during the self-registration process. The <code>${realm}</code> string is replaced with the current realm.",
"propertyOrder" : 330,
"required" : false,
"type" : "string"
},
"forgottenPasswordConfirmationUrl" : {
"title" : "Forgotten Password Confirmation Email URL",
"description" : "Specifies the confirmation URL that the user receives after confirming their identity during the forgotten password process. The <code>${realm}</code> string is replaced with the current realm.",
"propertyOrder" : 340,
"required" : false,
"type" : "string"
},
"forgottenUsernameServiceConfigClass" : {
"title" : "Forgotten Username Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 370,
"required" : false,
"type" : "string"
}
}
},
"profileManagement" : {
"type" : "object",
"title" : "Profile Management",
"propertyOrder" : 4,
"properties" : {
"profileProtectedUserAttributes" : {
"title" : "Protected Update Attributes",
"description" : "Specifies a profile's protected user attributes, which causes re-authentication when the user attempts to modify these attributes.",
"propertyOrder" : 320,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
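The schema above documents the value formats (`unique key|locale|question` for security questions, `locale|subject text` and `locale|body text` for email templates), which fields are required, and the numeric bounds on token lifetimes and `minimumAnswersToVerify`, but nothing checks a request body before it is sent to the Create or Update operation. The following is an added example, not OpenAM code or part of this API reference: a pre-flight validator in Python that enforces those documented constraints together with the cross-field dependencies the descriptions imply, such as a lockout count of at least 1 when `numberOfAttemptsEnforced` is set, and a `minimumAnswersToVerify` no larger than `minimumAnswersToDefine`. The locale pattern, the helper names and the sample configuration are this example's own assumptions.

```python
"""Pre-flight validation of a User Self-Service configuration body before it is
submitted to the Create or Update operation.  Added example, not OpenAM code: keys,
required fields, value formats and numeric bounds follow the schema above; the locale
pattern and the sample configuration are this example's own assumptions."""
import re

DESTINATIONS = {"default", "login", "autologin"}   # documented userRegisteredDestination values
TTL_MAX = 2147483647                                # documented upper bound for a token TTL
VERIFY_MAX = 50                                     # documented upper bound for minimumAnswersToVerify
LOCALE_RE = re.compile(r"^[a-z]{2,3}(?:[_-][A-Za-z0-9]{2,8})*$")  # en, en_GB, pt-BR (assumed form)
REQUIRED = (("generalConfig", "encryptionKeyPairAlias"), ("generalConfig", "signingSecretKeyAlias"),
            ("userRegistration", "userRegistrationEnabled"), ("userRegistration", "userRegisteredDestination"),
            ("forgottenPassword", "forgottenPasswordEnabled"), ("forgottenUsername", "forgottenUsernameEnabled"))
EMAIL_KEYS = ("userRegistrationEmailSubject", "userRegistrationEmailBody", "forgottenPasswordEmailSubject",
              "forgottenPasswordEmailBody", "forgottenUsernameEmailSubject", "forgottenUsernameEmailBody")
TTL_KEYS = ("userRegistrationTokenTTL", "forgottenPasswordTokenTTL", "forgottenUsernameTokenTTL")


def _split(entry, fields):
    """Split a '|'-delimited entry into exactly `fields` non-empty parts.  The last
    part keeps any further '|' characters, so question text may contain them."""
    parts = [p.strip() for p in entry.split("|", fields - 1)]
    if len(parts) != fields or not all(parts):
        raise ValueError(f"expected {fields} '|'-separated fields: {entry!r}")
    if not LOCALE_RE.match(parts[-2]):          # the locale always precedes the text field
        raise ValueError(f"bad locale {parts[-2]!r} in {entry!r}")
    return tuple(parts)


def parse_kba_question(entry):
    """'unique key|locale|question' -> (key, locale, question)."""
    return _split(entry, 3)


def parse_localized_text(entry):
    """'locale|text' (email subject or body) -> (locale, text)."""
    return _split(entry, 2)


def validate_config(cfg):
    """Return the list of problems found; an empty list means the body is consistent."""
    problems = []
    sections = {n: cfg.get(n, {}) for n in
                ("generalConfig", "userRegistration", "forgottenPassword", "forgottenUsername")}
    general, reg, fp = sections["generalConfig"], sections["userRegistration"], sections["forgottenPassword"]
    flat = {k: v for sec in sections.values() for k, v in sec.items()}   # keys are unique across sections

    problems += [f"{s}.{k} is required" for s, k in REQUIRED if k not in sections[s]]
    dest = reg.get("userRegisteredDestination")
    if dest is not None and dest not in DESTINATIONS:
        problems.append(f"userRegisteredDestination {dest!r} not one of {sorted(DESTINATIONS)}")

    seen = set()   # (key, locale) pairs, to catch a question key reused within one locale
    for entry in general.get("kbaQuestions", []):
        try:
            key, locale, _ = parse_kba_question(entry)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if (key, locale) in seen:
            problems.append(f"duplicate KBA key {key!r} for locale {locale!r}")
        seen.add((key, locale))

    define, verify = general.get("minimumAnswersToDefine", 0), general.get("minimumAnswersToVerify", 0)
    if not 0 <= verify <= VERIFY_MAX:
        problems.append(f"minimumAnswersToVerify {verify} outside 0..{VERIFY_MAX}")
    if verify > define:
        problems.append(f"minimumAnswersToVerify {verify} exceeds minimumAnswersToDefine {define}")

    for key in EMAIL_KEYS:
        for entry in flat.get(key, []):
            try:
                parse_localized_text(entry)
            except ValueError as exc:
                problems.append(f"{key}: {exc}")

    for key in TTL_KEYS:
        ttl = flat.get(key)
        if ttl is not None and not 0 <= ttl <= TTL_MAX:
            problems.append(f"{key} {ttl} outside 0..{TTL_MAX}")

    if fp.get("numberOfAttemptsEnforced") and fp.get("numberOfAllowedAttempts", 0) < 1:
        problems.append("numberOfAttemptsEnforced requires numberOfAllowedAttempts >= 1")
    return problems


def sample_config():
    """Constructed request body; the keystore aliases are the schema's example values."""
    return {
        "generalConfig": {
            "encryptionKeyPairAlias": "selfserviceenctest", "signingSecretKeyAlias": "selfservicesigntest",
            "minimumAnswersToDefine": 3, "minimumAnswersToVerify": 2,
            "kbaQuestions": ["pet|en|What was the name of your first pet?",
                             "colour|en|Which colour do you prefer (red|green|blue)?",
                             "pet|de|Wie hiess Ihr erstes Haustier?"]},
        "userRegistration": {"userRegistrationEnabled": True, "userRegisteredDestination": "login",
                             "userRegistrationEmailSubject": ["en|Confirm your registration"],
                             "userRegistrationTokenTTL": 900},
        "forgottenPassword": {"forgottenPasswordEnabled": True, "forgottenPasswordKbaEnabled": True,
                              "numberOfAttemptsEnforced": True, "numberOfAllowedAttempts": 3,
                              "forgottenPasswordTokenTTL": 900},
        "forgottenUsername": {"forgottenUsernameEnabled": True},
    }
```

Run `validate_config(sample_config())` on a body before submitting it; a non-empty list is the set of reasons the server would either reject the body or accept a configuration that does not behave as intended. The duplicate-key check matters because the question key is what ties a stored answer to its question across locales.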
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"generalConfig" : {
"type" : "object",
"title" : "General Configuration",
"propertyOrder" : 0,
"properties" : {
"minimumAnswersToDefine" : {
"title" : "Minimum Answers to Define",
"description" : "Specifies the minimum number of KBA answers that users must define.",
"propertyOrder" : 60,
"required" : false,
"type" : "integer"
},
"captchaSecretKey" : {
"title" : "Google reCAPTCHA Secret Key",
"description" : "Google reCAPTCHA plugin secret key.",
"propertyOrder" : 30,
"required" : false,
"type" : "string"
},
"captchaSiteKey" : {
"title" : "Google reCAPTCHA Site Key",
"description" : "Google reCAPTCHA plugin site key.",
"propertyOrder" : 20,
"required" : false,
"type" : "string"
},
"minimumAnswersToVerify" : {
"title" : "Minimum Answers to Verify",
"description" : "Specifies the minimum number of KBA questions that users need to answer to be granted the privilege to carry out an action, such as registering for an account, resetting a password, or retrieving a username. Specify a value from <code>0</code> to <code>50</code>.",
"propertyOrder" : 70,
"required" : false,
"type" : "integer"
},
"validQueryAttributes" : {
"title" : "Valid Query Attributes",
"description" : "Specifies the valid query attributes used to search for the user. This is a list of attributes used to identify your account for forgotten password and forgotten username.",
"propertyOrder" : 80,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"encryptionKeyPairAlias" : {
"title" : "Encryption Key Pair Alias",
"description" : "An encryption key alias in the OpenAM server's JCEKS keystore. Used to encrypt the JWT token that OpenAM uses to track end users during User Self-Service operations.",
"propertyOrder" : 0,
"required" : true,
"type" : "string",
"exampleValue" : "selfserviceenctest"
},
"captchaVerificationUrl" : {
"title" : "Google Re-captcha Verification URL",
"description" : "Google reCAPTCHA plugin verification URL.",
"propertyOrder" : 40,
"required" : false,
"type" : "string"
},
"kbaQuestions" : {
"title" : "Security Questions",
"description" : "Specifies the default set of knowledge-based authentication (KBA) security questions. The security questions can be set for the User Self-Registration, forgotten password reset, and forgotten username services, respectively.<p><p>Format is <code>unique key|locale|question</code>.",
"propertyOrder" : 50,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"signingSecretKeyAlias" : {
"title" : "Signing Secret Key Alias",
"description" : "A signing secret key alias in the OpenAM server's JCEKS keystore. Used to sign the JWT token that OpenAM uses to track end users during User Self-Service operations.",
"propertyOrder" : 10,
"required" : true,
"type" : "string",
"exampleValue" : "selfservicesigntest"
}
}
},
"userRegistration" : {
"type" : "object",
"title" : "User Registration",
"propertyOrder" : 1,
"properties" : {
"userRegistrationValidUserAttributes" : {
"title" : "Valid Creation Attributes",
"description" : "Specifies a whitelist of user attributes that can be set during user creation.",
"propertyOrder" : 160,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegistrationEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customize the User Self-Registration verification email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 140,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegistrationEmailVerificationFirstEnabled" : {
"title" : "Verify Email before User Detail",
"description" : "If enabled, email address verification will be performed first before user details screen is displayed. This will take effect only if Verify Email is enabled.",
"propertyOrder" : 110,
"required" : false,
"type" : "boolean"
},
"userRegistrationKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must set up their security questions during the self-registration process.",
"propertyOrder" : 120,
"required" : false,
"type" : "boolean"
},
"userRegistrationCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during user self-registration to mitigate against software bots.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
},
"userRegistrationTokenTTL" : {
"title" : "Token Lifetime (seconds)",
"description" : "Maximum lifetime of the token allowing User Self-Registration, in seconds.",
"propertyOrder" : 130,
"required" : false,
"type" : "integer"
},
"userRegistrationEnabled" : {
"title" : "User Registration",
"description" : "If enabled, new users can sign up for an account.",
"propertyOrder" : 90,
"required" : true,
"type" : "boolean"
},
"userRegistrationEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customize the User Self-Registration verification email body text. Format is: <code>locale|body text</code>.",
"propertyOrder" : 150,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegisteredDestination" : {
"title" : "Destination After Successful Self-Registration",
"description" : "Specifies the action to be taken after a user successfully registers a new account. Choose from:<ul><li><code>default</code>. User is sent to a success page without being logged in.</li><li><code>login</code>. User is sent to the login page to authenticate.</li><li><code>autologin</code>. User is automatically logged in and sent to the appropriate page.</li></ul>",
"propertyOrder" : 161,
"required" : true,
"type" : "string"
},
"userRegistrationEmailVerificationEnabled" : {
"title" : "Email Verification",
"description" : "If enabled, users who self-register must perform email address verification.",
"propertyOrder" : 110,
"required" : false,
"type" : "boolean"
}
}
},
"forgottenUsername" : {
"type" : "object",
"title" : "Forgotten Username",
"propertyOrder" : 3,
"properties" : {
"forgottenUsernameCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during the forgotten username retrieval process to mitigate against software bots.",
"propertyOrder" : 250,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customizes the forgotten username email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenUsernameShowUsernameEnabled" : {
"title" : "Show Username",
"description" : "If enabled, users see their forgotten username on the browser page.",
"propertyOrder" : 280,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameEnabled" : {
"title" : "Forgotten Username",
"description" : "If enabled, users can retrieve their forgotten username.",
"propertyOrder" : 240,
"required" : true,
"type" : "boolean"
},
"forgottenUsernameEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customizes the forgotten username email body text. Format is <code>locale|body text</code>.",
"propertyOrder" : 310,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenUsernameEmailUsernameEnabled" : {
"title" : "Email Username",
"description" : "If enabled, users receive their forgotten username by email.",
"propertyOrder" : 270,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameTokenTTL" : {
"title" : "Token LifeTime (seconds)",
"description" : "Maximum lifetime for the token allowing forgotten username, in seconds.",
"propertyOrder" : 290,
"required" : false,
"type" : "integer"
},
"forgottenUsernameKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must answer their security questions during the forgotten username process.",
"propertyOrder" : 260,
"required" : false,
"type" : "boolean"
}
}
},
"forgottenPassword" : {
"type" : "object",
"title" : "Forgotten Password",
"propertyOrder" : 2,
"properties" : {
"forgottenPasswordEnabled" : {
"title" : "Forgotten Password",
"description" : "If enabled, users can reset their forgotten password.",
"propertyOrder" : 170,
"required" : true,
"type" : "boolean"
},
"numberOfAttemptsEnforced" : {
"title" : "Enforce password reset lockout",
"description" : "If enabled, users will be prevented from resetting their password after the configured number of failed attempts.",
"propertyOrder" : 201,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordTokenTTL" : {
"title" : "Token Lifetime (seconds)",
"description" : "Maximum lifetime for the token allowing forgotten password reset, in seconds.<p><p>Specify a value from <code>0</code> to <code>2147483647</code>.",
"propertyOrder" : 210,
"required" : false,
"type" : "integer"
},
"numberOfAllowedAttempts" : {
"title" : "Lock Out After number of attempts",
"description" : "Can be set to 1 or more attempts for a user to correctly answer all their security questions. After the number of configured attempts the user has not correctly answered them the password reset feature will be disabled.",
"propertyOrder" : 202,
"required" : false,
"type" : "integer"
},
"forgottenPasswordKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must answer their security questions during the forgotten password process.",
"propertyOrder" : 200,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordEmailVerificationEnabled" : {
"title" : "Email Verification",
"description" : "If enabled, users who reset passwords must perform email address verification.",
"propertyOrder" : 190,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customize the forgotten password email body text. Format is <code>locale|body text</code>.",
"propertyOrder" : 230,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenPasswordEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customize the forgotten password email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 220,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenPasswordCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during password reset to mitigate against software bots.",
"propertyOrder" : 180,
"required" : false,
"type" : "boolean"
}
}
},
"advancedConfig" : {
"type" : "object",
"title" : "Advanced Configuration",
"propertyOrder" : 5,
"properties" : {
"userRegistrationServiceConfigClass" : {
"title" : "User Registration Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 350,
"required" : false,
"type" : "string"
},
"forgottenPasswordServiceConfigClass" : {
"title" : "Forgotten Password Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 360,
"required" : false,
"type" : "string"
},
"userRegistrationConfirmationUrl" : {
"title" : "User Registration Confirmation Email URL",
"description" : "Specifies the confirmation URL that the user receives during the self-registration process. The <code>${realm}</code> string is replaced with the current realm.",
"propertyOrder" : 330,
"required" : false,
"type" : "string"
},
"forgottenPasswordConfirmationUrl" : {
"title" : "Forgotten Password Confirmation Email URL",
"description" : "Specifies the confirmation URL that the user receives after confirming their identity during the forgotten password process. The <code>${realm}</code> string is replaced with the current realm.",
"propertyOrder" : 340,
"required" : false,
"type" : "string"
},
"forgottenUsernameServiceConfigClass" : {
"title" : "Forgotten Username Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 370,
"required" : false,
"type" : "string"
}
}
},
"profileManagement" : {
"type" : "object",
"title" : "Profile Management",
"propertyOrder" : 4,
"properties" : {
"profileProtectedUserAttributes" : {
"title" : "Protected Update Attributes",
"description" : "Specifies a profile's protected user attributes, which causes re-authentication when the user attempts to modify these attributes.",
"propertyOrder" : 320,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
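Reading the configuration back is also the natural point to audit it, because the switches in this schema decide how much proof of identity each account-recovery flow demands. The following is an added example, not OpenAM code or part of this reference: a posture audit over a Read response that flags the combinations a security reviewer would question, such as a forgotten-password flow that requires neither email verification nor security questions, security questions without lockout, the recovered username echoed to the browser (an enumeration aid), a reCAPTCHA flag set while the site and secret keys are absent, and sensitive profile attributes left outside the re-authentication list. The severity levels, the 24-hour token-lifetime ceiling, the five-attempt lockout ceiling and the attribute names `mail` and `telephoneNumber` are this example's assumptions; both configurations are constructed.

```python
"""Security posture audit of a User Self-Service configuration as returned by the
Read operation.  Added example, not OpenAM code: the keys are those documented in
the schema above; severities, thresholds and attribute names are assumptions."""

MAX_TTL = 24 * 3600        # assumed ceiling for a recovery token lifetime (seconds)
MAX_ATTEMPTS = 5           # assumed ceiling for KBA guesses before lockout
SENSITIVE_ATTRS = {"mail", "telephoneNumber"}   # assumed attribute names of recovery channels
SEVERITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}

# (section, enabled flag, captcha flag, token TTL key, label) for the three self-service flows
FLOWS = (
    ("userRegistration", "userRegistrationEnabled", "userRegistrationCaptchaEnabled",
     "userRegistrationTokenTTL", "self-registration"),
    ("forgottenPassword", "forgottenPasswordEnabled", "forgottenPasswordCaptchaEnabled",
     "forgottenPasswordTokenTTL", "forgotten password"),
    ("forgottenUsername", "forgottenUsernameEnabled", "forgottenUsernameCaptchaEnabled",
     "forgottenUsernameTokenTTL", "forgotten username"),
)


def audit(cfg):
    """Return (severity, message) findings for cfg, highest severity first."""
    findings = []
    general, reg, fp, fu = (cfg.get(k, {}) for k in
                            ("generalConfig", "userRegistration", "forgottenPassword", "forgottenUsername"))
    has_captcha_keys = bool(general.get("captchaSiteKey")) and bool(general.get("captchaSecretKey"))

    for section, enabled, captcha, ttl_key, label in FLOWS:
        sec = cfg.get(section, {})
        if not sec.get(enabled):
            continue                      # a disabled flow exposes nothing
        if not sec.get(captcha):
            findings.append(("LOW", f"{label}: reCAPTCHA disabled, flow can be driven by bots"))
        elif not has_captcha_keys:
            findings.append(("HIGH", f"{label}: reCAPTCHA enabled but site/secret key missing"))
        ttl = sec.get(ttl_key)
        if ttl is not None and ttl > MAX_TTL:
            findings.append(("MEDIUM", f"{label}: token lifetime {ttl}s exceeds {MAX_TTL}s"))

    if fp.get("forgottenPasswordEnabled"):
        if not (fp.get("forgottenPasswordEmailVerificationEnabled") or fp.get("forgottenPasswordKbaEnabled")):
            findings.append(("HIGH", "forgotten password: neither email verification nor KBA "
                                     "required; a lookup attribute value alone resets the password"))
        if fp.get("forgottenPasswordKbaEnabled"):
            if not fp.get("numberOfAttemptsEnforced"):
                findings.append(("MEDIUM", "forgotten password: KBA without lockout, answers can be guessed"))
            elif fp.get("numberOfAllowedAttempts", 0) > MAX_ATTEMPTS:
                findings.append(("LOW", f"forgotten password: lockout only after "
                                        f"{fp['numberOfAllowedAttempts']} attempts"))
            if general.get("minimumAnswersToVerify", 0) < 1:
                findings.append(("HIGH", "KBA required but minimumAnswersToVerify is 0"))

    if fu.get("forgottenUsernameEnabled") and fu.get("forgottenUsernameShowUsernameEnabled"):
        findings.append(("MEDIUM", "forgotten username: username shown in the browser, "
                                   "enables account enumeration"))

    if reg.get("userRegistrationEnabled"):
        if not reg.get("userRegistrationEmailVerificationEnabled"):
            findings.append(("MEDIUM", "self-registration: email address is not verified"))
        if not reg.get("userRegistrationValidUserAttributes"):
            findings.append(("INFO", "self-registration: no explicit allow list of creation attributes"))

    protected = set(cfg.get("profileManagement", {}).get("profileProtectedUserAttributes", []))
    missing = sorted(SENSITIVE_ATTRS - protected)
    if missing:
        findings.append(("MEDIUM", f"profile: {missing} changeable without re-authentication"))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


# Constructed configurations (not from any real deployment).
WEAK_CONFIG = {
    "generalConfig": {"encryptionKeyPairAlias": "selfserviceenctest",
                      "signingSecretKeyAlias": "selfservicesigntest"},
    "userRegistration": {"userRegistrationEnabled": True, "userRegisteredDestination": "autologin"},
    "forgottenPassword": {"forgottenPasswordEnabled": True, "forgottenPasswordTokenTTL": 604800},
    "forgottenUsername": {"forgottenUsernameEnabled": True, "forgottenUsernameShowUsernameEnabled": True},
    "profileManagement": {},
}
HARDENED_CONFIG = {
    "generalConfig": {"encryptionKeyPairAlias": "selfserviceenctest", "signingSecretKeyAlias": "selfservicesigntest",
                      "captchaSiteKey": "site-key", "captchaSecretKey": "secret-key",
                      "minimumAnswersToDefine": 3, "minimumAnswersToVerify": 2},
    "userRegistration": {"userRegistrationEnabled": True, "userRegisteredDestination": "login",
                         "userRegistrationCaptchaEnabled": True, "userRegistrationEmailVerificationEnabled": True,
                         "userRegistrationTokenTTL": 900,
                         "userRegistrationValidUserAttributes": ["mail", "givenName", "sn"]},
    "forgottenPassword": {"forgottenPasswordEnabled": True, "forgottenPasswordCaptchaEnabled": True,
                          "forgottenPasswordEmailVerificationEnabled": True, "forgottenPasswordKbaEnabled": True,
                          "numberOfAttemptsEnforced": True, "numberOfAllowedAttempts": 3,
                          "forgottenPasswordTokenTTL": 900},
    "forgottenUsername": {"forgottenUsernameEnabled": True, "forgottenUsernameCaptchaEnabled": True,
                          "forgottenUsernameEmailUsernameEnabled": True, "forgottenUsernameShowUsernameEnabled": False},
    "profileManagement": {"profileProtectedUserAttributes": ["mail", "telephoneNumber", "userPassword"]},
}
```

`audit(WEAK_CONFIG)` returns nine findings led by the HIGH one (password reset gated only by a lookup attribute); `audit(HARDENED_CONFIG)` returns none. Feed the audit the JSON body the Read operation returns for each realm, and treat any HIGH finding as a blocker before the realm is exposed to end users.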
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"generalConfig" : {
"type" : "object",
"title" : "General Configuration",
"propertyOrder" : 0,
"properties" : {
"minimumAnswersToDefine" : {
"title" : "Minimum Answers to Define",
"description" : "Specifies the minimum number of KBA answers that users must define.",
"propertyOrder" : 60,
"required" : false,
"type" : "integer"
},
"captchaSecretKey" : {
"title" : "Google reCAPTCHA Secret Key",
"description" : "Google reCAPTCHA plugin secret key.",
"propertyOrder" : 30,
"required" : false,
"type" : "string"
},
"captchaSiteKey" : {
"title" : "Google reCAPTCHA Site Key",
"description" : "Google reCAPTCHA plugin site key.",
"propertyOrder" : 20,
"required" : false,
"type" : "string"
},
"minimumAnswersToVerify" : {
"title" : "Minimum Answers to Verify",
"description" : "Specifies the minimum number of KBA questions that users need to answer to be granted the privilege to carry out an action, such as registering for an account, resetting a password, or retrieving a username. Specify a value from <code>0</code> to <code>50</code>.",
"propertyOrder" : 70,
"required" : false,
"type" : "integer"
},
"validQueryAttributes" : {
"title" : "Valid Query Attributes",
"description" : "Specifies the valid query attributes used to search for the user. This is a list of attributes used to identify your account for forgotten password and forgotten username.",
"propertyOrder" : 80,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"encryptionKeyPairAlias" : {
"title" : "Encryption Key Pair Alias",
"description" : "An encryption key alias in the OpenAM server's JCEKS keystore. Used to encrypt the JWT token that OpenAM uses to track end users during User Self-Service operations.",
"propertyOrder" : 0,
"required" : true,
"type" : "string",
"exampleValue" : "selfserviceenctest"
},
"captchaVerificationUrl" : {
"title" : "Google Re-captcha Verification URL",
"description" : "Google reCAPTCHA plugin verification URL.",
"propertyOrder" : 40,
"required" : false,
"type" : "string"
},
"kbaQuestions" : {
"title" : "Security Questions",
"description" : "Specifies the default set of knowledge-based authentication (KBA) security questions. The security questions can be set for the User Self-Registration, forgotten password reset, and forgotten username services, respectively.<p><p>Format is <code>unique key|locale|question</code>.",
"propertyOrder" : 50,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"signingSecretKeyAlias" : {
"title" : "Signing Secret Key Alias",
"description" : "A signing secret key alias in the OpenAM server's JCEKS keystore. Used to sign the JWT token that OpenAM uses to track end users during User Self-Service operations.",
"propertyOrder" : 10,
"required" : true,
"type" : "string",
"exampleValue" : "selfservicesigntest"
}
}
},
"userRegistration" : {
"type" : "object",
"title" : "User Registration",
"propertyOrder" : 1,
"properties" : {
"userRegistrationValidUserAttributes" : {
"title" : "Valid Creation Attributes",
"description" : "Specifies a whitelist of user attributes that can be set during user creation.",
"propertyOrder" : 160,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegistrationEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customize the User Self-Registration verification email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 140,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegistrationEmailVerificationFirstEnabled" : {
"title" : "Verify Email before User Detail",
"description" : "If enabled, email address verification will be performed first before user details screen is displayed. This will take effect only if Verify Email is enabled.",
"propertyOrder" : 110,
"required" : false,
"type" : "boolean"
},
"userRegistrationKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must set up their security questions during the self-registration process.",
"propertyOrder" : 120,
"required" : false,
"type" : "boolean"
},
"userRegistrationCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during user self-registration to mitigate against software bots.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
},
"userRegistrationTokenTTL" : {
"title" : "Token Lifetime (seconds)",
"description" : "Maximum lifetime of the token allowing User Self-Registration, in seconds.",
"propertyOrder" : 130,
"required" : false,
"type" : "integer"
},
"userRegistrationEnabled" : {
"title" : "User Registration",
"description" : "If enabled, new users can sign up for an account.",
"propertyOrder" : 90,
"required" : true,
"type" : "boolean"
},
"userRegistrationEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customize the User Self-Registration verification email body text. Format is: <code>locale|body text</code>.",
"propertyOrder" : 150,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegisteredDestination" : {
"title" : "Destination After Successful Self-Registration",
"description" : "Specifies the action to be taken after a user successfully registers a new account. Choose from:<ul><li><code>default</code>. User is sent to a success page without being logged in.</li><li><code>login</code>. User is sent to the login page to authenticate.</li><li><code>autologin</code>. User is automatically logged in and sent to the appropriate page.</li></ul>",
"propertyOrder" : 161,
"required" : true,
"type" : "string"
},
"userRegistrationEmailVerificationEnabled" : {
"title" : "Email Verification",
"description" : "If enabled, users who self-register must perform email address verification.",
"propertyOrder" : 110,
"required" : false,
"type" : "boolean"
}
}
},
"forgottenUsername" : {
"type" : "object",
"title" : "Forgotten Username",
"propertyOrder" : 3,
"properties" : {
"forgottenUsernameCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during the forgotten username retrieval process to mitigate against software bots.",
"propertyOrder" : 250,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customizes the forgotten username email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenUsernameShowUsernameEnabled" : {
"title" : "Show Username",
"description" : "If enabled, users see their forgotten username on the browser page.",
"propertyOrder" : 280,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameEnabled" : {
"title" : "Forgotten Username",
"description" : "If enabled, users can retrieve their forgotten username.",
"propertyOrder" : 240,
"required" : true,
"type" : "boolean"
},
"forgottenUsernameEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customizes the forgotten username email body text. Format is <code>locale|body text</code>.",
"propertyOrder" : 310,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenUsernameEmailUsernameEnabled" : {
"title" : "Email Username",
"description" : "If enabled, users receive their forgotten username by email.",
"propertyOrder" : 270,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameTokenTTL" : {
"title" : "Token LifeTime (seconds)",
"description" : "Maximum lifetime for the token allowing forgotten username, in seconds.",
"propertyOrder" : 290,
"required" : false,
"type" : "integer"
},
"forgottenUsernameKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must answer their security questions during the forgotten username process.",
"propertyOrder" : 260,
"required" : false,
"type" : "boolean"
}
}
},
"forgottenPassword" : {
"type" : "object",
"title" : "Forgotten Password",
"propertyOrder" : 2,
"properties" : {
"forgottenPasswordEnabled" : {
"title" : "Forgotten Password",
"description" : "If enabled, users can reset their forgotten password.",
"propertyOrder" : 170,
"required" : true,
"type" : "boolean"
},
"numberOfAttemptsEnforced" : {
"title" : "Enforce password reset lockout",
"description" : "If enabled, users will be prevented from resetting their password after the configured number of failed attempts.",
"propertyOrder" : 201,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordTokenTTL" : {
"title" : "Token Lifetime (seconds)",
"description" : "Maximum lifetime for the token allowing forgotten password reset, in seconds.<p><p>Specify a value from <code>0</code> to <code>2147483647</code>.",
"propertyOrder" : 210,
"required" : false,
"type" : "integer"
},
"numberOfAllowedAttempts" : {
"title" : "Lock Out After number of attempts",
"description" : "Can be set to 1 or more attempts for a user to correctly answer all their security questions. After the number of configured attempts the user has not correctly answered them the password reset feature will be disabled.",
"propertyOrder" : 202,
"required" : false,
"type" : "integer"
},
"forgottenPasswordKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must answer their security questions during the forgotten password process.",
"propertyOrder" : 200,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordEmailVerificationEnabled" : {
"title" : "Email Verification",
"description" : "If enabled, users who reset passwords must perform email address verification.",
"propertyOrder" : 190,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customize the forgotten password email body text. Format is <code>locale|body text</code>.",
"propertyOrder" : 230,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenPasswordEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customize the forgotten password email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 220,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenPasswordCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during password reset to mitigate against software bots.",
"propertyOrder" : 180,
"required" : false,
"type" : "boolean"
}
}
},
"advancedConfig" : {
"type" : "object",
"title" : "Advanced Configuration",
"propertyOrder" : 5,
"properties" : {
"userRegistrationServiceConfigClass" : {
"title" : "User Registration Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 350,
"required" : false,
"type" : "string"
},
"forgottenPasswordServiceConfigClass" : {
"title" : "Forgotten Password Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 360,
"required" : false,
"type" : "string"
},
"userRegistrationConfirmationUrl" : {
"title" : "User Registration Confirmation Email URL",
"description" : "Specifies the confirmation URL that the user receives during the self-registration process. The <code>${realm}</code> string is replaced with the current realm.",
"propertyOrder" : 330,
"required" : false,
"type" : "string"
},
"forgottenPasswordConfirmationUrl" : {
"title" : "Forgotten Password Confirmation Email URL",
"description" : "Specifies the confirmation URL that the user receives after confirming their identity during the forgotten password process. The <code>${realm}</code> string is replaced with the current realm.",
"propertyOrder" : 340,
"required" : false,
"type" : "string"
},
"forgottenUsernameServiceConfigClass" : {
"title" : "Forgotten Username Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 370,
"required" : false,
"type" : "string"
}
}
},
"profileManagement" : {
"type" : "object",
"title" : "Profile Management",
"propertyOrder" : 4,
"properties" : {
"profileProtectedUserAttributes" : {
"title" : "Protected Update Attributes",
"description" : "Specifies a profile's protected user attributes, which causes re-authentication when the user attempts to modify these attributes.",
"propertyOrder" : 320,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"generalConfig" : {
"type" : "object",
"title" : "General Configuration",
"propertyOrder" : 0,
"properties" : {
"minimumAnswersToDefine" : {
"title" : "Minimum Answers to Define",
"description" : "Specifies the minimum number of KBA answers that users must define.",
"propertyOrder" : 60,
"required" : false,
"type" : "integer"
},
"captchaSecretKey" : {
"title" : "Google reCAPTCHA Secret Key",
"description" : "Google reCAPTCHA plugin secret key.",
"propertyOrder" : 30,
"required" : false,
"type" : "string"
},
"captchaSiteKey" : {
"title" : "Google reCAPTCHA Site Key",
"description" : "Google reCAPTCHA plugin site key.",
"propertyOrder" : 20,
"required" : false,
"type" : "string"
},
"minimumAnswersToVerify" : {
"title" : "Minimum Answers to Verify",
"description" : "Specifies the minimum number of KBA questions that users need to answer to be granted the privilege to carry out an action, such as registering for an account, resetting a password, or retrieving a username. Specify a value from <code>0</code> to <code>50</code>.",
"propertyOrder" : 70,
"required" : false,
"type" : "integer"
},
"validQueryAttributes" : {
"title" : "Valid Query Attributes",
"description" : "Specifies the valid query attributes used to search for the user. This is a list of attributes used to identify your account for forgotten password and forgotten username.",
"propertyOrder" : 80,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"encryptionKeyPairAlias" : {
"title" : "Encryption Key Pair Alias",
"description" : "An encryption key alias in the OpenAM server's JCEKS keystore. Used to encrypt the JWT token that OpenAM uses to track end users during User Self-Service operations.",
"propertyOrder" : 0,
"required" : true,
"type" : "string",
"exampleValue" : "selfserviceenctest"
},
"captchaVerificationUrl" : {
"title" : "Google Re-captcha Verification URL",
"description" : "Google reCAPTCHA plugin verification URL.",
"propertyOrder" : 40,
"required" : false,
"type" : "string"
},
"kbaQuestions" : {
"title" : "Security Questions",
"description" : "Specifies the default set of knowledge-based authentication (KBA) security questions. The security questions can be set for the User Self-Registration, forgotten password reset, and forgotten username services, respectively.<p><p>Format is <code>unique key|locale|question</code>.",
"propertyOrder" : 50,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"signingSecretKeyAlias" : {
"title" : "Signing Secret Key Alias",
"description" : "A signing secret key alias in the OpenAM server's JCEKS keystore. Used to sign the JWT token that OpenAM uses to track end users during User Self-Service operations.",
"propertyOrder" : 10,
"required" : true,
"type" : "string",
"exampleValue" : "selfservicesigntest"
}
}
},
"userRegistration" : {
"type" : "object",
"title" : "User Registration",
"propertyOrder" : 1,
"properties" : {
"userRegistrationValidUserAttributes" : {
"title" : "Valid Creation Attributes",
"description" : "Specifies a whitelist of user attributes that can be set during user creation.",
"propertyOrder" : 160,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegistrationEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customize the User Self-Registration verification email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 140,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegistrationEmailVerificationFirstEnabled" : {
"title" : "Verify Email before User Detail",
"description" : "If enabled, email address verification will be performed first before user details screen is displayed. This will take effect only if Verify Email is enabled.",
"propertyOrder" : 110,
"required" : false,
"type" : "boolean"
},
"userRegistrationKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must set up their security questions during the self-registration process.",
"propertyOrder" : 120,
"required" : false,
"type" : "boolean"
},
"userRegistrationCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during user self-registration to mitigate against software bots.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
},
"userRegistrationTokenTTL" : {
"title" : "Token Lifetime (seconds)",
"description" : "Maximum lifetime of the token allowing User Self-Registration, in seconds.",
"propertyOrder" : 130,
"required" : false,
"type" : "integer"
},
"userRegistrationEnabled" : {
"title" : "User Registration",
"description" : "If enabled, new users can sign up for an account.",
"propertyOrder" : 90,
"required" : true,
"type" : "boolean"
},
"userRegistrationEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customize the User Self-Registration verification email body text. Format is: <code>locale|body text</code>.",
"propertyOrder" : 150,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"userRegisteredDestination" : {
"title" : "Destination After Successful Self-Registration",
"description" : "Specifies the action to be taken after a user successfully registers a new account. Choose from:<ul><li><code>default</code>. User is sent to a success page without being logged in.</li><li><code>login</code>. User is sent to the login page to authenticate.</li><li><code>autologin</code>. User is automatically logged in and sent to the appropriate page.</li></ul>",
"propertyOrder" : 161,
"required" : true,
"type" : "string"
},
"userRegistrationEmailVerificationEnabled" : {
"title" : "Email Verification",
"description" : "If enabled, users who self-register must perform email address verification.",
"propertyOrder" : 110,
"required" : false,
"type" : "boolean"
}
}
},
"forgottenUsername" : {
"type" : "object",
"title" : "Forgotten Username",
"propertyOrder" : 3,
"properties" : {
"forgottenUsernameCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during the forgotten username retrieval process to mitigate against software bots.",
"propertyOrder" : 250,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customizes the forgotten username email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenUsernameShowUsernameEnabled" : {
"title" : "Show Username",
"description" : "If enabled, users see their forgotten username on the browser page.",
"propertyOrder" : 280,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameEnabled" : {
"title" : "Forgotten Username",
"description" : "If enabled, users can retrieve their forgotten username.",
"propertyOrder" : 240,
"required" : true,
"type" : "boolean"
},
"forgottenUsernameEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customizes the forgotten username email body text. Format is <code>locale|body text</code>.",
"propertyOrder" : 310,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenUsernameEmailUsernameEnabled" : {
"title" : "Email Username",
"description" : "If enabled, users receive their forgotten username by email.",
"propertyOrder" : 270,
"required" : false,
"type" : "boolean"
},
"forgottenUsernameTokenTTL" : {
"title" : "Token LifeTime (seconds)",
"description" : "Maximum lifetime for the token allowing forgotten username, in seconds.",
"propertyOrder" : 290,
"required" : false,
"type" : "integer"
},
"forgottenUsernameKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must answer their security questions during the forgotten username process.",
"propertyOrder" : 260,
"required" : false,
"type" : "boolean"
}
}
},
"forgottenPassword" : {
"type" : "object",
"title" : "Forgotten Password",
"propertyOrder" : 2,
"properties" : {
"forgottenPasswordEnabled" : {
"title" : "Forgotten Password",
"description" : "If enabled, users can reset their forgotten password.",
"propertyOrder" : 170,
"required" : true,
"type" : "boolean"
},
"numberOfAttemptsEnforced" : {
"title" : "Enforce password reset lockout",
"description" : "If enabled, users will be prevented from resetting their password after the configured number of failed attempts.",
"propertyOrder" : 201,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordTokenTTL" : {
"title" : "Token Lifetime (seconds)",
"description" : "Maximum lifetime for the token allowing forgotten password reset, in seconds.<p><p>Specify a value from <code>0</code> to <code>2147483647</code>.",
"propertyOrder" : 210,
"required" : false,
"type" : "integer"
},
"numberOfAllowedAttempts" : {
"title" : "Lock Out After number of attempts",
"description" : "Can be set to 1 or more attempts for a user to correctly answer all their security questions. After the number of configured attempts the user has not correctly answered them the password reset feature will be disabled.",
"propertyOrder" : 202,
"required" : false,
"type" : "integer"
},
"forgottenPasswordKbaEnabled" : {
"title" : "Security Questions",
"description" : "If enabled, users must answer their security questions during the forgotten password process.",
"propertyOrder" : 200,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordEmailVerificationEnabled" : {
"title" : "Email Verification",
"description" : "If enabled, users who reset passwords must perform email address verification.",
"propertyOrder" : 190,
"required" : false,
"type" : "boolean"
},
"forgottenPasswordEmailBody" : {
"title" : "Outgoing Email Body",
"description" : "Customize the forgotten password email body text. Format is <code>locale|body text</code>.",
"propertyOrder" : 230,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenPasswordEmailSubject" : {
"title" : "Outgoing Email Subject",
"description" : "Customize the forgotten password email subject text. Format is <code>locale|subject text</code>.",
"propertyOrder" : 220,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"forgottenPasswordCaptchaEnabled" : {
"title" : "Captcha",
"description" : "If enabled, users must pass a Google reCAPTCHA challenge during password reset to mitigate against software bots.",
"propertyOrder" : 180,
"required" : false,
"type" : "boolean"
}
}
},
"advancedConfig" : {
"type" : "object",
"title" : "Advanced Configuration",
"propertyOrder" : 5,
"properties" : {
"userRegistrationServiceConfigClass" : {
"title" : "User Registration Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 350,
"required" : false,
"type" : "string"
},
"forgottenPasswordServiceConfigClass" : {
"title" : "Forgotten Password Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 360,
"required" : false,
"type" : "string"
},
"userRegistrationConfirmationUrl" : {
"title" : "User Registration Confirmation Email URL",
"description" : "Specifies the confirmation URL that the user receives during the self-registration process. The <code>${realm}</code> string is replaced with the current realm.",
"propertyOrder" : 330,
"required" : false,
"type" : "string"
},
"forgottenPasswordConfirmationUrl" : {
"title" : "Forgotten Password Confirmation Email URL",
"description" : "Specifies the confirmation URL that the user receives after confirming their identity during the forgotten password process. The <code>${realm}</code> string is replaced with the current realm.",
"propertyOrder" : 340,
"required" : false,
"type" : "string"
},
"forgottenUsernameServiceConfigClass" : {
"title" : "Forgotten Username Service Config Provider Class",
"description" : "Specifies the provider class to configure any custom plugins.",
"propertyOrder" : 370,
"required" : false,
"type" : "string"
}
}
},
"profileManagement" : {
"type" : "object",
"title" : "Profile Management",
"propertyOrder" : 4,
"properties" : {
"profileProtectedUserAttributes" : {
"title" : "Protected Update Attributes",
"description" : "Specifies a profile's protected user attributes, which causes re-authentication when the user attempts to modify these attributes.",
"propertyOrder" : 320,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/session
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"dynamic" : {
"properties" : {
"maxIdleTime" : {
"title" : "Maximum Idle Time",
"description" : "Maximum time a stateful session can remain idle before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"maxCachingTime" : {
"title" : "Maximum Caching Time",
"description" : "Maximum time before OpenAM refreshes a session that has been cached, in minutes.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"quotaLimit" : {
"title" : "Active User Sessions",
"description" : "Maximum number of concurrent stateful sessions OpenAM allows a user to have.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"maxSessionTime" : {
"title" : "Maximum Session Time",
"description" : "Maximum time a session can remain valid before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"dynamic" : {
"properties" : {
"maxIdleTime" : {
"title" : "Maximum Idle Time",
"description" : "Maximum time a stateful session can remain idle before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"maxCachingTime" : {
"title" : "Maximum Caching Time",
"description" : "Maximum time before OpenAM refreshes a session that has been cached, in minutes.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"quotaLimit" : {
"title" : "Active User Sessions",
"description" : "Maximum number of concurrent stateful sessions OpenAM allows a user to have.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"maxSessionTime" : {
"title" : "Maximum Session Time",
"description" : "Maximum time a session can remain valid before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"dynamic" : {
"properties" : {
"maxIdleTime" : {
"title" : "Maximum Idle Time",
"description" : "Maximum time a stateful session can remain idle before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"maxCachingTime" : {
"title" : "Maximum Caching Time",
"description" : "Maximum time before OpenAM refreshes a session that has been cached, in minutes.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"quotaLimit" : {
"title" : "Active User Sessions",
"description" : "Maximum number of concurrent stateful sessions OpenAM allows a user to have.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"maxSessionTime" : {
"title" : "Maximum Session Time",
"description" : "Maximum time a session can remain valid before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"dynamic" : {
"properties" : {
"maxIdleTime" : {
"title" : "Maximum Idle Time",
"description" : "Maximum time a stateful session can remain idle before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"maxCachingTime" : {
"title" : "Maximum Caching Time",
"description" : "Maximum time before OpenAM refreshes a session that has been cached, in minutes.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
},
"quotaLimit" : {
"title" : "Active User Sessions",
"description" : "Maximum number of concurrent stateful sessions OpenAM allows a user to have.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"maxSessionTime" : {
"title" : "Maximum Session Time",
"description" : "Maximum time a session can remain valid before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/socialauthentication
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"icons" : {
"title" : "Icons",
"description" : "Either a full URL or a path relative to the base of the site/server where the image can be found. The image will be used on the login page to link to the authentication chain defined above. The key should correspond to a key used to define a Display Name above.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>/images/google-sign-in.png</td></tr></table>",
"propertyOrder" : 300,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"displayNames" : {
"title" : "Display Names",
"description" : "The display names for the implementations - this will be used to provide a name for the icon displayed on the login page. The key should be used across all the settings on this page to join them together.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>Google</td></tr></table>",
"propertyOrder" : 100,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"enabledKeys" : {
"title" : "Enabled Implementations",
"description" : "Provide a key that has been used to define the settings above to enable that set of settings.<br><br>For example: google",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationChains" : {
"title" : "Authentication Chains",
"description" : "The name of the authentication chains that are the entry points to being authenticated by each respective social authentication provider. The key should correspond to a key used to define a Display Name above.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>socialAuthChainGoogle</td></tr></table>",
"propertyOrder" : 200,
"required" : true,
"type" : "object"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"icons" : {
"title" : "Icons",
"description" : "Either a full URL or a path relative to the base of the site/server where the image can be found. The image will be used on the login page to link to the authentication chain defined above. The key should correspond to a key used to define a Display Name above.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>/images/google-sign-in.png</td></tr></table>",
"propertyOrder" : 300,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"displayNames" : {
"title" : "Display Names",
"description" : "The display names for the implementations - this will be used to provide a name for the icon displayed on the login page. The key should be used across all the settings on this page to join them together.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>Google</td></tr></table>",
"propertyOrder" : 100,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"enabledKeys" : {
"title" : "Enabled Implementations",
"description" : "Provide a key that has been used to define the settings above to enable that set of settings.<br><br>For example: google",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationChains" : {
"title" : "Authentication Chains",
"description" : "The name of the authentication chains that are the entry points to being authenticated by each respective social authentication provider. The key should correspond to a key used to define a Display Name above.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>socialAuthChainGoogle</td></tr></table>",
"propertyOrder" : 200,
"required" : true,
"type" : "object"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"icons" : {
"title" : "Icons",
"description" : "Either a full URL or a path relative to the base of the site/server where the image can be found. The image will be used on the login page to link to the authentication chain defined above. The key should correspond to a key used to define a Display Name above.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>/images/google-sign-in.png</td></tr></table>",
"propertyOrder" : 300,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"displayNames" : {
"title" : "Display Names",
"description" : "The display names for the implementations - this will be used to provide a name for the icon displayed on the login page. The key should be used across all the settings on this page to join them together.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>Google</td></tr></table>",
"propertyOrder" : 100,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"enabledKeys" : {
"title" : "Enabled Implementations",
"description" : "Provide a key that has been used to define the settings above to enable that set of settings.<br><br>For example: google",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationChains" : {
"title" : "Authentication Chains",
"description" : "The name of the authentication chains that are the entry points to being authenticated by each respective social authentication provider. The key should correspond to a key used to define a Display Name above.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>socialAuthChainGoogle</td></tr></table>",
"propertyOrder" : 200,
"required" : true,
"type" : "object"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"icons" : {
"title" : "Icons",
"description" : "Either a full URL or a path relative to the base of the site/server where the image can be found. The image will be used on the login page to link to the authentication chain defined above. The key should correspond to a key used to define a Display Name above.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>/images/google-sign-in.png</td></tr></table>",
"propertyOrder" : 300,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"displayNames" : {
"title" : "Display Names",
"description" : "The display names for the implementations - this will be used to provide a name for the icon displayed on the login page. The key should be used across all the settings on this page to join them together.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>Google</td></tr></table>",
"propertyOrder" : 100,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"enabledKeys" : {
"title" : "Enabled Implementations",
"description" : "Provide a key that has been used to define the settings above to enable that set of settings.<br><br>For example: google",
"propertyOrder" : 400,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"authenticationChains" : {
"title" : "Authentication Chains",
"description" : "The name of the authentication chains that are the entry points to being authenticated by each respective social authentication provider. The key should correspond to a key used to define a Display Name above.<br><br>For example:<table><tr><th>Key</th><th>Value</th></tr><tr><td>google</td><td>socialAuthChainGoogle</td></tr></table>",
"propertyOrder" : 200,
"required" : true,
"type" : "object"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/sts
1.0
Security Token Services configuration
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/sts/rest-sts
1.0
The REST STS endpoint is responsible for storing the configuration of instances of REST Security Token Services (STS). Available operations are create, read, update, delete, query, schema and template.
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"restStsSaml2" : {
"type" : "object",
"title" : "SAML2 Token",
"propertyOrder" : 2,
"properties" : {
"saml2-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Corresponds to the private key of the IdP. Will be used to sign assertions. Value can remain unspecified unless assertions are signed.",
"propertyOrder" : 3300,
"required" : false,
"type" : "string"
},
"saml2-custom-attribute-mapper-class-name" : {
"title" : "Custom Attribute Mapper Class Name",
"description" : "If the class implementing attribute mapping for attributes contained in the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"saml2-encryption-algorithm-strength" : {
"title" : "Encryption Algorithm Strength",
"propertyOrder" : 2850,
"required" : false,
"type" : "integer"
},
"issuer-name" : {
"title" : "The SAML2 Issuer Id",
"description" : "The name of the issuer<br><br>This name will appear in some issued tokens - e.g. in the <code>saml:Issuer</code> of issued SAML2 assertions.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"saml2-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 3000,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-encryption-algorithm" : {
"title" : "Encryption Algorithm",
"description" : "Algorithm used to encrypt generated assertions.",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"saml2-encrypt-assertion" : {
"title" : "Encrypt Assertion",
"description" : "Check this box if the entire assertion should be encrypted. If this box is checked, the Encrypt NameID and Encrypt Attributes boxes cannot be checked.",
"propertyOrder" : 2500,
"required" : false,
"type" : "boolean"
},
"saml2-sign-assertion" : {
"title" : "Sign Assertion",
"propertyOrder" : 2400,
"required" : false,
"type" : "boolean"
},
"saml2-encrypt-nameid" : {
"title" : "Encrypt NameID",
"description" : "Check this box if the assertion NameID should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 2700,
"required" : false,
"type" : "boolean"
},
"saml2-sp-acs-url" : {
"title" : "Service Provider Assertion Consumer Service Url",
"description" : "When issuing bearer assertions, the recipient attribute of the SubjectConfirmation element must be set to the Service Provider Assertion Consumer Service Url. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details. Value required when issuing Bearer assertions.",
"propertyOrder" : 1300,
"required" : false,
"type" : "string"
},
"saml2-sp-entity-id" : {
"title" : "Service Provider Entity Id",
"description" : "Values will be used to populate the Audiences of the AudienceRestriction element of the Conditions element. This value is required when issuing Bearer assertions. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"saml2-custom-authn-context-mapper-class-name" : {
"title" : "Custom Authentication Context Class Name",
"description" : "If the AuthnContext mapping implemented by the <code>org.forgerock.openam.sts.rest.token.provider.saml.DefaultSaml2JsonTokenAuthnContextMapper</code> class needs to be customized, implement the <code>org.forgerock.openam.sts.rest.token.provider.saml.Saml2JsonTokenAuthnContextMapper</code> interface, and specify the name of the implementation here.",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"saml2-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"description" : "Set to over-ride the default of 600 (10 minutes).",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"saml2-name-id-format" : {
"title" : "NameIdFormat",
"description" : "The default value is <code>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</code><br><br>See section 8.3 of <a href=\"http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf\" target=\"_blank\">Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0</a> for details on possible values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"saml2-custom-conditions-provider-class-name" : {
"title" : "Custom Conditions Provider Class Name",
"description" : "If the Conditions of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1600,
"required" : false,
"type" : "string"
},
"saml2-custom-subject-provider-class-name" : {
"title" : "Customs Subject Provider Class Name",
"description" : "If the Subject of the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.SubjectProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1700,
"required" : false,
"type" : "string"
},
"saml2-custom-authentication-statements-provider-class-name" : {
"title" : "Custom AuthenticationStatements Class Name",
"description" : "If the AuthenticationStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthenticationStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"saml2-encrypt-attributes" : {
"title" : "Encrypt Attributes",
"description" : "Check this box if the assertion Attributes should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 2600,
"required" : false,
"type" : "boolean"
},
"saml2-custom-authz-decision-statements-provider-class-name" : {
"title" : "Custom Authorization Decision Statements Class Name",
"description" : "If the AuthorizationDecisionStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthzDecisionStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"saml2-attribute-map" : {
"title" : "Attribute Mappings",
"description" : "Contains the mapping of assertion attribute names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>assertion_attr_name=ldap_attr_name</code><br><br>The DefaultAttributeMapper looks at profile attributes in configured data stores, or in Session properties. The keys will define the name of the attributes included in the Assertion Attribute statements, and the data pulled from the subject's directory entry or session state corresponding to the map value will define the value corresponding to this attribute name. The keys can have the format <code>[NameFomatURI|]SAML ATTRIBUTE NAME</code>. If the attribute value is enclosed in quotes, that quoted value will be included in the attribute without mapping. Binary attributes should be followed by ';binary'. <br>Examples: <ul><li>EmailAddress=mail</li><li>Address=postaladdress</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn</li><li>partnerID=\"staticPartnerIDValue\"</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\"</li><li>photo=photo;binary</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary</li></ul>",
"propertyOrder" : 2300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"saml2-custom-attribute-statements-provider-class-name" : {
"title" : "Custom AttributeStatements Class Name",
"description" : "If the AttributeStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string"
},
"saml2-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 3400,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-keystore-filename" : {
"title" : "KeystorePath",
"description" : "Path to keystore<br><br>Provide either the full filesystem path to a filesystem resident keystore, or a classpath-relative path to a keystore bundled in the OpenAM .war file. This keystore contains the IdP public/private keys and SP public key for signed and/or encrypted assertions. If assertions are neither signed nor encrypted, these values need not be specified.",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"saml2-encryption-key-alias" : {
"title" : "Encryption Key Alias",
"description" : "This alias corresponds to the SP's x509 Certificate identified by the SP Entity ID for this rest-sts instance. Not necessary unless assertions are to be encrypted.",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
}
}
},
"restStsOidc" : {
"type" : "object",
"title" : "OpenID Connect Token",
"propertyOrder" : 3,
"properties" : {
"oidc-client-secret" : {
"title" : "Client Secret",
"description" : "For HMAC-signed tokens, the client secret used as the HMAC key.<br><br>For HMAC-signed tokens, the KeyStore location, password, signature key alias and password configurations are not required.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-claim-map" : {
"title" : "Claim Map",
"description" : "Contains the mapping of OIDC token claim names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>claim_name=attribute_name</code><br><br>The keys in the map will be claim entries in the issued OIDC token, and the value of these claims will be the principal attribute state resulting from LDAP datastore lookup of the map values. If no values are returned from the LDAP datastore lookup of the attribute corresponding to the map value, no claim will be set in the issued OIDC token.",
"propertyOrder" : 4800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"oidc-custom-claim-mapper-class" : {
"title" : "Custom Claim Mapper Class",
"description" : "If the class implementing attribute mapping for attributes contained in issued OpenID Connect tokens needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.oidc.OpenIdConnectTokenClaimMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"oidc-issuer" : {
"title" : "The OpenID Connect Token Provider Issuer Id",
"propertyOrder" : 3450,
"required" : true,
"type" : "string"
},
"oidc-custom-authn-context-mapper-class" : {
"title" : "Custom Authn Context Mapper Class",
"description" : "If issued OIDC tokens are to contain acr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthnContextMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"oidc-custom-authn-method-references-mapper-class" : {
"title" : "Custom Authn Methods References Mapper Class",
"description" : "If issued OIDC tokens are to contain amr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthMethodReferencesMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"oidc-keystore-location" : {
"title" : "KeyStore Location",
"description" : "For RSA-signed tokens, the filesystem or classpath location of the KeyStore containing signing key entry<br><br>For RSA-signed tokens, the KeyStore location, password, signing-key alias, and signing key password must be specified. The client secret is not required for RSA-signed tokens.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"oidc-signature-key-alias" : {
"title" : "KeyStore Signing Key Alias",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"oidc-audience" : {
"title" : "Issued Tokens Audience",
"description" : "Contents will be set in the aud claim",
"propertyOrder" : 4600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidc-keystore-password" : {
"title" : "KeyStore Password",
"propertyOrder" : 3900,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 3500,
"required" : false,
"type" : "integer"
},
"oidc-signature-algorithm" : {
"title" : "Token Signature Algorithm",
"description" : "Algorithm used to sign issued OIDC tokens",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"oidc-public-key-reference-type" : {
"title" : "Public Key Reference Type",
"description" : "For tokens signed with RSA, how should corresponding public key be referenced in the issued jwt",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"oidc-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 4200,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-authorized-party" : {
"title" : "Authorized Party",
"propertyOrder" : 4700,
"required" : false,
"type" : "string"
}
}
},
"restStsGeneral" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"custom-token-transforms" : {
"title" : "Custom Token Transforms",
"description" : "If either custom token validators or providers are specified, they must also be specified in a custom rest-sts token transformation. These input or output tokens can be specified in a transformation with standard, or other custom, tokens.<br><br>The format of these token transformation definitions is the same as the standard token transformation definitions. The first field defines the input token type, the second the output token type, and the third field specifies whether the OpenAM session, produced as part of the validation of the input token type, is invalidated following the production of the output token. <br><br>Example 1:<code> MY_CUSTOM_INPUT_TOKEN|SAML2|true</code> <br>Example 1 specifies a MY_CUSTOM_INPUT_TOKEN as the input token (requires the specification of a custom token validator) SAML2 as the produced token, and that the interim OpenAM Session should be invalidated after the SAML2 token is produced. <br><br>Example 2: <code>OPENIDCONNECT|MY_CUSTOM_OUTPUT_TOKEN|true</code> <br>Example 2 specifies that an OPENIDCONNECT token should be authenticated to assert the identity of a token of type MY_CUSTOM_OUTPUT_TOKEN (requires the specification of a custom token provider) and that the interim OpenAM Session should be invalidated. <br><br>Example 3: <code>MY_CUSTOM_INPUT_TOKEN|MY_CUSTOM_OUTPUT_TOKEN|false</code> <br>Example 3 specifies that a MY_CUSTOM_INPUT_TOKEN should be transformed into a MY_CUSTOM_OUTPUT_TOKEN (requires the specification of both a custom provider and a custom validator), and that the interim OpenAM session should not be invalidated.",
"propertyOrder" : 500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"custom-token-providers" : {
"title" : "Custom Token Providers",
"description" : "If a rest-sts instance is to produce a custom token, specify the name of the custom token here, followed by '|', followed by the class name of the <code>org.forgerock.openam.sts.rest.token.provider.RestTokenProvider</code> implementation which will be invoked to produce an instance of the custom token.<br><br>Example: <code>MY_CUSTOM_OUTPUT_TOKEN|org.mycompany.tokens.MyCustomTokenProvider</code> <br>Note that MY_CUSTOM_OUTPUT_TOKEN would then be specified as the value corresponding to the token_type key in the output_token_state json object specified in rest-sts token transformation invocations.",
"propertyOrder" : 400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"custom-token-validators" : {
"title" : "Custom Token Validators",
"description" : "If validator of a custom token type is desired, specify the name of the custom token here, followed by '|', followed by the class name of the <code>org.forgerock.openam.sts.rest.token.validator.RestTokenTransformValidator</code> implementation which will be invoked to validate the custom tokens.<br><br>Example: <code>MY_CUSTOM_INPUT_TOKEN|org.mycompany.tokens.MyCustomTokenValidator</code> <br>Note that MY_CUSTOM_INPUT_TOKEN would then be specified as the value corresponding to the token_type key in the input_token_state json object specified in rest-sts token transformation invocations.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"persist-issued-tokens-in-cts" : {
"title" : "Persist Issued Tokens in Core Token Store",
"description" : "Necessary to support token validation and cancellation<br><br>Validation of STS-issued tokens will involve determining whether the token has been issued, has not expired, and has not been cancelled. Token cancellation involves removing the record of this token from the CTS. Thus CTS persistence of STS-issued tokens is required to support these features.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
},
"supported-token-transforms" : {
"title" : "Supported Token Transformations",
"description" : "Entry format:<code>input_token_type;output_token_type;{true|false}</code>, where true|false indicates whether the interim OpenAM session is invalidated following token issuance.<br><br>Example: for the transform <code>USERNAME:SAML2</code>, it is likely that the OpenAM session generated as part of validating the USERNAME token should be invalidated, and thus the config entry would be <code>USERNAME;SAML2;true</code>. If this value is false, each USERNAME->SAML2 transformation will result in a 'left-over' OpenAM session. Note that currently, any transformation which starts with an OPENAM session, e.g. <code>OPENAM;SAML2</code>, will not invalidate this OPENAM session, as it was not created as part of the token transformation.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"restStsDeployment" : {
"type" : "object",
"title" : "Deployment",
"propertyOrder" : 1,
"properties" : {
"deployment-auth-target-mappings" : {
"title" : "Authentication Target Mappings",
"description" : "Configuration of consumption of OpenAM's rest-authN. For each validated token type (other than OpenAM), the REST authN elements which will validate token instances. <br>Entry format: <code>TokenType;authIndexType;authIndexValue;context_key=context_value,context_key1=context_value1</code>. <br>The <code>context_key=context_value</code> entries are optional.<br><br>Each deployed STS is configured with the authentication targets for each input token type for each supported token transformation. For example, if the transformation OPENIDCONNECT->SAML2 is supported, the STS instance must be configured with information specifying which elements of the OpenAM restful authentication context needs to be consumed to validate the OPENIDCONNECT token. The elements of the configuration tuple are separated by '|'. <br>The first element is the input token type in the token transform: i.e. X509, OPENIDCONNECT, USERNAME, or OPENAM. The second element is the authentication target - i.e. either 'module' or 'service', and the third element is the name of the authentication module or service. The fourth (optional) element provides the STS authentication context information about the to-be-consumed authentication context. <br>When transforming OpenID Connect Id tokens, the OpenID Connect authentication module must be consumed, and thus a deployed rest-sts instance must be configured with the name of the header/cookie element where the OpenID Connect Id token will be placed. For this example, the following string would define these configurations: <code>OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token</code>. In this case, 'oidc' is the name of the OpenID Connect authentication module created to authenticate OpenID Connect tokens. <br>When transforming a X509 Certificate, the Certificate module must be consumed, and the published rest-sts instance must be configured with the name of the Certificate module (or the service containing the module), and the header name configured for the Certificate module corresponding to where the Certificate module can expect to find the to-be-validated Certificate. The following string would define these configurations: <code>X509|module|cert_module|x509_token_auth_target_header_key=client_cert</code>. In this case 'cert_module' is the name of the Certificate module, and client_cert is the header name where Certificate module has been configured to find the client's Certificate.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-offloaded-two-way-tls-header-key" : {
"title" : "Client Certificate Header Key",
"description" : "TLS-offload host certificate header key<br><br>Token transformation which take X509 Certificates as the input token require that the X509 Certificate be presented via two-way TLS, so that the TLS handshake can validate client certificate ownership. A standard means of obtaining the client certificate presented via two-way TLS is via the javax.servlet.request.X509Certificate attribute in the ServletRequest. However, in TLS-offloaded deployments, the TLS-offloader must communicate the client certificate to its ultimate destination via an Http header. If this rest-sts instance is to support token transformations with X509 Certificate input, and OpenAM will be deployed in a TLS-offloaded context, then this value must be set to the header value which the TLS-offloading engine will use to set client certificates presented via the TLS handshake.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"deployment-tls-offload-engine-hosts" : {
"title" : "Trusted Remote Hosts",
"description" : "IP addresses of TLS-Offload Hosts<br><br>Token transformation which take X509 Certificates as the input token require that the X509 Certificate be presented via two-way TLS, so that the TLS handshake can validate client certificate ownership. If OpenAM is deployed in a TLS-offloaded environment, in which the TLS-offloader must communicate the client certificate to the rest-sts via an Http header, this certificate will only be accepted if the ip address(es) of the TLS-offload engines are specified in this list. Specify 'any' if a client certificate can be presented in the specified header by any rest-sts client.",
"propertyOrder" : 1000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
/realm-config/services/sts/rest-sts/{id}
1.0
The REST STS endpoint is responsible for storing the configuration of instances of REST Security Token Services (STS). Available operations are create, read, update, delete, query, schema and template.
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"restStsSaml2" : {
"type" : "object",
"title" : "SAML2 Token",
"propertyOrder" : 2,
"properties" : {
"saml2-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Corresponds to the private key of the IdP. Will be used to sign assertions. Value can remain unspecified unless assertions are signed.",
"propertyOrder" : 3300,
"required" : false,
"type" : "string"
},
"saml2-custom-attribute-mapper-class-name" : {
"title" : "Custom Attribute Mapper Class Name",
"description" : "If the class implementing attribute mapping for attributes contained in the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"saml2-encryption-algorithm-strength" : {
"title" : "Encryption Algorithm Strength",
"propertyOrder" : 2850,
"required" : false,
"type" : "integer"
},
"issuer-name" : {
"title" : "The SAML2 Issuer Id",
"description" : "The name of the issuer<br><br>This name will appear in some issued tokens - e.g. in the <code>saml:Issuer</code> of issued SAML2 assertions.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"saml2-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 3000,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-encryption-algorithm" : {
"title" : "Encryption Algorithm",
"description" : "Algorithm used to encrypt generated assertions.",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"saml2-encrypt-assertion" : {
"title" : "Encrypt Assertion",
"description" : "Check this box if the entire assertion should be encrypted. If this box is checked, the Encrypt NameID and Encrypt Attributes boxes cannot be checked.",
"propertyOrder" : 2500,
"required" : false,
"type" : "boolean"
},
"saml2-sign-assertion" : {
"title" : "Sign Assertion",
"propertyOrder" : 2400,
"required" : false,
"type" : "boolean"
},
"saml2-encrypt-nameid" : {
"title" : "Encrypt NameID",
"description" : "Check this box if the assertion NameID should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 2700,
"required" : false,
"type" : "boolean"
},
"saml2-sp-acs-url" : {
"title" : "Service Provider Assertion Consumer Service Url",
"description" : "When issuing bearer assertions, the recipient attribute of the SubjectConfirmation element must be set to the Service Provider Assertion Consumer Service Url. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details. Value required when issuing Bearer assertions.",
"propertyOrder" : 1300,
"required" : false,
"type" : "string"
},
"saml2-sp-entity-id" : {
"title" : "Service Provider Entity Id",
"description" : "Values will be used to populate the Audiences of the AudienceRestriction element of the Conditions element. This value is required when issuing Bearer assertions. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"saml2-custom-authn-context-mapper-class-name" : {
"title" : "Custom Authentication Context Class Name",
"description" : "If the AuthnContext mapping implemented by the <code>org.forgerock.openam.sts.rest.token.provider.saml.DefaultSaml2JsonTokenAuthnContextMapper</code> class needs to be customized, implement the <code>org.forgerock.openam.sts.rest.token.provider.saml.Saml2JsonTokenAuthnContextMapper</code> interface, and specify the name of the implementation here.",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"saml2-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"description" : "Set to override the default of 600 (10 minutes).",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"saml2-name-id-format" : {
"title" : "NameIdFormat",
"description" : "The default value is <code>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</code><br><br>See section 8.3 of <a href=\"http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf\" target=\"_blank\">Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0</a> for details on possible values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"saml2-custom-conditions-provider-class-name" : {
"title" : "Custom Conditions Provider Class Name",
"description" : "If the Conditions of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1600,
"required" : false,
"type" : "string"
},
"saml2-custom-subject-provider-class-name" : {
"title" : "Custom Subject Provider Class Name",
"description" : "If the Subject of the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.SubjectProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1700,
"required" : false,
"type" : "string"
},
"saml2-custom-authentication-statements-provider-class-name" : {
"title" : "Custom AuthenticationStatements Class Name",
"description" : "If the AuthenticationStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthenticationStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"saml2-encrypt-attributes" : {
"title" : "Encrypt Attributes",
"description" : "Check this box if the assertion Attributes should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 2600,
"required" : false,
"type" : "boolean"
},
"saml2-custom-authz-decision-statements-provider-class-name" : {
"title" : "Custom Authorization Decision Statements Class Name",
"description" : "If the AuthorizationDecisionStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthzDecisionStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"saml2-attribute-map" : {
"title" : "Attribute Mappings",
"description" : "Contains the mapping of assertion attribute names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>assertion_attr_name=ldap_attr_name</code><br><br>The DefaultAttributeMapper looks at profile attributes in configured data stores, or in Session properties. The keys will define the name of the attributes included in the Assertion Attribute statements, and the data pulled from the subject's directory entry or session state corresponding to the map value will define the value corresponding to this attribute name. The keys can have the format <code>[NameFormatURI|]SAML ATTRIBUTE NAME</code>. If the attribute value is enclosed in quotes, that quoted value will be included in the attribute without mapping. Binary attributes should be followed by ';binary'. <br>Examples: <ul><li>EmailAddress=mail</li><li>Address=postaladdress</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn</li><li>partnerID=\"staticPartnerIDValue\"</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\"</li><li>photo=photo;binary</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary</li></ul>",
"propertyOrder" : 2300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"saml2-custom-attribute-statements-provider-class-name" : {
"title" : "Custom AttributeStatements Class Name",
"description" : "If the AttributeStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string"
},
"saml2-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 3400,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-keystore-filename" : {
"title" : "KeystorePath",
"description" : "Path to keystore<br><br>Provide either the full filesystem path to a filesystem resident keystore, or a classpath-relative path to a keystore bundled in the OpenAM .war file. This keystore contains the IdP public/private keys and SP public key for signed and/or encrypted assertions. If assertions are neither signed nor encrypted, these values need not be specified.",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"saml2-encryption-key-alias" : {
"title" : "Encryption Key Alias",
"description" : "This alias corresponds to the SP's x509 Certificate identified by the SP Entity ID for this rest-sts instance. Not necessary unless assertions are to be encrypted.",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
}
}
},
"restStsOidc" : {
"type" : "object",
"title" : "OpenID Connect Token",
"propertyOrder" : 3,
"properties" : {
"oidc-client-secret" : {
"title" : "Client Secret",
"description" : "For HMAC-signed tokens, the client secret used as the HMAC key.<br><br>For HMAC-signed tokens, the KeyStore location, password, signature key alias and password configurations are not required.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-claim-map" : {
"title" : "Claim Map",
"description" : "Contains the mapping of OIDC token claim names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>claim_name=attribute_name</code><br><br>The keys in the map will be claim entries in the issued OIDC token, and the value of these claims will be the principal attribute state resulting from LDAP datastore lookup of the map values. If no values are returned from the LDAP datastore lookup of the attribute corresponding to the map value, no claim will be set in the issued OIDC token.",
"propertyOrder" : 4800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"oidc-custom-claim-mapper-class" : {
"title" : "Custom Claim Mapper Class",
"description" : "If the class implementing attribute mapping for attributes contained in issued OpenID Connect tokens needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.oidc.OpenIdConnectTokenClaimMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"oidc-issuer" : {
"title" : "The OpenID Connect Token Provider Issuer Id",
"propertyOrder" : 3450,
"required" : true,
"type" : "string"
},
"oidc-custom-authn-context-mapper-class" : {
"title" : "Custom Authn Context Mapper Class",
"description" : "If issued OIDC tokens are to contain acr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthnContextMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"oidc-custom-authn-method-references-mapper-class" : {
"title" : "Custom Authn Methods References Mapper Class",
"description" : "If issued OIDC tokens are to contain amr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthMethodReferencesMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"oidc-keystore-location" : {
"title" : "KeyStore Location",
"description" : "For RSA-signed tokens, the filesystem or classpath location of the KeyStore containing signing key entry<br><br>For RSA-signed tokens, the KeyStore location, password, signing-key alias, and signing key password must be specified. The client secret is not required for RSA-signed tokens.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"oidc-signature-key-alias" : {
"title" : "KeyStore Signing Key Alias",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"oidc-audience" : {
"title" : "Issued Tokens Audience",
"description" : "Contents will be set in the aud claim",
"propertyOrder" : 4600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidc-keystore-password" : {
"title" : "KeyStore Password",
"propertyOrder" : 3900,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 3500,
"required" : false,
"type" : "integer"
},
"oidc-signature-algorithm" : {
"title" : "Token Signature Algorithm",
"description" : "Algorithm used to sign issued OIDC tokens",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"oidc-public-key-reference-type" : {
"title" : "Public Key Reference Type",
"description" : "For tokens signed with RSA, how the corresponding public key should be referenced in the issued JWT.",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"oidc-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 4200,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-authorized-party" : {
"title" : "Authorized Party",
"propertyOrder" : 4700,
"required" : false,
"type" : "string"
}
}
},
"restStsGeneral" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"custom-token-transforms" : {
"title" : "Custom Token Transforms",
"description" : "If either custom token validators or providers are specified, they must also be specified in a custom rest-sts token transformation. These input or output tokens can be specified in a transformation with standard, or other custom, tokens.<br><br>The format of these token transformation definitions is the same as the standard token transformation definitions. The first field defines the input token type, the second the output token type, and the third field specifies whether the OpenAM session, produced as part of the validation of the input token type, is invalidated following the production of the output token. <br><br>Example 1: <code>MY_CUSTOM_INPUT_TOKEN|SAML2|true</code> <br>Example 1 specifies MY_CUSTOM_INPUT_TOKEN as the input token (requires the specification of a custom token validator), SAML2 as the produced token, and that the interim OpenAM session should be invalidated after the SAML2 token is produced. <br><br>Example 2: <code>OPENIDCONNECT|MY_CUSTOM_OUTPUT_TOKEN|true</code> <br>Example 2 specifies that an OPENIDCONNECT input token should be validated, that the identity it asserts should be used to produce a token of type MY_CUSTOM_OUTPUT_TOKEN (requires the specification of a custom token provider), and that the interim OpenAM session should be invalidated. <br><br>Example 3: <code>MY_CUSTOM_INPUT_TOKEN|MY_CUSTOM_OUTPUT_TOKEN|false</code> <br>Example 3 specifies that a MY_CUSTOM_INPUT_TOKEN should be transformed into a MY_CUSTOM_OUTPUT_TOKEN (requires the specification of both a custom validator and a custom provider), and that the interim OpenAM session should not be invalidated.",
"propertyOrder" : 500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"custom-token-providers" : {
"title" : "Custom Token Providers",
"description" : "If a rest-sts instance is to produce a custom token, specify the name of the custom token here, followed by '|', followed by the class name of the <code>org.forgerock.openam.sts.rest.token.provider.RestTokenProvider</code> implementation which will be invoked to produce an instance of the custom token.<br><br>Example: <code>MY_CUSTOM_OUTPUT_TOKEN|org.mycompany.tokens.MyCustomTokenProvider</code> <br>Note that MY_CUSTOM_OUTPUT_TOKEN would then be specified as the value corresponding to the token_type key in the output_token_state json object specified in rest-sts token transformation invocations.",
"propertyOrder" : 400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"custom-token-validators" : {
"title" : "Custom Token Validators",
"description" : "If validation of a custom token type is required, specify the name of the custom token here, followed by '|', followed by the class name of the <code>org.forgerock.openam.sts.rest.token.validator.RestTokenTransformValidator</code> implementation which will be invoked to validate the custom tokens.<br><br>Example: <code>MY_CUSTOM_INPUT_TOKEN|org.mycompany.tokens.MyCustomTokenValidator</code> <br>Note that MY_CUSTOM_INPUT_TOKEN would then be specified as the value corresponding to the token_type key in the input_token_state json object specified in rest-sts token transformation invocations.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"persist-issued-tokens-in-cts" : {
"title" : "Persist Issued Tokens in Core Token Store",
"description" : "Necessary to support token validation and cancellation<br><br>Validation of STS-issued tokens will involve determining whether the token has been issued, has not expired, and has not been cancelled. Token cancellation involves removing the record of this token from the CTS. Thus CTS persistence of STS-issued tokens is required to support these features.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
},
"supported-token-transforms" : {
"title" : "Supported Token Transformations",
"description" : "Entry format: <code>input_token_type;output_token_type;{true|false}</code>, where true|false indicates whether the interim OpenAM session is invalidated following token issuance.<br><br>Example: for the transform USERNAME->SAML2, it is likely that the OpenAM session generated as part of validating the USERNAME token should be invalidated, and thus the config entry would be <code>USERNAME;SAML2;true</code>. If this value is false, each USERNAME->SAML2 transformation will leave behind a 'left-over' OpenAM session. Note that currently, any transformation which starts with an OPENAM session, e.g. <code>OPENAM;SAML2</code>, will not invalidate this OPENAM session, as it was not created as part of the token transformation.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"restStsDeployment" : {
"type" : "object",
"title" : "Deployment",
"propertyOrder" : 1,
"properties" : {
"deployment-auth-target-mappings" : {
"title" : "Authentication Target Mappings",
"description" : "Configuration of consumption of OpenAM's REST authN: for each validated input token type (other than OPENAM), the REST authN elements which will validate token instances. <br>Entry format: <code>TokenType|authIndexType|authIndexValue|context_key=context_value,context_key1=context_value1</code>. <br>The <code>context_key=context_value</code> entries are optional.<br><br>Each deployed STS is configured with the authentication target for the input token type of each supported token transformation. For example, if the transformation OPENIDCONNECT->SAML2 is supported, the STS instance must be configured with information specifying which elements of the OpenAM RESTful authentication context need to be consumed to validate the OPENIDCONNECT token. The elements of the configuration tuple are separated by '|'. <br>The first element is the input token type in the token transform, i.e. X509, OPENIDCONNECT, USERNAME, or OPENAM. The second element is the authentication target, i.e. either 'module' or 'service', and the third element is the name of the authentication module or service. The fourth (optional) element provides the STS with context information about the authentication target it is to consume, such as the header in which that target expects the token. <br>When transforming OpenID Connect ID tokens, the OpenID Connect authentication module must be consumed, and thus a deployed rest-sts instance must be configured with the name of the header/cookie element where the OpenID Connect ID token will be placed. For this example, the following string would define these configurations: <code>OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token</code>. In this case, 'oidc' is the name of the OpenID Connect authentication module created to authenticate OpenID Connect tokens. <br>When transforming an X509 Certificate, the Certificate module must be consumed, and the published rest-sts instance must be configured with the name of the Certificate module (or the service containing the module), and the header name configured for the Certificate module, i.e. where the Certificate module expects to find the to-be-validated Certificate. The following string would define these configurations: <code>X509|module|cert_module|x509_token_auth_target_header_key=client_cert</code>. In this case 'cert_module' is the name of the Certificate module, and client_cert is the header name where the Certificate module has been configured to find the client's Certificate.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-offloaded-two-way-tls-header-key" : {
"title" : "Client Certificate Header Key",
"description" : "TLS-offload host certificate header key<br><br>Token transformations which take X509 Certificates as the input token require that the X509 Certificate be presented via two-way TLS, so that the TLS handshake can validate client certificate ownership. A standard means of obtaining the client certificate presented via two-way TLS is via the javax.servlet.request.X509Certificate attribute in the ServletRequest. However, in TLS-offloaded deployments, the TLS-offloader must communicate the client certificate to its ultimate destination via an HTTP header. If this rest-sts instance is to support token transformations with X509 Certificate input, and OpenAM will be deployed in a TLS-offloaded context, then this value must be set to the header name which the TLS-offloading engine will use to pass on client certificates presented during the TLS handshake.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"deployment-tls-offload-engine-hosts" : {
"title" : "Trusted Remote Hosts",
"description" : "IP addresses of TLS-Offload Hosts<br><br>Token transformations which take X509 Certificates as the input token require that the X509 Certificate be presented via two-way TLS, so that the TLS handshake can validate client certificate ownership. If OpenAM is deployed in a TLS-offloaded environment, in which the TLS-offloader must communicate the client certificate to the rest-sts via an HTTP header, this certificate will only be accepted if the IP address(es) of the TLS-offload engines are specified in this list. Specify 'any' if a client certificate can be presented in the specified header by any rest-sts client. Note that with 'any', every client able to reach the rest-sts can assert an arbitrary certificate in that header without having proved possession of its private key in a TLS handshake, so 'any' is only appropriate when the rest-sts is reachable solely through the TLS-offload engine.",
"propertyOrder" : 1000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
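The following is a consistency check over a request body for this endpoint, added here as an example; it is not OpenAM code and does not reproduce the server's own validation. It parses the string-encoded entries described in the schema above (supported and custom token transforms, custom validators and providers, authentication target mappings) and cross-checks them against each other and against the SAML2 and TLS-offload settings: a custom token name needs a matching validator or provider, every standard input type other than OPENAM needs an authentication target mapping, a transform that leaves the interim OpenAM session alive is flagged, 'any' in the trusted hosts list is flagged, and issuing SAML2 assertions that are neither signed nor encrypted is flagged. The sample body is constructed; its module, service, host and SP names are assumptions.

```python
import re

STANDARD_TOKENS = {"USERNAME", "OPENAM", "OPENIDCONNECT", "X509", "SAML2"}


def parse_transform(entry):
    """'USERNAME;SAML2;true' or 'MY_IN|SAML2|true' -> (input type, output type, invalidate session)."""
    parts = re.split(r"[;|]", entry)  # the schema shows both separators, so accept either
    if len(parts) != 3 or parts[2] not in ("true", "false"):
        raise ValueError(f"bad token transform entry: {entry!r}")
    return parts[0], parts[1], parts[2] == "true"


def parse_auth_target(entry):
    """'X509|module|cert_module|k=v,k2=v2' -> (token type, index type, index value, context dict)."""
    parts = entry.split("|")
    if len(parts) not in (3, 4) or parts[1] not in ("module", "service"):
        raise ValueError(f"bad authentication target mapping: {entry!r}")
    context = {}
    for kv in (parts[3].split(",") if len(parts) == 4 and parts[3] else []):
        key, sep, value = kv.partition("=")
        if not key or not sep:
            raise ValueError(f"bad context entry {kv!r} in {entry!r}")
        context[key] = value
    return parts[0], parts[1], parts[2], context


def lint(config):
    """Cross-check the sections of a rest-sts request body; returns a list of findings."""
    findings = []
    general, deployment = config["restStsGeneral"], config["restStsDeployment"]
    saml2 = config.get("restStsSaml2", {})
    # Custom validator/provider entries are 'TOKEN_NAME|class.name'; only the token name matters here.
    validators = {e.partition("|")[0] for e in general.get("custom-token-validators", [])}
    providers = {e.partition("|")[0] for e in general.get("custom-token-providers", [])}
    targets = {}
    for entry in deployment.get("deployment-auth-target-mappings", []):
        token, _, _, context = parse_auth_target(entry)
        targets[token] = context
    transforms = [parse_transform(e) for e in general.get("supported-token-transforms", [])
                  + general.get("custom-token-transforms", [])]
    for inp, out, invalidate in transforms:
        if inp not in STANDARD_TOKENS and inp not in validators:
            findings.append(f"{inp}->{out}: custom input token {inp} has no custom token validator")
        if out not in STANDARD_TOKENS and out not in providers:
            findings.append(f"{inp}->{out}: custom output token {out} has no custom token provider")
        # Standard input types other than OPENAM are validated through OpenAM REST authN.
        if inp in STANDARD_TOKENS and inp != "OPENAM" and inp not in targets:
            findings.append(f"{inp}->{out}: no authentication target mapping for input token {inp}")
        if inp != "OPENAM" and not invalidate:
            findings.append(f"{inp}->{out}: interim OpenAM session is not invalidated (left-over session)")
    if "X509" in targets:
        header = deployment.get("deployment-offloaded-two-way-tls-header-key")
        hosts = deployment.get("deployment-tls-offload-engine-hosts", [])
        if header and not hosts:
            findings.append("client certificate header is set but no trusted TLS-offload hosts are listed")
        if "any" in hosts:
            findings.append("trusted hosts contains 'any': every client may assert a certificate via the header")
    if any(out == "SAML2" for _, out, _ in transforms):
        if not saml2.get("saml2-sign-assertion") and not saml2.get("saml2-encrypt-assertion"):
            findings.append("SAML2 assertions are issued neither signed nor encrypted")
        if saml2.get("saml2-sign-assertion") and not saml2.get("saml2-signature-key-alias"):
            findings.append("Sign Assertion is set but no signature key alias is configured")
        if saml2.get("saml2-encrypt-assertion") and (
                saml2.get("saml2-encrypt-nameid") or saml2.get("saml2-encrypt-attributes")):
            findings.append("Encrypt Assertion cannot be combined with Encrypt NameID or Encrypt Attributes")
    return findings


# Constructed example request body (not from the page); module, service, host and SP names are assumptions.
EXAMPLE_CONFIG = {
    "restStsGeneral": {
        "supported-token-transforms": ["USERNAME;SAML2;true", "X509;SAML2;true", "OPENAM;SAML2;false"],
        "custom-token-validators": ["MY_CUSTOM_INPUT_TOKEN|org.mycompany.tokens.MyCustomTokenValidator"],
        "custom-token-transforms": ["MY_CUSTOM_INPUT_TOKEN|SAML2|true"],
        "persist-issued-tokens-in-cts": True,
    },
    "restStsDeployment": {
        "deployment-auth-target-mappings": [
            "USERNAME|service|ldapService",
            "X509|module|cert_module|x509_token_auth_target_header_key=client_cert",
        ],
        "deployment-offloaded-two-way-tls-header-key": "client_cert",
        "deployment-tls-offload-engine-hosts": ["10.0.0.5"],
    },
    "restStsSaml2": {
        "issuer-name": "https://openam.example.com/openam",
        "saml2-sp-entity-id": "https://sp.example.com",
        "saml2-name-id-format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "saml2-sign-assertion": True,
        "saml2-keystore-filename": "/etc/openam/rest-sts.jks",
        "saml2-signature-key-alias": "idp-signing",
    },
}
```

Run `lint()` on the body before sending it; an empty list means the sections agree with each other, and each finding names the transform or setting to fix. The check is deliberately conservative about the TLS-offload list: an 'any' entry is reported even when the header key is set, because it turns the header into an unauthenticated assertion of client identity.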
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"restStsSaml2" : {
"type" : "object",
"title" : "SAML2 Token",
"propertyOrder" : 2,
"properties" : {
"saml2-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Corresponds to the private key of the IdP. Will be used to sign assertions. Value can remain unspecified unless assertions are signed.",
"propertyOrder" : 3300,
"required" : false,
"type" : "string"
},
"saml2-custom-attribute-mapper-class-name" : {
"title" : "Custom Attribute Mapper Class Name",
"description" : "If the class implementing attribute mapping for attributes contained in the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"saml2-encryption-algorithm-strength" : {
"title" : "Encryption Algorithm Strength",
"propertyOrder" : 2850,
"required" : false,
"type" : "integer"
},
"issuer-name" : {
"title" : "The SAML2 Issuer Id",
"description" : "The name of the issuer<br><br>This name will appear in some issued tokens - e.g. in the <code>saml:Issuer</code> of issued SAML2 assertions.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"saml2-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 3000,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-encryption-algorithm" : {
"title" : "Encryption Algorithm",
"description" : "Algorithm used to encrypt generated assertions.",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"saml2-encrypt-assertion" : {
"title" : "Encrypt Assertion",
"description" : "Check this box if the entire assertion should be encrypted. If this box is checked, the Encrypt NameID and Encrypt Attributes boxes cannot be checked.",
"propertyOrder" : 2500,
"required" : false,
"type" : "boolean"
},
"saml2-sign-assertion" : {
"title" : "Sign Assertion",
"propertyOrder" : 2400,
"required" : false,
"type" : "boolean"
},
"saml2-encrypt-nameid" : {
"title" : "Encrypt NameID",
"description" : "Check this box if the assertion NameID should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 2700,
"required" : false,
"type" : "boolean"
},
"saml2-sp-acs-url" : {
"title" : "Service Provider Assertion Consumer Service Url",
"description" : "When issuing bearer assertions, the recipient attribute of the SubjectConfirmation element must be set to the Service Provider Assertion Consumer Service Url. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details. Value required when issuing Bearer assertions.",
"propertyOrder" : 1300,
"required" : false,
"type" : "string"
},
"saml2-sp-entity-id" : {
"title" : "Service Provider Entity Id",
"description" : "Values will be used to populate the Audiences of the AudienceRestriction element of the Conditions element. This value is required when issuing Bearer assertions. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"saml2-custom-authn-context-mapper-class-name" : {
"title" : "Custom Authentication Context Class Name",
"description" : "If the AuthnContext mapping implemented by the <code>org.forgerock.openam.sts.rest.token.provider.saml.DefaultSaml2JsonTokenAuthnContextMapper</code> class needs to be customized, implement the <code>org.forgerock.openam.sts.rest.token.provider.saml.Saml2JsonTokenAuthnContextMapper</code> interface, and specify the name of the implementation here.",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"saml2-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"description" : "Set to override the default of 600 (10 minutes).",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"saml2-name-id-format" : {
"title" : "NameIdFormat",
"description" : "The default value is <code>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</code><br><br>See section 8.3 of <a href=\"http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf\" target=\"_blank\">Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0</a> for details on possible values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"saml2-custom-conditions-provider-class-name" : {
"title" : "Custom Conditions Provider Class Name",
"description" : "If the Conditions of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1600,
"required" : false,
"type" : "string"
},
"saml2-custom-subject-provider-class-name" : {
"title" : "Custom Subject Provider Class Name",
"description" : "If the Subject of the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.SubjectProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1700,
"required" : false,
"type" : "string"
},
"saml2-custom-authentication-statements-provider-class-name" : {
"title" : "Custom AuthenticationStatements Class Name",
"description" : "If the AuthenticationStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthenticationStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"saml2-encrypt-attributes" : {
"title" : "Encrypt Attributes",
"description" : "Check this box if the assertion Attributes should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 2600,
"required" : false,
"type" : "boolean"
},
"saml2-custom-authz-decision-statements-provider-class-name" : {
"title" : "Custom Authorization Decision Statements Class Name",
"description" : "If the AuthorizationDecisionStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthzDecisionStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"saml2-attribute-map" : {
"title" : "Attribute Mappings",
"description" : "Contains the mapping of assertion attribute names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>assertion_attr_name=ldap_attr_name</code><br><br>The DefaultAttributeMapper looks at profile attributes in configured data stores, or in Session properties. The keys will define the name of the attributes included in the Assertion Attribute statements, and the data pulled from the subject's directory entry or session state corresponding to the map value will define the value corresponding to this attribute name. The keys can have the format <code>[NameFormatURI|]SAML ATTRIBUTE NAME</code>. If the attribute value is enclosed in quotes, that quoted value will be included in the attribute without mapping. Binary attributes should be followed by ';binary'. <br>Examples: <ul><li>EmailAddress=mail</li><li>Address=postaladdress</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn</li><li>partnerID=\"staticPartnerIDValue\"</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\"</li><li>photo=photo;binary</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary</li></ul>",
"propertyOrder" : 2300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"saml2-custom-attribute-statements-provider-class-name" : {
"title" : "Custom AttributeStatements Class Name",
"description" : "If the AttributeStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string"
},
"saml2-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 3400,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-keystore-filename" : {
"title" : "KeystorePath",
"description" : "Path to keystore<br><br>Provide either the full filesystem path to a filesystem resident keystore, or a classpath-relative path to a keystore bundled in the OpenAM .war file. This keystore contains the IdP public/private keys and SP public key for signed and/or encrypted assertions. If assertions are neither signed nor encrypted, these values need not be specified.",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"saml2-encryption-key-alias" : {
"title" : "Encryption Key Alias",
"description" : "This alias corresponds to the SP's x509 Certificate identified by the SP Entity ID for this rest-sts instance. Not necessary unless assertions are to be encrypted.",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
}
}
},
"restStsOidc" : {
"type" : "object",
"title" : "OpenID Connect Token",
"propertyOrder" : 3,
"properties" : {
"oidc-client-secret" : {
"title" : "Client Secret",
"description" : "For HMAC-signed tokens, the client secret used as the HMAC key.<br><br>For HMAC-signed tokens, the KeyStore location, password, signature key alias and password configurations are not required.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-claim-map" : {
"title" : "Claim Map",
"description" : "Contains the mapping of OIDC token claim names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>claim_name=attribute_name</code><br><br>The keys in the map will be claim entries in the issued OIDC token, and the value of these claims will be the principal attribute state resulting from LDAP datastore lookup of the map values. If no values are returned from the LDAP datastore lookup of the attribute corresponding to the map value, no claim will be set in the issued OIDC token.",
"propertyOrder" : 4800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"oidc-custom-claim-mapper-class" : {
"title" : "Custom Claim Mapper Class",
"description" : "If the class implementing attribute mapping for attributes contained in issued OpenID Connect tokens needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.oidc.OpenIdConnectTokenClaimMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"oidc-issuer" : {
"title" : "The OpenID Connect Token Provider Issuer Id",
"propertyOrder" : 3450,
"required" : true,
"type" : "string"
},
"oidc-custom-authn-context-mapper-class" : {
"title" : "Custom Authn Context Mapper Class",
"description" : "If issued OIDC tokens are to contain acr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthnContextMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"oidc-custom-authn-method-references-mapper-class" : {
"title" : "Custom Authn Methods References Mapper Class",
"description" : "If issued OIDC tokens are to contain amr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthMethodReferencesMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"oidc-keystore-location" : {
"title" : "KeyStore Location",
"description" : "For RSA-signed tokens, the filesystem or classpath location of the KeyStore containing signing key entry<br><br>For RSA-signed tokens, the KeyStore location, password, signing-key alias, and signing key password must be specified. The client secret is not required for RSA-signed tokens.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"oidc-signature-key-alias" : {
"title" : "KeyStore Signing Key Alias",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"oidc-audience" : {
"title" : "Issued Tokens Audience",
"description" : "Contents will be set in the aud claim",
"propertyOrder" : 4600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidc-keystore-password" : {
"title" : "KeyStore Password",
"propertyOrder" : 3900,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 3500,
"required" : false,
"type" : "integer"
},
"oidc-signature-algorithm" : {
"title" : "Token Signature Algorithm",
"description" : "Algorithm used to sign issued OIDC tokens",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"oidc-public-key-reference-type" : {
"title" : "Public Key Reference Type",
"description" : "For tokens signed with RSA, how the corresponding public key should be referenced in the issued JWT.",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"oidc-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 4200,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-authorized-party" : {
"title" : "Authorized Party",
"propertyOrder" : 4700,
"required" : false,
"type" : "string"
}
}
},
"restStsGeneral" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"custom-token-transforms" : {
"title" : "Custom Token Transforms",
"description" : "If either custom token validators or providers are specified, they must also be specified in a custom rest-sts token transformation. These input or output tokens can be specified in a transformation with standard, or other custom, tokens.<br><br>The format of these token transformation definitions is the same as the standard token transformation definitions, with the fields separated by '|' as in the examples below. The first field defines the input token type, the second the output token type, and the third field specifies whether the OpenAM session, produced as part of the validation of the input token type, is invalidated following the production of the output token. <br><br>Example 1: <code>MY_CUSTOM_INPUT_TOKEN|SAML2|true</code> <br>Example 1 specifies MY_CUSTOM_INPUT_TOKEN as the input token (requires the specification of a custom token validator), SAML2 as the produced token, and that the interim OpenAM session should be invalidated after the SAML2 token is produced. <br><br>Example 2: <code>OPENIDCONNECT|MY_CUSTOM_OUTPUT_TOKEN|true</code> <br>Example 2 specifies that an OPENIDCONNECT token should be validated to assert the identity carried by a produced token of type MY_CUSTOM_OUTPUT_TOKEN (requires the specification of a custom token provider), and that the interim OpenAM session should be invalidated. <br><br>Example 3: <code>MY_CUSTOM_INPUT_TOKEN|MY_CUSTOM_OUTPUT_TOKEN|false</code> <br>Example 3 specifies that a MY_CUSTOM_INPUT_TOKEN should be transformed into a MY_CUSTOM_OUTPUT_TOKEN (requires the specification of both a custom provider and a custom validator), and that the interim OpenAM session should not be invalidated.",
"propertyOrder" : 500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"custom-token-providers" : {
"title" : "Custom Token Providers",
"description" : "If a rest-sts instance is to produce a custom token, specify the name of the custom token here, followed by '|', followed by the class name of the <code>org.forgerock.openam.sts.rest.token.provider.RestTokenProvider</code> implementation which will be invoked to produce an instance of the custom token.<br><br>Example: <code>MY_CUSTOM_OUTPUT_TOKEN|org.mycompany.tokens.MyCustomTokenProvider</code> <br>Note that MY_CUSTOM_OUTPUT_TOKEN would then be specified as the value corresponding to the token_type key in the output_token_state json object specified in rest-sts token transformation invocations.",
"propertyOrder" : 400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"custom-token-validators" : {
"title" : "Custom Token Validators",
"description" : "If validation of a custom token type is desired, specify the name of the custom token here, followed by '|', followed by the class name of the <code>org.forgerock.openam.sts.rest.token.validator.RestTokenTransformValidator</code> implementation which will be invoked to validate tokens of that type.<br><br>Example: <code>MY_CUSTOM_INPUT_TOKEN|org.mycompany.tokens.MyCustomTokenValidator</code> <br>Note that MY_CUSTOM_INPUT_TOKEN would then be specified as the value corresponding to the token_type key in the input_token_state json object specified in rest-sts token transformation invocations.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"persist-issued-tokens-in-cts" : {
"title" : "Persist Issued Tokens in Core Token Store",
"description" : "Necessary to support token validation and cancellation<br><br>Validation of STS-issued tokens will involve determining whether the token has been issued, has not expired, and has not been cancelled. Token cancellation involves removing the record of this token from the CTS. Thus CTS persistence of STS-issued tokens is required to support these features.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
},
"supported-token-transforms" : {
"title" : "Supported Token Transformations",
"description" : "Entry format: <code>input_token_type;output_token_type;{true|false}</code>, where true|false indicates whether the interim OpenAM session is invalidated following token issuance.<br><br>Example: for the transform USERNAME->SAML2, the OpenAM session generated as part of validating the USERNAME token should normally be invalidated, so the config entry would be <code>USERNAME;SAML2;true</code>. If this value is false, each USERNAME->SAML2 transformation leaves behind a 'left-over' OpenAM session. Note that currently, any transformation which starts with an OPENAM session, e.g. <code>OPENAM;SAML2</code>, will not invalidate this OPENAM session, as it was not created as part of the token transformation.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"restStsDeployment" : {
"type" : "object",
"title" : "Deployment",
"propertyOrder" : 1,
"properties" : {
"deployment-auth-target-mappings" : {
"title" : "Authentication Target Mappings",
"description" : "Configures how this rest-sts instance consumes OpenAM's REST authentication (rest-authN): for each validated input token type (other than OPENAM), the REST authN module or service that validates instances of that token. <br>Entry format: <code>TokenType|authIndexType|authIndexValue|context_key=context_value,context_key1=context_value1</code>. <br>The <code>context_key=context_value</code> entries are optional.<br><br>Each deployed STS is configured with an authentication target for the input token type of each supported token transformation. For example, if the transformation OPENIDCONNECT->SAML2 is supported, the STS instance must be configured with information specifying which elements of the OpenAM RESTful authentication context are to be consumed to validate the OPENIDCONNECT token. The elements of the configuration tuple are separated by '|'. <br>The first element is the input token type in the token transform: X509, OPENIDCONNECT, USERNAME, or OPENAM. The second element is the authentication target type, either 'module' or 'service', and the third element is the name of the authentication module or service. The fourth (optional) element provides the STS with context information about the authentication target to be consumed. <br>When transforming OpenID Connect ID tokens, the OpenID Connect authentication module must be consumed, and thus a deployed rest-sts instance must be configured with the name of the header/cookie element in which the OpenID Connect ID token will be placed. For this example, the following string defines this configuration: <code>OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token</code>. Here 'oidc' is the name of the OpenID Connect authentication module created to authenticate OpenID Connect tokens. <br>When transforming an X509 Certificate, the Certificate module must be consumed, and the published rest-sts instance must be configured with the name of the Certificate module (or the service containing the module), and the header name configured for the Certificate module, that is, where the Certificate module expects to find the certificate to be validated. The following string defines this configuration: <code>X509|module|cert_module|x509_token_auth_target_header_key=client_cert</code>. Here 'cert_module' is the name of the Certificate module, and client_cert is the header name where the Certificate module has been configured to find the client's certificate.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-offloaded-two-way-tls-header-key" : {
"title" : "Client Certificate Header Key",
"description" : "TLS-offload host certificate header key<br><br>Token transformations which take X509 Certificates as the input token require that the certificate be presented via two-way (mutual) TLS, so that the TLS handshake proves the client holds the corresponding private key. The standard means of obtaining a client certificate presented via two-way TLS is the javax.servlet.request.X509Certificate attribute of the ServletRequest. In TLS-offloaded deployments, however, the TLS-offloader must forward the client certificate to its ultimate destination in an HTTP header. If this rest-sts instance is to support token transformations with X509 Certificate input, and OpenAM is deployed behind a TLS-offloader, set this value to the name of the header in which the TLS-offloading engine places the client certificate presented in the TLS handshake. Because a certificate arriving in a header has not been proven by a handshake that OpenAM itself performed, the header is accepted only from the hosts listed under Trusted Remote Hosts.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"deployment-tls-offload-engine-hosts" : {
"title" : "Trusted Remote Hosts",
"description" : "IP addresses of TLS-Offload Hosts<br><br>Token transformations which take X509 Certificates as the input token require that the certificate be presented via two-way TLS, so that the TLS handshake can validate client certificate ownership. If OpenAM is deployed in a TLS-offloaded environment, in which the TLS-offloader must communicate the client certificate to the rest-sts via an HTTP header, a certificate carried in that header is accepted only if the IP address of the TLS-offload engine that sent it is in this list. Specify 'any' if a client certificate may be presented in the specified header by any rest-sts client. Note that 'any' lets every caller able to reach the rest-sts assert an arbitrary certificate without having completed a TLS handshake with it, so it is only appropriate where the rest-sts is reachable exclusively through the offload engine.",
"propertyOrder" : 1000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
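The General and Deployment sections above define entries that have to agree with one another: a custom validator or provider must be referenced from a custom transform and every custom token named in a transform must be registered; each non-OPENAM standard input type of a transform needs an authentication target, and OPENIDCONNECT and X509 targets also need their header-name context key; a 'false' invalidation flag leaves an interim session behind per transformation; and X509 input behind a TLS offloader needs the certificate header key plus a trusted-host list, where 'any' disables the proof of possession the TLS handshake would otherwise give. The following Python is an added example, not OpenAM code, that parses those entries with the separators shown in the page's own examples (';' for supported transforms, '|' elsewhere) and reports the inconsistencies. SAMPLE_CONFIG is constructed with one defect per check; the service name ldapService is invented, while oidc and cert_module are the module names used on this page.

```python
"""Consistency checks for the General and Deployment sections of a rest-sts
instance configuration. Added example, not OpenAM code; SAMPLE_CONFIG is constructed."""
from collections import namedtuple
from typing import Dict, List, Tuple

# Standard inputs are validated through OpenAM rest-authN and need an auth-target
# mapping, except OPENAM: an existing session token is not re-authenticated.
STANDARD_INPUT_TYPES = {"USERNAME", "X509", "OPENIDCONNECT", "OPENAM"}
STANDARD_OUTPUT_TYPES = {"SAML2", "OPENIDCONNECT"}
# Context keys the page names for tokens the auth module reads from a header.
REQUIRED_CONTEXT_KEY = {"OPENIDCONNECT": "oidc_id_token_auth_target_header_key",
                        "X509": "x509_token_auth_target_header_key"}
Transform = namedtuple("Transform", "input_type output_type invalidate_session")


def parse_transform(entry: str, sep: str) -> Transform:
    """'in<sep>out<sep>{true|false}': ';' for supported-, '|' for custom-token-transforms."""
    parts = entry.split(sep)
    if len(parts) != 3 or parts[2].lower() not in ("true", "false"):
        raise ValueError(f"malformed transform entry: {entry!r}")
    return Transform(parts[0], parts[1], parts[2].lower() == "true")


def parse_custom_registration(entry: str) -> Tuple[str, str]:
    """'TOKEN_NAME|fully.qualified.ClassName' for custom validators and providers."""
    name, sep, cls = entry.partition("|")
    if not (sep and name and cls):
        raise ValueError(f"malformed custom token entry: {entry!r}")
    return name, cls


def parse_auth_target(entry: str) -> Tuple[str, str, str, Dict[str, str]]:
    """'TokenType|module-or-service|name[|k=v,k2=v2]'."""
    parts = entry.split("|")
    if len(parts) not in (3, 4) or parts[1] not in ("module", "service"):
        raise ValueError(f"malformed auth target mapping: {entry!r}")
    ctx = dict(kv.partition("=")[::2] for kv in parts[3].split(",")) if len(parts) == 4 else {}
    return parts[0], parts[1], parts[2], ctx


def lint(cfg: dict) -> List[str]:
    """Return findings; an empty list means the two sections agree."""
    general, deployment = cfg["restStsGeneral"], cfg["restStsDeployment"]
    findings: List[str] = []
    validators = dict(parse_custom_registration(e) for e in general.get("custom-token-validators", []))
    providers = dict(parse_custom_registration(e) for e in general.get("custom-token-providers", []))
    standard = [parse_transform(e, ";") for e in general.get("supported-token-transforms", [])]
    custom = [parse_transform(e, "|") for e in general.get("custom-token-transforms", [])]

    # Registered custom tokens must be used by a custom transform, and vice versa.
    for name in set(validators) - {t.input_type for t in custom}:
        findings.append(f"custom validator {name} is not used by any custom-token-transforms entry")
    for name in set(providers) - {t.output_type for t in custom}:
        findings.append(f"custom provider {name} is not used by any custom-token-transforms entry")
    for t in custom:
        if t.input_type not in STANDARD_INPUT_TYPES and t.input_type not in validators:
            findings.append(f"custom transform input {t.input_type} has no custom-token-validators entry")
        if t.output_type not in STANDARD_OUTPUT_TYPES and t.output_type not in providers:
            findings.append(f"custom transform output {t.output_type} has no custom-token-providers entry")

    targets: Dict[str, Dict[str, str]] = {}
    for e in deployment.get("deployment-auth-target-mappings", []):
        token_type, _, _, ctx = parse_auth_target(e)
        targets[token_type] = ctx
    for t in standard + custom:
        key = REQUIRED_CONTEXT_KEY.get(t.input_type)
        if t.input_type in STANDARD_INPUT_TYPES - {"OPENAM"} and t.input_type not in targets:
            findings.append(f"no deployment-auth-target-mappings entry for input type {t.input_type}")
        elif key and key not in targets.get(t.input_type, {}):
            findings.append(f"auth target for {t.input_type} lacks {key}")
        # Validating a non-OPENAM input creates an interim session; 'false' leaves it behind.
        if t.input_type != "OPENAM" and not t.invalidate_session:
            findings.append(f"{t.input_type}->{t.output_type} leaves the interim OpenAM session alive")

    if any(t.input_type == "X509" for t in standard + custom):
        header = deployment.get("deployment-offloaded-two-way-tls-header-key")
        hosts = deployment.get("deployment-tls-offload-engine-hosts", [])
        if header and not hosts:
            findings.append("client certificate header is set but no trusted TLS-offload hosts are listed")
        if "any" in hosts:
            findings.append("trusted remote hosts is 'any': any caller can place a certificate in the "
                            "header without a TLS handshake proving key possession")
    return findings


# Constructed sample with one defect per check: a custom output token with no
# provider, an OIDC auth target missing its header key, a transform that keeps
# the interim session, and a TLS-offload trust list of 'any'.
SAMPLE_CONFIG = {
    "restStsGeneral": {
        "supported-token-transforms": ["USERNAME;SAML2;true", "OPENIDCONNECT;SAML2;false",
                                       "X509;OPENIDCONNECT;true"],
        "custom-token-validators": ["MY_CUSTOM_INPUT_TOKEN|org.mycompany.tokens.MyCustomTokenValidator"],
        "custom-token-transforms": ["MY_CUSTOM_INPUT_TOKEN|MY_CUSTOM_OUTPUT_TOKEN|true"],
    },
    "restStsDeployment": {
        "deployment-auth-target-mappings": [
            "USERNAME|service|ldapService",  # ldapService is a constructed name
            "OPENIDCONNECT|module|oidc",
            "X509|module|cert_module|x509_token_auth_target_header_key=client_cert"],
        "deployment-offloaded-two-way-tls-header-key": "client_cert",
        "deployment-tls-offload-engine-hosts": ["any"],
    },
}

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against the JSON body you are about to POST to the publish endpoint; the four findings it prints for SAMPLE_CONFIG are exactly the gaps described in the property descriptions above, and a clean run is a reasonable precondition before publishing an instance that accepts X509 or OPENIDCONNECT input.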
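The SAML2 Attribute Mappings property and the OIDC Claim Map property above share one rule: each map key names an attribute (or claim) in the issued token, the map value names a data-store attribute to look up, and nothing is emitted when the lookup returns no data. The SAML2 form adds an optional NameFormatURI prefix on the key, quoted static values that bypass the lookup, a fallback to session properties, and a ';binary' suffix. The following Python is an added example, not OpenAM's DefaultAttributeMapper, that implements that syntax against a constructed profile and session; base64 text for binary values and the unwrapping of single-valued claims in oidc_claims are this example's choices, not something the page specifies.

```python
"""Resolves SAML2 'Attribute Mappings' entries, and the plain name=attr entries
of the OIDC 'Claim Map', against a subject's data.
Added example; not OpenAM's DefaultAttributeMapper. Sample data is constructed."""
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Values = List[Union[str, bytes]]


@dataclass
class ResolvedAttribute:
    name: str
    name_format: Optional[str]  # None when the key has no NameFormatURI prefix
    values: List[str]           # binary values rendered as base64 text (example choice)


def parse_key(key: str):
    """'[NameFormatURI|]name' -> (name_format or None, name)."""
    fmt, sep, name = key.rpartition("|")
    return (fmt if sep else None), name


def resolve_mapping(mapping: Dict[str, str], profile: Dict[str, Values],
                    session: Dict[str, str]) -> List[ResolvedAttribute]:
    out: List[ResolvedAttribute] = []
    for key, spec in mapping.items():
        fmt, name = parse_key(key)
        if len(spec) >= 2 and spec[0] == spec[-1] == '"':
            # Quoted value: emitted verbatim, no data-store lookup.
            out.append(ResolvedAttribute(name, fmt, [spec[1:-1]]))
            continue
        attr, _, flag = spec.partition(";")
        raw = profile.get(attr)
        if raw is None and attr in session:   # fall back to session properties
            raw = [session[attr]]
        if not raw:
            continue                           # no data: the attribute is omitted
        if flag == "binary":
            vals = [base64.b64encode(v if isinstance(v, bytes) else v.encode()).decode() for v in raw]
        else:
            vals = [v.decode() if isinstance(v, bytes) else v for v in raw]
        out.append(ResolvedAttribute(name, fmt, vals))
    return out


def oidc_claims(claim_map: Dict[str, str], profile: Dict[str, Values]) -> Dict[str, object]:
    """OIDC Claim Map: claim_name=attribute_name, data-store lookup only, and a claim
    is set only when the lookup returns data. Single values are unwrapped (example choice)."""
    return {a.name: a.values[0] if len(a.values) == 1 else a.values
            for a in resolve_mapping(claim_map, profile, {})}


# Constructed sample: one entry of each syntactic form shown on the page, plus one
# whose data-store attribute is absent and one served from session state.
SAMPLE_MAPPING = {
    "EmailAddress": "mail",
    "Address": "postaladdress",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn": "cn",
    "partnerID": '"staticPartnerIDValue"',
    "photo": "photo;binary",
    "authLevel": "AuthLevel",  # AuthLevel is a constructed session property name
}
SAMPLE_PROFILE: Dict[str, Values] = {"mail": ["alice@example.com"], "cn": ["Alice Example"],
                                     "photo": [b"\x89PNG"]}
SAMPLE_SESSION = {"AuthLevel": "10"}

if __name__ == "__main__":
    for a in resolve_mapping(SAMPLE_MAPPING, SAMPLE_PROFILE, SAMPLE_SESSION):
        print(a)
    print(oidc_claims({"email": "mail", "name": "cn", "phone": "telephoneNumber"}, SAMPLE_PROFILE))
```

With the sample data, Address is dropped because postaladdress is absent from the profile, authLevel is served from the session, and the OIDC claim map yields only email and name because telephoneNumber returns nothing; that omit-on-miss behaviour is worth remembering when a relying party treats a missing claim as meaningful.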
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"restStsSaml2" : {
"type" : "object",
"title" : "SAML2 Token",
"propertyOrder" : 2,
"properties" : {
"saml2-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Corresponds to the private key of the IdP. Will be used to sign assertions. Value can remain unspecified unless assertions are signed.",
"propertyOrder" : 3300,
"required" : false,
"type" : "string"
},
"saml2-custom-attribute-mapper-class-name" : {
"title" : "Custom Attribute Mapper Class Name",
"description" : "If the class implementing attribute mapping for attributes contained in the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"saml2-encryption-algorithm-strength" : {
"title" : "Encryption Algorithm Strength",
"propertyOrder" : 2850,
"required" : false,
"type" : "integer"
},
"issuer-name" : {
"title" : "The SAML2 Issuer Id",
"description" : "The name of the issuer<br><br>This name will appear in some issued tokens - e.g. in the <code>saml:Issuer</code> of issued SAML2 assertions.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"saml2-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 3000,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-encryption-algorithm" : {
"title" : "Encryption Algorithm",
"description" : "Algorithm used to encrypt generated assertions.",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"saml2-encrypt-assertion" : {
"title" : "Encrypt Assertion",
"description" : "Check this box if the entire assertion should be encrypted. If this box is checked, the Encrypt NameID and Encrypt Attributes boxes cannot be checked.",
"propertyOrder" : 2500,
"required" : false,
"type" : "boolean"
},
"saml2-sign-assertion" : {
"title" : "Sign Assertion",
"propertyOrder" : 2400,
"required" : false,
"type" : "boolean"
},
"saml2-encrypt-nameid" : {
"title" : "Encrypt NameID",
"description" : "Check this box if the assertion NameID should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 2700,
"required" : false,
"type" : "boolean"
},
"saml2-sp-acs-url" : {
"title" : "Service Provider Assertion Consumer Service Url",
"description" : "When issuing bearer assertions, the recipient attribute of the SubjectConfirmation element must be set to the Service Provider Assertion Consumer Service Url. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details. Value required when issuing Bearer assertions.",
"propertyOrder" : 1300,
"required" : false,
"type" : "string"
},
"saml2-sp-entity-id" : {
"title" : "Service Provider Entity Id",
"description" : "Values will be used to populate the Audiences of the AudienceRestriction element of the Conditions element. This value is required when issuing Bearer assertions. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"saml2-custom-authn-context-mapper-class-name" : {
"title" : "Custom Authentication Context Class Name",
"description" : "If the AuthnContext mapping implemented by the <code>org.forgerock.openam.sts.rest.token.provider.saml.DefaultSaml2JsonTokenAuthnContextMapper</code> class needs to be customized, implement the <code>org.forgerock.openam.sts.rest.token.provider.saml.Saml2JsonTokenAuthnContextMapper</code> interface, and specify the name of the implementation here.",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"saml2-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"description" : "Set to override the default of 600 (10 minutes).",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"saml2-name-id-format" : {
"title" : "NameIdFormat",
"description" : "The default value is <code>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</code><br><br>See section 8.3 of <a href=\"http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf\" target=\"_blank\">Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0</a> for details on possible values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"saml2-custom-conditions-provider-class-name" : {
"title" : "Custom Conditions Provider Class Name",
"description" : "If the Conditions of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1600,
"required" : false,
"type" : "string"
},
"saml2-custom-subject-provider-class-name" : {
"title" : "Custom Subject Provider Class Name",
"description" : "If the Subject of the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.SubjectProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1700,
"required" : false,
"type" : "string"
},
"saml2-custom-authentication-statements-provider-class-name" : {
"title" : "Custom AuthenticationStatements Class Name",
"description" : "If the AuthenticationStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthenticationStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"saml2-encrypt-attributes" : {
"title" : "Encrypt Attributes",
"description" : "Check this box if the assertion Attributes should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 2600,
"required" : false,
"type" : "boolean"
},
"saml2-custom-authz-decision-statements-provider-class-name" : {
"title" : "Custom Authorization Decision Statements Class Name",
"description" : "If the AuthorizationDecisionStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthzDecisionStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"saml2-attribute-map" : {
"title" : "Attribute Mappings",
"description" : "Contains the mapping of assertion attribute names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>assertion_attr_name=ldap_attr_name</code><br><br>The DefaultAttributeMapper looks at profile attributes in configured data stores, or in Session properties. The keys define the names of the attributes included in the assertion's AttributeStatement, and the data pulled from the subject's directory entry or session state for the map value supplies that attribute's value. The keys can have the format <code>[NameFormatURI|]SAML ATTRIBUTE NAME</code>. If the map value is enclosed in quotes, that quoted value is included in the attribute verbatim, without any lookup. Binary attributes should be followed by ';binary'. <br>Examples: <ul><li>EmailAddress=mail</li><li>Address=postaladdress</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn</li><li>partnerID=\"staticPartnerIDValue\"</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\"</li><li>photo=photo;binary</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary</li></ul>",
"propertyOrder" : 2300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"saml2-custom-attribute-statements-provider-class-name" : {
"title" : "Custom AttributeStatements Class Name",
"description" : "If the AttributeStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string"
},
"saml2-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 3400,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-keystore-filename" : {
"title" : "KeystorePath",
"description" : "Path to keystore<br><br>Provide either the full filesystem path to a filesystem resident keystore, or a classpath-relative path to a keystore bundled in the OpenAM .war file. This keystore contains the IdP public/private keys and SP public key for signed and/or encrypted assertions. If assertions are neither signed nor encrypted, these values need not be specified.",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"saml2-encryption-key-alias" : {
"title" : "Encryption Key Alias",
"description" : "This alias corresponds to the SP's x509 Certificate identified by the SP Entity ID for this rest-sts instance. Not necessary unless assertions are to be encrypted.",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
}
}
},
"restStsOidc" : {
"type" : "object",
"title" : "OpenID Connect Token",
"propertyOrder" : 3,
"properties" : {
"oidc-client-secret" : {
"title" : "Client Secret",
"description" : "For HMAC-signed tokens, the client secret used as the HMAC key. Any party holding this secret can produce tokens that verify as STS-issued, so generate and protect it with the same care as a private signing key.<br><br>For HMAC-signed tokens, the KeyStore location, password, signature key alias and password configurations are not required.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-claim-map" : {
"title" : "Claim Map",
"description" : "Contains the mapping of OIDC token claim names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>claim_name=attribute_name</code><br><br>The keys in the map will be claim entries in the issued OIDC token, and the value of these claims will be the principal attribute state resulting from LDAP datastore lookup of the map values. If no values are returned from the LDAP datastore lookup of the attribute corresponding to the map value, no claim will be set in the issued OIDC token.",
"propertyOrder" : 4800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"oidc-custom-claim-mapper-class" : {
"title" : "Custom Claim Mapper Class",
"description" : "If the class implementing attribute mapping for attributes contained in issued OpenID Connect tokens needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.oidc.OpenIdConnectTokenClaimMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"oidc-issuer" : {
"title" : "The OpenID Connect Token Provider Issuer Id",
"propertyOrder" : 3450,
"required" : true,
"type" : "string"
},
"oidc-custom-authn-context-mapper-class" : {
"title" : "Custom Authn Context Mapper Class",
"description" : "If issued OIDC tokens are to contain acr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthnContextMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"oidc-custom-authn-method-references-mapper-class" : {
"title" : "Custom Authn Methods References Mapper Class",
"description" : "If issued OIDC tokens are to contain amr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthMethodReferencesMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"oidc-keystore-location" : {
"title" : "KeyStore Location",
"description" : "For RSA-signed tokens, the filesystem or classpath location of the KeyStore containing signing key entry<br><br>For RSA-signed tokens, the KeyStore location, password, signing-key alias, and signing key password must be specified. The client secret is not required for RSA-signed tokens.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"oidc-signature-key-alias" : {
"title" : "KeyStore Signing Key Alias",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"oidc-audience" : {
"title" : "Issued Tokens Audience",
"description" : "Contents will be set in the aud claim",
"propertyOrder" : 4600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidc-keystore-password" : {
"title" : "KeyStore Password",
"propertyOrder" : 3900,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 3500,
"required" : false,
"type" : "integer"
},
"oidc-signature-algorithm" : {
"title" : "Token Signature Algorithm",
"description" : "Algorithm used to sign issued OIDC tokens",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"oidc-public-key-reference-type" : {
"title" : "Public Key Reference Type",
"description" : "For tokens signed with RSA, how the corresponding public key should be referenced in the issued JWT.",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"oidc-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 4200,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-authorized-party" : {
"title" : "Authorized Party",
"propertyOrder" : 4700,
"required" : false,
"type" : "string"
}
}
},
"restStsGeneral" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"custom-token-transforms" : {
"title" : "Custom Token Transforms",
"description" : "If either custom token validators or providers are specified, they must also be specified in a custom rest-sts token transformation. These input or output tokens can be specified in a transformation with standard, or other custom, tokens.<br><br>The format of these token transformation definitions is the same as the standard token transformation definitions, with the fields separated by '|' as in the examples below. The first field defines the input token type, the second the output token type, and the third field specifies whether the OpenAM session, produced as part of the validation of the input token type, is invalidated following the production of the output token. <br><br>Example 1: <code>MY_CUSTOM_INPUT_TOKEN|SAML2|true</code> <br>Example 1 specifies MY_CUSTOM_INPUT_TOKEN as the input token (requires the specification of a custom token validator), SAML2 as the produced token, and that the interim OpenAM session should be invalidated after the SAML2 token is produced. <br><br>Example 2: <code>OPENIDCONNECT|MY_CUSTOM_OUTPUT_TOKEN|true</code> <br>Example 2 specifies that an OPENIDCONNECT token should be validated to assert the identity carried by a produced token of type MY_CUSTOM_OUTPUT_TOKEN (requires the specification of a custom token provider), and that the interim OpenAM session should be invalidated. <br><br>Example 3: <code>MY_CUSTOM_INPUT_TOKEN|MY_CUSTOM_OUTPUT_TOKEN|false</code> <br>Example 3 specifies that a MY_CUSTOM_INPUT_TOKEN should be transformed into a MY_CUSTOM_OUTPUT_TOKEN (requires the specification of both a custom provider and a custom validator), and that the interim OpenAM session should not be invalidated.",
"propertyOrder" : 500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"custom-token-providers" : {
"title" : "Custom Token Providers",
"description" : "If a rest-sts instance is to produce a custom token, specify the name of the custom token here, followed by '|', followed by the class name of the <code>org.forgerock.openam.sts.rest.token.provider.RestTokenProvider</code> implementation which will be invoked to produce an instance of the custom token.<br><br>Example: <code>MY_CUSTOM_OUTPUT_TOKEN|org.mycompany.tokens.MyCustomTokenProvider</code> <br>Note that MY_CUSTOM_OUTPUT_TOKEN would then be specified as the value corresponding to the token_type key in the output_token_state json object specified in rest-sts token transformation invocations.",
"propertyOrder" : 400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"custom-token-validators" : {
"title" : "Custom Token Validators",
"description" : "If validation of a custom token type is desired, specify the name of the custom token here, followed by '|', followed by the class name of the <code>org.forgerock.openam.sts.rest.token.validator.RestTokenTransformValidator</code> implementation which will be invoked to validate tokens of that type.<br><br>Example: <code>MY_CUSTOM_INPUT_TOKEN|org.mycompany.tokens.MyCustomTokenValidator</code> <br>Note that MY_CUSTOM_INPUT_TOKEN would then be specified as the value corresponding to the token_type key in the input_token_state json object specified in rest-sts token transformation invocations.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"persist-issued-tokens-in-cts" : {
"title" : "Persist Issued Tokens in Core Token Store",
"description" : "Necessary to support token validation and cancellation<br><br>Validation of STS-issued tokens will involve determining whether the token has been issued, has not expired, and has not been cancelled. Token cancellation involves removing the record of this token from the CTS. Thus CTS persistence of STS-issued tokens is required to support these features.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
},
"supported-token-transforms" : {
"title" : "Supported Token Transformations",
"description" : "Entry format: <code>input_token_type;output_token_type;{true|false}</code>, where true|false indicates whether the interim OpenAM session is invalidated following token issuance.<br><br>Example: for the transform USERNAME->SAML2, the OpenAM session generated as part of validating the USERNAME token should normally be invalidated, so the config entry would be <code>USERNAME;SAML2;true</code>. If this value is false, each USERNAME->SAML2 transformation leaves behind a 'left-over' OpenAM session. Note that currently, any transformation which starts with an OPENAM session, e.g. <code>OPENAM;SAML2</code>, will not invalidate this OPENAM session, as it was not created as part of the token transformation.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"restStsDeployment" : {
"type" : "object",
"title" : "Deployment",
"propertyOrder" : 1,
"properties" : {
"deployment-auth-target-mappings" : {
"title" : "Authentication Target Mappings",
"description" : "Configuration of consumption of OpenAM's rest-authN. For each validated token type (other than OpenAM), the REST authN elements which will validate token instances. <br>Entry format: <code>TokenType;authIndexType;authIndexValue;context_key=context_value,context_key1=context_value1</code>. <br>The <code>context_key=context_value</code> entries are optional.<br><br>Each deployed STS is configured with the authentication targets for each input token type for each supported token transformation. For example, if the transformation OPENIDCONNECT->SAML2 is supported, the STS instance must be configured with information specifying which elements of the OpenAM restful authentication context needs to be consumed to validate the OPENIDCONNECT token. The elements of the configuration tuple are separated by '|'. <br>The first element is the input token type in the token transform: i.e. X509, OPENIDCONNECT, USERNAME, or OPENAM. The second element is the authentication target - i.e. either 'module' or 'service', and the third element is the name of the authentication module or service. The fourth (optional) element provides the STS authentication context information about the to-be-consumed authentication context. <br>When transforming OpenID Connect Id tokens, the OpenID Connect authentication module must be consumed, and thus a deployed rest-sts instance must be configured with the name of the header/cookie element where the OpenID Connect Id token will be placed. For this example, the following string would define these configurations: <code>OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token</code>. In this case, 'oidc' is the name of the OpenID Connect authentication module created to authenticate OpenID Connect tokens. 
<br>When transforming a X509 Certificate, the Certificate module must be consumed, and the published rest-sts instance must be configured with the name of the Certificate module (or the service containing the module), and the header name configured for the Certificate module corresponding to where the Certificate module can expect to find the to-be-validated Certificate. The following string would define these configurations: <code>X509|module|cert_module|x509_token_auth_target_header_key=client_cert</code>. In this case 'cert_module' is the name of the Certificate module, and client_cert is the header name where Certificate module has been configured to find the client's Certificate.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-offloaded-two-way-tls-header-key" : {
"title" : "Client Certificate Header Key",
"description" : "TLS-offload host certificate header key<br><br>Token transformation which take X509 Certificates as the input token require that the X509 Certificate be presented via two-way TLS, so that the TLS handshake can validate client certificate ownership. A standard means of obtaining the client certificate presented via two-way TLS is via the javax.servlet.request.X509Certificate attribute in the ServletRequest. However, in TLS-offloaded deployments, the TLS-offloader must communicate the client certificate to its ultimate destination via an Http header. If this rest-sts instance is to support token transformations with X509 Certificate input, and OpenAM will be deployed in a TLS-offloaded context, then this value must be set to the header value which the TLS-offloading engine will use to set client certificates presented via the TLS handshake.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"deployment-tls-offload-engine-hosts" : {
"title" : "Trusted Remote Hosts",
"description" : "IP addresses of TLS-Offload Hosts<br><br>Token transformation which take X509 Certificates as the input token require that the X509 Certificate be presented via two-way TLS, so that the TLS handshake can validate client certificate ownership. If OpenAM is deployed in a TLS-offloaded environment, in which the TLS-offloader must communicate the client certificate to the rest-sts via an Http header, this certificate will only be accepted if the ip address(es) of the TLS-offload engines are specified in this list. Specify 'any' if a client certificate can be presented in the specified header by any rest-sts client.",
"propertyOrder" : 1000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"restStsSaml2" : {
"type" : "object",
"title" : "SAML2 Token",
"propertyOrder" : 2,
"properties" : {
"saml2-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Corresponds to the private key of the IdP. Will be used to sign assertions. Value can remain unspecified unless assertions are signed.",
"propertyOrder" : 3300,
"required" : false,
"type" : "string"
},
"saml2-custom-attribute-mapper-class-name" : {
"title" : "Custom Attribute Mapper Class Name",
"description" : "If the class implementing attribute mapping for attributes contained in the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2100,
"required" : false,
"type" : "string"
},
"saml2-encryption-algorithm-strength" : {
"title" : "Encryption Algorithm Strength",
"propertyOrder" : 2850,
"required" : false,
"type" : "integer"
},
"issuer-name" : {
"title" : "The SAML2 Issuer Id",
"description" : "The name of the issuer<br><br>This name will appear in some issued tokens - e.g. in the <code>saml:Issuer</code> of issued SAML2 assertions.",
"propertyOrder" : 1100,
"required" : true,
"type" : "string"
},
"saml2-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 3000,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-encryption-algorithm" : {
"title" : "Encryption Algorithm",
"description" : "Algorithm used to encrypt generated assertions.",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
},
"saml2-encrypt-assertion" : {
"title" : "Encrypt Assertion",
"description" : "Check this box if the entire assertion should be encrypted. If this box is checked, the Encrypt NameID and Encrypt Attributes boxes cannot be checked.",
"propertyOrder" : 2500,
"required" : false,
"type" : "boolean"
},
"saml2-sign-assertion" : {
"title" : "Sign Assertion",
"propertyOrder" : 2400,
"required" : false,
"type" : "boolean"
},
"saml2-encrypt-nameid" : {
"title" : "Encrypt NameID",
"description" : "Check this box if the assertion NameID should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 2700,
"required" : false,
"type" : "boolean"
},
"saml2-sp-acs-url" : {
"title" : "Service Provider Assertion Consumer Service Url",
"description" : "When issuing bearer assertions, the recipient attribute of the SubjectConfirmation element must be set to the Service Provider Assertion Consumer Service Url. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details. Value required when issuing Bearer assertions.",
"propertyOrder" : 1300,
"required" : false,
"type" : "string"
},
"saml2-sp-entity-id" : {
"title" : "Service Provider Entity Id",
"description" : "Values will be used to populate the Audiences of the AudienceRestriction element of the Conditions element. This value is required when issuing Bearer assertions. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details.",
"propertyOrder" : 1200,
"required" : true,
"type" : "string"
},
"saml2-custom-authn-context-mapper-class-name" : {
"title" : "Custom Authentication Context Class Name",
"description" : "If the AuthnContext mapping implemented by the <code>org.forgerock.openam.sts.rest.token.provider.saml.DefaultSaml2JsonTokenAuthnContextMapper</code> class needs to be customized, implement the <code>org.forgerock.openam.sts.rest.token.provider.saml.Saml2JsonTokenAuthnContextMapper</code> interface, and specify the name of the implementation here.",
"propertyOrder" : 2200,
"required" : false,
"type" : "string"
},
"saml2-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"description" : "Set to over-ride the default of 600 (10 minutes).",
"propertyOrder" : 1500,
"required" : false,
"type" : "integer"
},
"saml2-name-id-format" : {
"title" : "NameIdFormat",
"description" : "The default value is <code>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</code><br><br>See section 8.3 of <a href=\"http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf\" target=\"_blank\">Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0</a> for details on possible values.",
"propertyOrder" : 1400,
"required" : true,
"type" : "string"
},
"saml2-custom-conditions-provider-class-name" : {
"title" : "Custom Conditions Provider Class Name",
"description" : "If the Conditions of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1600,
"required" : false,
"type" : "string"
},
"saml2-custom-subject-provider-class-name" : {
"title" : "Customs Subject Provider Class Name",
"description" : "If the Subject of the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.SubjectProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1700,
"required" : false,
"type" : "string"
},
"saml2-custom-authentication-statements-provider-class-name" : {
"title" : "Custom AuthenticationStatements Class Name",
"description" : "If the AuthenticationStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthenticationStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1800,
"required" : false,
"type" : "string"
},
"saml2-encrypt-attributes" : {
"title" : "Encrypt Attributes",
"description" : "Check this box if the assertion Attributes should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 2600,
"required" : false,
"type" : "boolean"
},
"saml2-custom-authz-decision-statements-provider-class-name" : {
"title" : "Custom Authorization Decision Statements Class Name",
"description" : "If the AuthorizationDecisionStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthzDecisionStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"saml2-attribute-map" : {
"title" : "Attribute Mappings",
"description" : "Contains the mapping of assertion attribute names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>assertion_attr_name=ldap_attr_name</code><br><br>The DefaultAttributeMapper looks at profile attributes in configured data stores, or in Session properties. The keys will define the name of the attributes included in the Assertion Attribute statements, and the data pulled from the subject's directory entry or session state corresponding to the map value will define the value corresponding to this attribute name. The keys can have the format <code>[NameFomatURI|]SAML ATTRIBUTE NAME</code>. If the attribute value is enclosed in quotes, that quoted value will be included in the attribute without mapping. Binary attributes should be followed by ';binary'. <br>Examples: <ul><li>EmailAddress=mail</li><li>Address=postaladdress</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn</li><li>partnerID=\"staticPartnerIDValue\"</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\"</li><li>photo=photo;binary</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary</li></ul>",
"propertyOrder" : 2300,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"saml2-custom-attribute-statements-provider-class-name" : {
"title" : "Custom AttributeStatements Class Name",
"description" : "If the AttributeStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 1900,
"required" : false,
"type" : "string"
},
"saml2-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 3400,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-keystore-filename" : {
"title" : "KeystorePath",
"description" : "Path to keystore<br><br>Provide either the full filesystem path to a filesystem resident keystore, or a classpath-relative path to a keystore bundled in the OpenAM .war file. This keystore contains the IdP public/private keys and SP public key for signed and/or encrypted assertions. If assertions are neither signed nor encrypted, these values need not be specified.",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"saml2-encryption-key-alias" : {
"title" : "Encryption Key Alias",
"description" : "This alias corresponds to the SP's x509 Certificate identified by the SP Entity ID for this rest-sts instance. Not necessary unless assertions are to be encrypted.",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
}
}
},
"restStsOidc" : {
"type" : "object",
"title" : "OpenID Connect Token",
"propertyOrder" : 3,
"properties" : {
"oidc-client-secret" : {
"title" : "Client Secret",
"description" : "For HMAC-signed tokens, the client secret used as the HMAC key.<br><br>For HMAC-signed tokens, the KeyStore location, password, signature key alias and password configurations are not required.",
"propertyOrder" : 4400,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-claim-map" : {
"title" : "Claim Map",
"description" : "Contains the mapping of OIDC token claim names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>claim_name=attribute_name</code><br><br>The keys in the map will be claim entries in the issued OIDC token, and the value of these claims will be the principal attribute state resulting from LDAP datastore lookup of the map values. If no values are returned from the LDAP datastore lookup of the attribute corresponding to the map value, no claim will be set in the issued OIDC token.",
"propertyOrder" : 4800,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"oidc-custom-claim-mapper-class" : {
"title" : "Custom Claim Mapper Class",
"description" : "If the class implementing attribute mapping for attributes contained in issued OpenID Connect tokens needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.oidc.OpenIdConnectTokenClaimMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"oidc-issuer" : {
"title" : "The OpenID Connect Token Provider Issuer Id",
"propertyOrder" : 3450,
"required" : true,
"type" : "string"
},
"oidc-custom-authn-context-mapper-class" : {
"title" : "Custom Authn Context Mapper Class",
"description" : "If issued OIDC tokens are to contain acr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthnContextMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
},
"oidc-custom-authn-method-references-mapper-class" : {
"title" : "Custom Authn Methods References Mapper Class",
"description" : "If issued OIDC tokens are to contain amr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthMethodReferencesMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 5100,
"required" : false,
"type" : "string"
},
"oidc-keystore-location" : {
"title" : "KeyStore Location",
"description" : "For RSA-signed tokens, the filesystem or classpath location of the KeyStore containing signing key entry<br><br>For RSA-signed tokens, the KeyStore location, password, signing-key alias, and signing key password must be specified. The client secret is not required for RSA-signed tokens.",
"propertyOrder" : 3800,
"required" : true,
"type" : "string"
},
"oidc-signature-key-alias" : {
"title" : "KeyStore Signing Key Alias",
"propertyOrder" : 4100,
"required" : true,
"type" : "string"
},
"oidc-audience" : {
"title" : "Issued Tokens Audience",
"description" : "Contents will be set in the aud claim",
"propertyOrder" : 4600,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidc-keystore-password" : {
"title" : "KeyStore Password",
"propertyOrder" : 3900,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 3500,
"required" : false,
"type" : "integer"
},
"oidc-signature-algorithm" : {
"title" : "Token Signature Algorithm",
"description" : "Algorithm used to sign issued OIDC tokens",
"propertyOrder" : 3600,
"required" : true,
"type" : "string"
},
"oidc-public-key-reference-type" : {
"title" : "Public Key Reference Type",
"description" : "For tokens signed with RSA, how should corresponding public key be referenced in the issued jwt",
"propertyOrder" : 3700,
"required" : false,
"type" : "string"
},
"oidc-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 4200,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-authorized-party" : {
"title" : "Authorized Party",
"propertyOrder" : 4700,
"required" : false,
"type" : "string"
}
}
},
"restStsGeneral" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"custom-token-transforms" : {
"title" : "Custom Token Transforms",
"description" : "If either custom token validators or providers are specified, they must also be specified in a custom rest-sts token transformation. These input or output tokens can be specified in a transformation with standard, or other custom, tokens.<br><br>The format of these token transformation definitions is the same as the standard token transformation definitions. The first field defines the input token type, the second the output token type, and the third field specifies whether the OpenAM session, produced as part of the validation of the input token type, is invalidated following the production of the output token. <br><br>Example 1:<code> MY_CUSTOM_INPUT_TOKEN|SAML2|true</code> <br>Example 1 specifies a MY_CUSTOM_INPUT_TOKEN as the input token (requires the specification of a custom token validator) SAML2 as the produced token, and that the interim OpenAM Session should be invalidated after the SAML2 token is produced. <br><br>Example 2: <code>OPENIDCONNECT|MY_CUSTOM_OUTPUT_TOKEN|true</code> <br>Example 2 specifies that an OPENIDCONNECT token should be authenticated to assert the identity of a token of type MY_CUSTOM_OUTPUT_TOKEN (requires the specification of a custom token provider) and that the interim OpenAM Session should be invalidated. <br><br>Example 3: <code>MY_CUSTOM_INPUT_TOKEN|MY_CUSTOM_OUTPUT_TOKEN|false</code> <br>Example 3 specifies that a MY_CUSTOM_INPUT_TOKEN should be transformed into a MY_CUSTOM_OUTPUT_TOKEN (requires the specification of both a custom provider and a custom validator), and that the interim OpenAM session should not be invalidated.",
"propertyOrder" : 500,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"custom-token-providers" : {
"title" : "Custom Token Providers",
"description" : "If a rest-sts instance is to produce a custom token, specify the name of the custom token here, followed by '|', followed by the class name of the <code>org.forgerock.openam.sts.rest.token.provider.RestTokenProvider</code> implementation which will be invoked to produce an instance of the custom token.<br><br>Example: <code>MY_CUSTOM_OUTPUT_TOKEN|org.mycompany.tokens.MyCustomTokenProvider</code> <br>Note that MY_CUSTOM_OUTPUT_TOKEN would then be specified as the value corresponding to the token_type key in the output_token_state json object specified in rest-sts token transformation invocations.",
"propertyOrder" : 400,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"custom-token-validators" : {
"title" : "Custom Token Validators",
"description" : "If validator of a custom token type is desired, specify the name of the custom token here, followed by '|', followed by the class name of the <code>org.forgerock.openam.sts.rest.token.validator.RestTokenTransformValidator</code> implementation which will be invoked to validate the custom tokens.<br><br>Example: <code>MY_CUSTOM_INPUT_TOKEN|org.mycompany.tokens.MyCustomTokenValidator</code> <br>Note that MY_CUSTOM_INPUT_TOKEN would then be specified as the value corresponding to the token_type key in the input_token_state json object specified in rest-sts token transformation invocations.",
"propertyOrder" : 300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"persist-issued-tokens-in-cts" : {
"title" : "Persist Issued Tokens in Core Token Store",
"description" : "Necessary to support token validation and cancellation<br><br>Validation of STS-issued tokens will involve determining whether the token has been issued, has not expired, and has not been cancelled. Token cancellation involves removing the record of this token from the CTS. Thus CTS persistence of STS-issued tokens is required to support these features.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
},
"supported-token-transforms" : {
"title" : "Supported Token Transformations",
"description" : "Entry format:<code>input_token_type;output_token_type;{true|false}</code>, where true|false indicates whether the interim OpenAM session is invalidated following token issuance.<br><br>Example: for the transform <code>USERNAME:SAML2</code>, it is likely that the OpenAM session generated as part of validating the USERNAME token should be invalidated, and thus the config entry would be <code>USERNAME;SAML2;true</code>. If this value is false, each USERNAME->SAML2 transformation will result in a 'left-over' OpenAM session. Note that currently, any transformation which starts with an OPENAM session, e.g. <code>OPENAM;SAML2</code>, will not invalidate this OPENAM session, as it was not created as part of the token transformation.",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
},
"restStsDeployment" : {
"type" : "object",
"title" : "Deployment",
"propertyOrder" : 1,
"properties" : {
"deployment-auth-target-mappings" : {
"title" : "Authentication Target Mappings",
"description" : "Configuration of consumption of OpenAM's rest-authN. For each validated token type (other than OpenAM), the REST authN elements which will validate token instances. <br>Entry format: <code>TokenType;authIndexType;authIndexValue;context_key=context_value,context_key1=context_value1</code>. <br>The <code>context_key=context_value</code> entries are optional.<br><br>Each deployed STS is configured with the authentication targets for each input token type for each supported token transformation. For example, if the transformation OPENIDCONNECT->SAML2 is supported, the STS instance must be configured with information specifying which elements of the OpenAM restful authentication context needs to be consumed to validate the OPENIDCONNECT token. The elements of the configuration tuple are separated by '|'. <br>The first element is the input token type in the token transform: i.e. X509, OPENIDCONNECT, USERNAME, or OPENAM. The second element is the authentication target - i.e. either 'module' or 'service', and the third element is the name of the authentication module or service. The fourth (optional) element provides the STS authentication context information about the to-be-consumed authentication context. <br>When transforming OpenID Connect Id tokens, the OpenID Connect authentication module must be consumed, and thus a deployed rest-sts instance must be configured with the name of the header/cookie element where the OpenID Connect Id token will be placed. For this example, the following string would define these configurations: <code>OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token</code>. In this case, 'oidc' is the name of the OpenID Connect authentication module created to authenticate OpenID Connect tokens. 
<br>When transforming a X509 Certificate, the Certificate module must be consumed, and the published rest-sts instance must be configured with the name of the Certificate module (or the service containing the module), and the header name configured for the Certificate module corresponding to where the Certificate module can expect to find the to-be-validated Certificate. The following string would define these configurations: <code>X509|module|cert_module|x509_token_auth_target_header_key=client_cert</code>. In this case 'cert_module' is the name of the Certificate module, and client_cert is the header name where Certificate module has been configured to find the client's Certificate.",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-offloaded-two-way-tls-header-key" : {
"title" : "Client Certificate Header Key",
"description" : "TLS-offload host certificate header key<br><br>Token transformation which take X509 Certificates as the input token require that the X509 Certificate be presented via two-way TLS, so that the TLS handshake can validate client certificate ownership. A standard means of obtaining the client certificate presented via two-way TLS is via the javax.servlet.request.X509Certificate attribute in the ServletRequest. However, in TLS-offloaded deployments, the TLS-offloader must communicate the client certificate to its ultimate destination via an Http header. If this rest-sts instance is to support token transformations with X509 Certificate input, and OpenAM will be deployed in a TLS-offloaded context, then this value must be set to the header value which the TLS-offloading engine will use to set client certificates presented via the TLS handshake.",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
},
"deployment-tls-offload-engine-hosts" : {
"title" : "Trusted Remote Hosts",
"description" : "IP addresses of TLS-Offload Hosts<br><br>Token transformation which take X509 Certificates as the input token require that the X509 Certificate be presented via two-way TLS, so that the TLS handshake can validate client certificate ownership. If OpenAM is deployed in a TLS-offloaded environment, in which the TLS-offloader must communicate the client certificate to the rest-sts via an Http header, this certificate will only be accepted if the ip address(es) of the TLS-offload engines are specified in this list. Specify 'any' if a client certificate can be presented in the specified header by any rest-sts client.",
"propertyOrder" : 1000,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
}
}
/realm-config/services/sts/soap-sts
1.0
The SOAP STS endpoint is responsible for storing the configuration of instances of REST Security Token Services (STS). Available operations are create, read, update, delete, query, schema and template.
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"soapStsSaml2" : {
"type" : "object",
"title" : "SAML2 Token",
"propertyOrder" : 3,
"properties" : {
"saml2-name-id-format" : {
"title" : "NameIdFormat",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"saml2-custom-attribute-mapper-class-name" : {
"title" : "Custom Attribute Mapper Class Name",
"description" : "If the class implementing attribute mapping for attributes contained in the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3300,
"required" : false,
"type" : "string"
},
"saml2-encryption-key-alias" : {
"title" : "Encryption Key Alias",
"description" : "This alias corresponds to the SP's x509 Certificate identified by the SP Entity ID for this rest-sts instance. Not necessary unless assertions are to be encrypted.",
"propertyOrder" : 4400,
"required" : false,
"type" : "string"
},
"saml2-keystore-filename" : {
"title" : "KeystorePath",
"description" : "Path to keystore<br><br>Provide either the full filesystem path to a filesystem resident keystore, or a classpath-relative path to a keystore bundled in the OpenAM .war file. This keystore contains the IdP public/private keys and SP public key for signed and/or encrypted assertions. If assertions are neither signed nor encrypted, these values need not be specified.",
"propertyOrder" : 4100,
"required" : false,
"type" : "string"
},
"saml2-custom-authz-decision-statements-provider-class-name" : {
"title" : "Custom Authorization Decision Statements Class Name",
"description" : "If the AuthorizationDecisionStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthzDecisionStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"issuer-name" : {
"title" : "SAML2 issuer Id",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"saml2-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Corresponds to the private key of the IdP. Will be used to sign assertions. Value can remain unspecified unless assertions are signed.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"saml2-encryption-algorithm" : {
"title" : "Encryption Algorithm",
"description" : "Algorithm used to encrypt generated assertions.",
"propertyOrder" : 4000,
"required" : false,
"type" : "string"
},
"saml2-custom-authentication-statements-provider-class-name" : {
"title" : "Custom AuthenticationStatements Class Name",
"description" : "If the AuthenticationStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthenticationStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"saml2-custom-authn-context-mapper-class-name" : {
"title" : "Custom Authentication Context Class Name",
"description" : "If the AuthnContext mapping implemented by the <code>org.forgerock.openam.sts.soap.token.provider.saml2.DefaultSaml2XmlTokenAuthnContextMapper</code> class needs to be customized, implement the <code>org.forgerock.openam.sts.soap.token.provider.saml2.Saml2XmlTokenAuthnContextMapper</code> interface, and specify the name of the implementation here.",
"propertyOrder" : 3400,
"required" : false,
"type" : "string"
},
"saml2-sp-entity-id" : {
"title" : "Service Provider Entity Id",
"description" : "Values will be used to populate the Audiences of the AudienceRestriction element of the Conditions element. This value is required when issuing Bearer assertions. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"saml2-custom-subject-provider-class-name" : {
"title" : "Custom Subject Provider Class Name ",
"description" : "If the Subject of the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.SubjectProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"saml2-sign-assertion" : {
"title" : "Sign Assertion",
"propertyOrder" : 3600,
"required" : false,
"type" : "boolean"
},
"saml2-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 4200,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 4600,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-custom-attribute-statements-provider-class-name" : {
"title" : "Custom AttributeStatements Class Name",
"description" : "If the AttributeStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"saml2-encrypt-attributes" : {
"title" : "Encrypt Attributes",
"description" : "Check this box if the assertion Attributes should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 3800,
"required" : false,
"type" : "boolean"
},
"saml2-encrypt-nameid" : {
"title" : "Encrypt NameID",
"description" : "Check this box if the assertion NameID should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 3900,
"required" : false,
"type" : "boolean"
},
"saml2-sp-acs-url" : {
"title" : "Service Provider Assertion Consumer Service Url",
"description" : "When issuing bearer assertions, the recipient attribute of the SubjectConfirmation element must be set to the Service Provider Assertion Consumer Service Url. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details. Value required when issuing Bearer assertions.",
"propertyOrder" : 2500,
"required" : false,
"type" : "string"
},
"saml2-encrypt-assertion" : {
"title" : "Encrypt Assertion",
"description" : "Check this box if the entire assertion should be encrypted. If this box is checked, the Encrypt NameID and Encrypt Attributes boxes cannot be checked.",
"propertyOrder" : 3700,
"required" : false,
"type" : "boolean"
},
"saml2-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 2700,
"required" : false,
"type" : "integer"
},
"saml2-attribute-map" : {
"title" : "Attribute Mappings",
"description" : "Contains the mapping of assertion attribute names (Map keys) to local OpenAM attributes (Map values) in configured data stores.<br>Format: <code>assertion_attr_name=ldap_attr_name</code><br><br>The DefaultAttributeMapper looks at profile attributes in configured data stores, or in Session properties. The keys define the names of the attributes included in the Assertion Attribute statements, and the data pulled from the subject's directory entry or session state corresponding to the map value defines the value of that attribute. The keys can have the format <code>[NameFormatURI|]SAML ATTRIBUTE NAME</code>. If the attribute value is enclosed in quotes, that quoted value is included in the attribute without mapping. Binary attributes should be followed by ';binary'.<br>Examples: <ul><li>EmailAddress=mail</li><li>Address=postaladdress</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn</li><li>partnerID=\"staticPartnerIDValue\"</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\"</li><li>photo=photo;binary</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary</li></ul>",
"propertyOrder" : 3500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"saml2-custom-conditions-provider-class-name" : {
"title" : "Custom Conditions Provider Class Name ",
"description" : "If the Conditions of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
}
}
},
"soapStsSoap" : {
"type" : "object",
"title" : "Soap Keystore",
"propertyOrder" : 2,
"properties" : {
"soap-keystore-filename" : {
"title" : "Soap Keystore Location",
"description" : "The location of the keystore which contains the key state necessary for the CXF and WSS4j runtime to enforce the SecurityPolicy bindings associated with this STS instance.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"soap-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 1500,
"required" : false,
"type" : "string",
"format" : "password"
},
"soap-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 1800,
"required" : false,
"type" : "string",
"format" : "password"
},
"soap-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Alias of key used to sign messages from STS. Necessary for asymmetric binding.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"soap-encryption-key-alias" : {
"title" : "Decryption Key Alias",
"description" : "Alias of key used by the STS to decrypt client messages in the asymmetric binding, and to decrypt the client-generated symmetric key in the symmetric binding. Corresponds to an STS PrivateKeyEntry.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"soap-encryption-key-password" : {
"title" : "Decryption Key Password",
"propertyOrder" : 2100,
"required" : false,
"type" : "string",
"format" : "password"
}
}
},
"soapStsOidc" : {
"type" : "object",
"title" : "OpenID Connect Token ",
"propertyOrder" : 4,
"properties" : {
"oidc-issuer" : {
"title" : "OpenID Connect Token Provider ID",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"oidc-client-secret" : {
"title" : "Client Secret",
"description" : "For HMAC-signed tokens, the client secret used as the HMAC key<br><br>For HMAC-signed tokens, the KeyStore location, password, signature key alias and password configurations are not required.",
"propertyOrder" : 5700,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 5500,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-audience" : {
"title" : "Issued Tokens Audience",
"description" : "Contents will be set in the aud claim",
"propertyOrder" : 5900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidc-custom-authn-method-references-mapper-class" : {
"title" : "Custom Authn Methods References Mapper Class",
"description" : "If issued OIDC tokens are to contain amr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthMethodReferencesMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 6400,
"required" : false,
"type" : "string"
},
"oidc-custom-claim-mapper-class" : {
"title" : "Custom Claim Mapper Class",
"propertyOrder" : 6200,
"required" : false,
"type" : "string"
},
"oidc-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 4800,
"required" : false,
"type" : "integer"
},
"oidc-claim-map" : {
"title" : "Claim Map",
"description" : "Contains the mapping of OIDC token claim names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>claim_name=attribute_name</code><br><br>The keys in the map will be claim entries in the issued OIDC token, and the value of these claims will be the principal attribute state resulting from LDAP datastore lookup of the map values. If no values are returned from the LDAP datastore lookup of the attribute corresponding to the map value, no claim will be set in the issued OIDC token.",
"propertyOrder" : 6100,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"oidc-keystore-password" : {
"title" : "KeyStore Password",
"propertyOrder" : 5200,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-signature-key-alias" : {
"title" : "KeyStore Signing Key Alias",
"description" : "For RSA-signed tokens, corresponds to the private key of the OIDC OP. Will be used to sign assertions.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"oidc-keystore-location" : {
"title" : "KeyStore Location",
"description" : "For RSA-signed tokens, the filesystem or classpath location of the KeyStore containing signing key entry<br><br>For RSA-signed tokens, the KeyStore location, password, signing-key alias, and signing key password must be specified. The client secret is not required for RSA-signed tokens.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
},
"oidc-signature-algorithm" : {
"title" : "Token Signature Algorithm",
"description" : "Algorithm used to sign issued OIDC tokens",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"oidc-custom-authn-context-mapper-class" : {
"title" : "Custom Authn Context Mapper Class",
"description" : "If issued OIDC tokens are to contain acr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthnContextMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 6300,
"required" : false,
"type" : "string"
},
"oidc-authorized-party" : {
"title" : "Authorized Party ",
"description" : "Optional. Will be set in the azp claim",
"propertyOrder" : 6000,
"required" : false,
"type" : "string"
},
"oidc-public-key-reference-type" : {
"title" : "Public Key Reference Type",
"description" : "For tokens signed with RSA, how the corresponding public key should be referenced in the issued JWT",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
}
}
},
"soapStsDeployment" : {
"type" : "object",
"title" : "Deployment",
"propertyOrder" : 1,
"properties" : {
"delegation-relationship-supported" : {
"title" : "Delegation Relationships Supported",
"description" : "Check if the RST will include ActAs/OnBehalfOf token elements<br><br>If SAML2 assertions with SenderVouches SubjectConfirmation are to be issued, this box must be checked.",
"propertyOrder" : 1100,
"required" : false,
"type" : "boolean"
},
"delegation-custom-token-handlers" : {
"title" : "Custom Delegation Handlers ",
"description" : "If delegation relationships are supported, the class names of soap-sts .war file classpath-resident implementations of the <code>org.apache.cxf.sts.token.delegation.TokenDelegationHandler</code> interface can be specified here.<br><br>Custom TokenDelegationHandler implementations will be invoked to validate the potentially custom token element included in the ActAs/OnBehalfOf element of the RequestSecurityToken invocation. Note that a TokenDelegationHandler does not need to be supplied to validate username or OpenAM session tokens. Validation of these tokens is supported out-of-the-box by selecting them in the Delegated Token Types list.",
"propertyOrder" : 1300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-auth-target-mappings" : {
"title" : "Authentication Target Mappings",
"description" : "Configuration of consumption of OpenAM's rest-authN<br><br>Each deployed STS is configured with the authentication targets for each input token type for each supported token transformation. For example, if the transformation OPENIDCONNECT->SAML2 is supported, the STS instance must be configured with information specifying which elements of the OpenAM restful authentication context need to be consumed to validate the OPENIDCONNECT token. The elements of the configuration tuple are separated by '|'. <br>The first element is the input token type in the token transform, i.e. X509, OPENIDCONNECT, USERNAME, or OPENAM. The second element is the authentication target, i.e. either 'module' or 'service', and the third element is the name of the authentication module or service. The fourth (optional) element provides the STS with information about the to-be-consumed authentication context. <br>When transforming OpenID Connect Id tokens, the OpenID Connect authentication module must be consumed, and thus a deployed sts instance must be configured with the name of the header/cookie element where the OpenID Connect Id token will be placed. For this example, the following string would define these configurations: <code>OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token</code>. In this case, 'oidc' is the name of the OpenID Connect authentication module created to authenticate OpenID Connect tokens. <br>When transforming a X509 Certificate, the Certificate module must be consumed, and the published sts instance must be configured with the name of the Certificate module (or the service containing the module), and the header name configured for the Certificate module corresponding to where the Certificate module can expect to find the to-be-validated Certificate. The following string would define these configurations: <code>X509|module|cert_module|x509_token_auth_target_header_key=client_cert</code>. In this case 'cert_module' is the name of the Certificate module, and client_cert is the header name where the Certificate module has been configured to find the client's Certificate.",
"propertyOrder" : 500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-custom-service-port" : {
"title" : "Custom Port QName",
"description" : "The name attribute of the wsdl:Port element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_port_name</code>",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"deployment-custom-wsdl-location" : {
"title" : "Custom wsdl File",
"description" : "The location (on the soap-sts .war accessible filesystem or the soap-sts .war classpath) of the custom wsdl file.<br><br>If the signing and/or encryption of the request and/or response messages specified in the SecurityPolicy bindings of the standard soap-sts wsdl files must be customized, specify the name of the customized wsdl file here. See documentation for additional details.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"deployment-am-url" : {
"title" : "OpenAM URL",
"description" : "Set to URL of the OpenAM instance or site deployment.<br><br>The OpenAM deployment will be consulted for published soap-sts instances, and to authenticate and issue tokens.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"delegation-validated-token-types" : {
"title" : "Delegated Token Types",
"description" : "If delegation relationships are supported, out-of-the-box validation support for username and OpenAM session tokens included as the ActAs/OnBehalfOf element is configured here.<br><br>If a value is selected in this list, then no Custom Delegation Handlers may be specified. The true/false value indicates whether the interim OpenAM session, created as part of delegated token validation, should be invalidated following token creation.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-wsdl-location" : {
"title" : "Wsdl File Referencing Security Policy Binding Selection",
"description" : "Choose the SupportingToken type and corresponding SecurityPolicy binding which will protect your sts instance. This choice determines the SecurityPolicy bindings in the wsdl file defining the WS-Trust API.<br><br>Note that the SupportingToken type selected must correspond to the Security Policy Validated Token selection. Note that if a custom wsdl file is chosen, the user is responsible for providing a properly formatted wsdl file. See documentation for details.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"deployment-custom-service-name" : {
"title" : "Custom Service QName",
"description" : "The name attribute of the wsdl:Service element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_name</code>",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"soapStsGeneral" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"security-policy-validated-token-config" : {
"title" : "Security Policy Validated Token",
"description" : "Determines the SupportingToken type in the WS-SecurityPolicy bindings in the soap STS' wsdl, and whether the interim OpenAM session resulting from successful SupportingToken validation, should be invalidated following token issue.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"issued-token-types" : {
"title" : "Issued Tokens",
"description" : "Determines which tokens this soap STS instance will issue",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"persist-issued-tokens-in-cts" : {
"title" : "Persist Issued Tokens in Core Token Store",
"description" : "Necessary to support token validation and cancellation<br><br>Validation of STS-issued tokens will involve determining whether the token has been issued, has not expired, and has not been cancelled. Token cancellation involves removing the record of this token from the CTS. Thus CTS persistence of STS-issued tokens is required to support these features.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
}
}
}
}
}
/realm-config/services/sts/soap-sts/{id}
1.0
The SOAP STS endpoint is responsible for storing the configuration of instances of REST Security Token Services (STS). Available operations are create, read, update, delete, query, schema and template.
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"soapStsSaml2" : {
"type" : "object",
"title" : "SAML2 Token",
"propertyOrder" : 3,
"properties" : {
"saml2-name-id-format" : {
"title" : "NameIdFormat",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"saml2-custom-attribute-mapper-class-name" : {
"title" : "Custom Attribute Mapper Class Name",
"description" : "If the class implementing attribute mapping for attributes contained in the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3300,
"required" : false,
"type" : "string"
},
"saml2-encryption-key-alias" : {
"title" : "Encryption Key Alias",
"description" : "This alias corresponds to the SP's x509 Certificate identified by the SP Entity ID for this rest-sts instance. Not necessary unless assertions are to be encrypted.",
"propertyOrder" : 4400,
"required" : false,
"type" : "string"
},
"saml2-keystore-filename" : {
"title" : "KeystorePath",
"description" : "Path to keystore<br><br>Provide either the full filesystem path to a filesystem resident keystore, or a classpath-relative path to a keystore bundled in the OpenAM .war file. This keystore contains the IdP public/private keys and SP public key for signed and/or encrypted assertions. If assertions are neither signed nor encrypted, these values need not be specified.",
"propertyOrder" : 4100,
"required" : false,
"type" : "string"
},
"saml2-custom-authz-decision-statements-provider-class-name" : {
"title" : "Custom Authorization Decision Statements Class Name",
"description" : "If the AuthorizationDecisionStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthzDecisionStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"issuer-name" : {
"title" : "SAML2 issuer Id",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"saml2-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Corresponds to the private key of the IdP. Will be used to sign assertions. Value can remain unspecified unless assertions are signed.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"saml2-encryption-algorithm" : {
"title" : "Encryption Algorithm",
"description" : "Algorithm used to encrypt generated assertions.",
"propertyOrder" : 4000,
"required" : false,
"type" : "string"
},
"saml2-custom-authentication-statements-provider-class-name" : {
"title" : "Custom AuthenticationStatements Class Name",
"description" : "If the AuthenticationStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthenticationStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"saml2-custom-authn-context-mapper-class-name" : {
"title" : "Custom Authentication Context Class Name",
"description" : "If the AuthnContext mapping implemented by the <code>org.forgerock.openam.sts.soap.token.provider.saml2.DefaultSaml2XmlTokenAuthnContextMapper</code> class needs to be customized, implement the <code>org.forgerock.openam.sts.soap.token.provider.saml2.Saml2XmlTokenAuthnContextMapper</code> interface, and specify the name of the implementation here.",
"propertyOrder" : 3400,
"required" : false,
"type" : "string"
},
"saml2-sp-entity-id" : {
"title" : "Service Provider Entity Id",
"description" : "Values will be used to populate the Audiences of the AudienceRestriction element of the Conditions element. This value is required when issuing Bearer assertions. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"saml2-custom-subject-provider-class-name" : {
"title" : "Custom Subject Provider Class Name ",
"description" : "If the Subject of the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.SubjectProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"saml2-sign-assertion" : {
"title" : "Sign Assertion",
"propertyOrder" : 3600,
"required" : false,
"type" : "boolean"
},
"saml2-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 4200,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 4600,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-custom-attribute-statements-provider-class-name" : {
"title" : "Custom AttributeStatements Class Name",
"description" : "If the AttributeStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"saml2-encrypt-attributes" : {
"title" : "Encrypt Attributes",
"description" : "Check this box if the assertion Attributes should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 3800,
"required" : false,
"type" : "boolean"
},
"saml2-encrypt-nameid" : {
"title" : "Encrypt NameID",
"description" : "Check this box if the assertion NameID should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 3900,
"required" : false,
"type" : "boolean"
},
"saml2-sp-acs-url" : {
"title" : "Service Provider Assertion Consumer Service Url",
"description" : "When issuing bearer assertions, the recipient attribute of the SubjectConfirmation element must be set to the Service Provider Assertion Consumer Service Url. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details. Value required when issuing Bearer assertions.",
"propertyOrder" : 2500,
"required" : false,
"type" : "string"
},
"saml2-encrypt-assertion" : {
"title" : "Encrypt Assertion",
"description" : "Check this box if the entire assertion should be encrypted. If this box is checked, the Encrypt NameID and Encrypt Attributes boxes cannot be checked.",
"propertyOrder" : 3700,
"required" : false,
"type" : "boolean"
},
"saml2-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 2700,
"required" : false,
"type" : "integer"
},
"saml2-attribute-map" : {
"title" : "Attribute Mappings",
"description" : "Contains the mapping of assertion attribute names (Map keys) to local OpenAM attributes (Map values) in configured data stores.<br>Format: <code>assertion_attr_name=ldap_attr_name</code><br><br>The DefaultAttributeMapper looks at profile attributes in configured data stores, or in Session properties. The keys define the names of the attributes included in the Assertion Attribute statements, and the data pulled from the subject's directory entry or session state corresponding to the map value defines the value of that attribute. The keys can have the format <code>[NameFormatURI|]SAML ATTRIBUTE NAME</code>. If the attribute value is enclosed in quotes, that quoted value is included in the attribute without mapping. Binary attributes should be followed by ';binary'.<br>Examples: <ul><li>EmailAddress=mail</li><li>Address=postaladdress</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn</li><li>partnerID=\"staticPartnerIDValue\"</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\"</li><li>photo=photo;binary</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary</li></ul>",
"propertyOrder" : 3500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"saml2-custom-conditions-provider-class-name" : {
"title" : "Custom Conditions Provider Class Name ",
"description" : "If the Conditions of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
}
}
},
"soapStsSoap" : {
"type" : "object",
"title" : "Soap Keystore",
"propertyOrder" : 2,
"properties" : {
"soap-keystore-filename" : {
"title" : "Soap Keystore Location",
"description" : "The location of the keystore which contains the key state necessary for the CXF and WSS4j runtime to enforce the SecurityPolicy bindings associated with this STS instance.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"soap-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 1500,
"required" : false,
"type" : "string",
"format" : "password"
},
"soap-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 1800,
"required" : false,
"type" : "string",
"format" : "password"
},
"soap-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Alias of key used to sign messages from STS. Necessary for asymmetric binding.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"soap-encryption-key-alias" : {
"title" : "Decryption Key Alias",
"description" : "Alias of key used by the STS to decrypt client messages in the asymmetric binding, and to decrypt the client-generated symmetric key in the symmetric binding. Corresponds to an STS PrivateKeyEntry.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"soap-encryption-key-password" : {
"title" : "Decryption Key Password",
"propertyOrder" : 2100,
"required" : false,
"type" : "string",
"format" : "password"
}
}
},
"soapStsOidc" : {
"type" : "object",
"title" : "OpenID Connect Token ",
"propertyOrder" : 4,
"properties" : {
"oidc-issuer" : {
"title" : "OpenID Connect Token Provider ID",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"oidc-client-secret" : {
"title" : "Client Secret",
"description" : "For HMAC-signed tokens, the client secret used as the HMAC key<br><br>For HMAC-signed tokens, the KeyStore location, password, signature key alias and password configurations are not required.",
"propertyOrder" : 5700,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 5500,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-audience" : {
"title" : "Issued Tokens Audience",
"description" : "Contents will be set in the aud claim",
"propertyOrder" : 5900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidc-custom-authn-method-references-mapper-class" : {
"title" : "Custom Authn Methods References Mapper Class",
"description" : "If issued OIDC tokens are to contain amr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthMethodReferencesMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 6400,
"required" : false,
"type" : "string"
},
"oidc-custom-claim-mapper-class" : {
"title" : "Custom Claim Mapper Class",
"propertyOrder" : 6200,
"required" : false,
"type" : "string"
},
"oidc-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 4800,
"required" : false,
"type" : "integer"
},
"oidc-claim-map" : {
"title" : "Claim Map",
"description" : "Contains the mapping of OIDC token claim names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>claim_name=attribute_name</code><br><br>The keys in the map will be claim entries in the issued OIDC token, and the value of these claims will be the principal attribute state resulting from LDAP datastore lookup of the map values. If no values are returned from the LDAP datastore lookup of the attribute corresponding to the map value, no claim will be set in the issued OIDC token.",
"propertyOrder" : 6100,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"oidc-keystore-password" : {
"title" : "KeyStore Password",
"propertyOrder" : 5200,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-signature-key-alias" : {
"title" : "KeyStore Signing Key Alias",
"description" : "For RSA-signed tokens, corresponds to the private key of the OIDC OP. Will be used to sign assertions.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"oidc-keystore-location" : {
"title" : "KeyStore Location",
"description" : "For RSA-signed tokens, the filesystem or classpath location of the KeyStore containing signing key entry<br><br>For RSA-signed tokens, the KeyStore location, password, signing-key alias, and signing key password must be specified. The client secret is not required for RSA-signed tokens.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
},
"oidc-signature-algorithm" : {
"title" : "Token Signature Algorithm",
"description" : "Algorithm used to sign issued OIDC tokens",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"oidc-custom-authn-context-mapper-class" : {
"title" : "Custom Authn Context Mapper Class",
"description" : "If issued OIDC tokens are to contain acr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthnContextMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 6300,
"required" : false,
"type" : "string"
},
"oidc-authorized-party" : {
"title" : "Authorized Party ",
"description" : "Optional. Will be set in the azp claim",
"propertyOrder" : 6000,
"required" : false,
"type" : "string"
},
"oidc-public-key-reference-type" : {
"title" : "Public Key Reference Type",
"description" : "For tokens signed with RSA, how the corresponding public key should be referenced in the issued JWT",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
}
}
},
"soapStsDeployment" : {
"type" : "object",
"title" : "Deployment",
"propertyOrder" : 1,
"properties" : {
"delegation-relationship-supported" : {
"title" : "Delegation Relationships Supported",
"description" : "Check if the RST will include ActAs/OnBehalfOf token elements<br><br>If SAML2 assertions with SenderVouches SubjectConfirmation are to be issued, this box must be checked.",
"propertyOrder" : 1100,
"required" : false,
"type" : "boolean"
},
"delegation-custom-token-handlers" : {
"title" : "Custom Delegation Handlers ",
"description" : "If delegation relationships are supported, the class names of soap-sts .war file classpath-resident implementations of the <code>org.apache.cxf.sts.token.delegation.TokenDelegationHandler</code> interface can be specified here.<br><br>Custom TokenDelegationHandler implementations will be invoked to validate the potentially custom token element included in the ActAs/OnBehalfOf element in the RequestSecurityToken invocation. Note that a TokenDelegationHandler does not need to be supplied to validate username or OpenAM session tokens. The validation of these tokens is supported out-of-the-box by selecting them in the Delegated Token Types list.",
"propertyOrder" : 1300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-auth-target-mappings" : {
"title" : "Authentication Target Mappings",
"description" : "Configuration of consumption of OpenAM's rest-authN<br><br>Each deployed STS is configured with the authentication targets for each input token type for each supported token transformation. For example, if the transformation OPENIDCONNECT->SAML2 is supported, the STS instance must be configured with information specifying which elements of the OpenAM restful authentication context need to be consumed to validate the OPENIDCONNECT token. The elements of the configuration tuple are separated by '|'.<br>The first element is the input token type in the token transform: i.e. X509, OPENIDCONNECT, USERNAME, or OPENAM. The second element is the authentication target - i.e. either 'module' or 'service', and the third element is the name of the authentication module or service. The fourth (optional) element provides the STS authentication context information about the to-be-consumed authentication context.<br>When transforming OpenID Connect Id tokens, the OpenID Connect authentication module must be consumed, and thus a deployed rest-sts instance must be configured with the name of the header/cookie element where the OpenID Connect Id token will be placed. For this example, the following string would define these configurations: <code>OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token</code>. In this case, 'oidc' is the name of the OpenID Connect authentication module created to authenticate OpenID Connect tokens.<br>When transforming an X509 Certificate, the Certificate module must be consumed, and the published rest-sts instance must be configured with the name of the Certificate module (or the service containing the module), and the header name configured for the Certificate module corresponding to where the Certificate module can expect to find the to-be-validated Certificate. The following string would define these configurations: <code>X509|module|cert_module|x509_token_auth_target_header_key=client_cert</code>. In this case 'cert_module' is the name of the Certificate module, and client_cert is the header name where the Certificate module has been configured to find the client's Certificate.",
"propertyOrder" : 500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-custom-service-port" : {
"title" : "Custom Port QName",
"description" : "The name attribute of the wsdl:Port element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_port_name</code>",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"deployment-custom-wsdl-location" : {
"title" : "Custom wsdl File",
"description" : "The location (on soap-sts .war accessible filesystem or soap-sts .war classpath) of the custom wsdl file.<br><br>If the signing and/or encryption of the request and/or response messages specified in the SecurityPolicy bindings of standard soap-sts wsdl files must be customized, specify the name of the customized wsdl file here. See documentation for additional details.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"deployment-am-url" : {
"title" : "OpenAM URL",
"description" : "Set to URL of the OpenAM instance or site deployment.<br><br>The OpenAM deployment will be consulted for published soap-sts instances, and to authenticate and issue tokens.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"delegation-validated-token-types" : {
"title" : "Delegated Token Types",
"description" : "If delegation relationships are supported, out-of-the-box validation support for the validation of username and OpenAM session tokens included as the ActAs/OnBehalfOf element is configured here.<br><br>If a value is selected in this list, then no Custom Delegation Handlers must be specified. The true/false value indicates whether the interim OpenAM session, created as part of delegated token validation, should be invalidated following token creation.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-wsdl-location" : {
"title" : "Wsdl File Referencing Security Policy Binding Selection",
"description" : "Choose the SupportingToken type and corresponding SecurityPolicy binding which will protect your sts instance. This choice will determine the SecurityPolicy bindings in the wsdl file defining the WS-Trust API.<br><br>Note that the SupportingToken type selected must correspond to the Security Policy Validated Token selection. Note that if a custom wsdl file is chosen, the user is responsible for providing a properly formatted wsdl file. See documentation for details.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"deployment-custom-service-name" : {
"title" : "Custom Service QName",
"description" : "The name attribute of the wsdl:Service element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_name</code>",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"soapStsGeneral" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"security-policy-validated-token-config" : {
"title" : "Security Policy Validated Token",
"description" : "Determines the SupportingToken type in the WS-SecurityPolicy bindings in the soap STS' wsdl, and whether the interim OpenAM session resulting from successful SupportingToken validation should be invalidated following token issue.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"issued-token-types" : {
"title" : "Issued Tokens",
"description" : "Determines which tokens this soap STS instance will issue",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"persist-issued-tokens-in-cts" : {
"title" : "Persist Issued Tokens in Core Token Store",
"description" : "Necessary to support token validation and cancellation<br><br>Validation of STS-issued tokens will involve determining whether the token has been issued, has not expired, and has not been cancelled. Token cancellation involves removing the record of this token from the CTS. Thus CTS persistence of STS-issued tokens is required to support these features.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
}
}
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"soapStsSaml2" : {
"type" : "object",
"title" : "SAML2 Token",
"propertyOrder" : 3,
"properties" : {
"saml2-name-id-format" : {
"title" : "NameIdFormat",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"saml2-custom-attribute-mapper-class-name" : {
"title" : "Custom Attribute Mapper Class Name",
"description" : "If the class implementing attribute mapping for attributes contained in the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3300,
"required" : false,
"type" : "string"
},
"saml2-encryption-key-alias" : {
"title" : "Encryption Key Alias",
"description" : "This alias corresponds to the SP's x509 Certificate identified by the SP Entity ID for this rest-sts instance. Not necessary unless assertions are to be encrypted.",
"propertyOrder" : 4400,
"required" : false,
"type" : "string"
},
"saml2-keystore-filename" : {
"title" : "KeystorePath",
"description" : "Path to keystore<br><br>Provide either the full filesystem path to a filesystem resident keystore, or a classpath-relative path to a keystore bundled in the OpenAM .war file. This keystore contains the IdP public/private keys and SP public key for signed and/or encrypted assertions. If assertions are neither signed nor encrypted, these values need not be specified.",
"propertyOrder" : 4100,
"required" : false,
"type" : "string"
},
"saml2-custom-authz-decision-statements-provider-class-name" : {
"title" : "Custom Authorization Decision Statements Class Name",
"description" : "If the AuthorizationDecisionStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthzDecisionStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"issuer-name" : {
"title" : "SAML2 issuer Id",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"saml2-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Corresponds to the private key of the IdP. Will be used to sign assertions. Value can remain unspecified unless assertions are signed.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"saml2-encryption-algorithm" : {
"title" : "Encryption Algorithm",
"description" : "Algorithm used to encrypt generated assertions.",
"propertyOrder" : 4000,
"required" : false,
"type" : "string"
},
"saml2-custom-authentication-statements-provider-class-name" : {
"title" : "Custom AuthenticationStatements Class Name",
"description" : "If the AuthenticationStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthenticationStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"saml2-custom-authn-context-mapper-class-name" : {
"title" : "Custom Authentication Context Class Name",
"description" : "If the AuthnContext mapping implemented by the <code>org.forgerock.openam.sts.soap.token.provider.saml2.DefaultSaml2XmlTokenAuthnContextMapper</code> class needs to be customized, implement the <code>org.forgerock.openam.sts.soap.token.provider.saml2.Saml2XmlTokenAuthnContextMapper</code> interface, and specify the name of the implementation here.",
"propertyOrder" : 3400,
"required" : false,
"type" : "string"
},
"saml2-sp-entity-id" : {
"title" : "Service Provider Entity Id",
"description" : "Values will be used to populate the Audiences of the AudienceRestriction element of the Conditions element. This value is required when issuing Bearer assertions. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"saml2-custom-subject-provider-class-name" : {
"title" : "Custom Subject Provider Class Name ",
"description" : "If the Subject of the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.SubjectProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"saml2-sign-assertion" : {
"title" : "Sign Assertion",
"propertyOrder" : 3600,
"required" : false,
"type" : "boolean"
},
"saml2-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 4200,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 4600,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-custom-attribute-statements-provider-class-name" : {
"title" : "Custom AttributeStatements Class Name",
"description" : "If the AttributeStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"saml2-encrypt-attributes" : {
"title" : "Encrypt Attributes",
"description" : "Check this box if the assertion Attributes should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 3800,
"required" : false,
"type" : "boolean"
},
"saml2-encrypt-nameid" : {
"title" : "Encrypt NameID",
"description" : "Check this box if the assertion NameID should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 3900,
"required" : false,
"type" : "boolean"
},
"saml2-sp-acs-url" : {
"title" : "Service Provider Assertion Consumer Service Url",
"description" : "When issuing bearer assertions, the recipient attribute of the SubjectConfirmation element must be set to the Service Provider Assertion Consumer Service Url. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details. Value required when issuing Bearer assertions.",
"propertyOrder" : 2500,
"required" : false,
"type" : "string"
},
"saml2-encrypt-assertion" : {
"title" : "Encrypt Assertion",
"description" : "Check this box if the entire assertion should be encrypted. If this box is checked, the Encrypt NameID and Encrypt Attributes boxes cannot be checked.",
"propertyOrder" : 3700,
"required" : false,
"type" : "boolean"
},
"saml2-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 2700,
"required" : false,
"type" : "integer"
},
"saml2-attribute-map" : {
"title" : "Attribute Mappings",
"description" : "Contains the mapping of assertion attribute names (Map keys) to local OpenAM attributes (Map values) in configured data stores.<br>Format: <code>assertion_attr_name=ldap_attr_name</code><br><br>The DefaultAttributeMapper looks at profile attributes in configured data stores, or in Session properties. The keys will define the name of the attributes included in the Assertion Attribute statements, and the data pulled from the subject's directory entry or session state corresponding to the map value will define the value corresponding to this attribute name. The keys can have the format <code>[NameFormatURI|]SAML ATTRIBUTE NAME</code>. If the attribute value is enclosed in quotes, that quoted value will be included in the attribute without mapping. Binary attributes should be followed by ';binary'.<br>Examples: <ul><li>EmailAddress=mail</li><li>Address=postaladdress</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn</li><li>partnerID=\"staticPartnerIDValue\"</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\"</li><li>photo=photo;binary</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary</li></ul>",
"propertyOrder" : 3500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"saml2-custom-conditions-provider-class-name" : {
"title" : "Custom Conditions Provider Class Name ",
"description" : "If the Conditions of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
}
}
},
"soapStsSoap" : {
"type" : "object",
"title" : "Soap Keystore",
"propertyOrder" : 2,
"properties" : {
"soap-keystore-filename" : {
"title" : "Soap Keystore Location",
"description" : "The location of the keystore which contains the key state necessary for the CXF and WSS4j runtime to enforce the SecurityPolicy bindings associated with this STS instance.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"soap-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 1500,
"required" : false,
"type" : "string",
"format" : "password"
},
"soap-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 1800,
"required" : false,
"type" : "string",
"format" : "password"
},
"soap-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Alias of key used to sign messages from STS. Necessary for asymmetric binding.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"soap-encryption-key-alias" : {
"title" : "Decryption Key Alias",
"description" : "Alias of key used by the STS to decrypt client messages in the asymmetric binding, and to decrypt the client-generated symmetric key in the symmetric binding. Corresponds to an STS PrivateKeyEntry.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"soap-encryption-key-password" : {
"title" : "Decryption Key Password",
"propertyOrder" : 2100,
"required" : false,
"type" : "string",
"format" : "password"
}
}
},
"soapStsOidc" : {
"type" : "object",
"title" : "OpenID Connect Token ",
"propertyOrder" : 4,
"properties" : {
"oidc-issuer" : {
"title" : "OpenID Connect Token Provider ID",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"oidc-client-secret" : {
"title" : "Client Secret",
"description" : "For HMAC-signed tokens, the client secret used as the HMAC key<br><br>For HMAC-signed tokens, the KeyStore location, password, signature key alias and password configurations are not required.",
"propertyOrder" : 5700,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 5500,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-audience" : {
"title" : "Issued Tokens Audience",
"description" : "Contents will be set in the aud claim",
"propertyOrder" : 5900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidc-custom-authn-method-references-mapper-class" : {
"title" : "Custom Authn Methods References Mapper Class",
"description" : "If issued OIDC tokens are to contain amr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthMethodReferencesMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 6400,
"required" : false,
"type" : "string"
},
"oidc-custom-claim-mapper-class" : {
"title" : "Custom Claim Mapper Class",
"propertyOrder" : 6200,
"required" : false,
"type" : "string"
},
"oidc-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 4800,
"required" : false,
"type" : "integer"
},
"oidc-claim-map" : {
"title" : "Claim Map",
"description" : "Contains the mapping of OIDC token claim names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>claim_name=attribute_name</code><br><br>The keys in the map will be claim entries in the issued OIDC token, and the value of these claims will be the principal attribute state resulting from LDAP datastore lookup of the map values. If no values are returned from the LDAP datastore lookup of the attribute corresponding to the map value, no claim will be set in the issued OIDC token.",
"propertyOrder" : 6100,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"oidc-keystore-password" : {
"title" : "KeyStore Password",
"propertyOrder" : 5200,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-signature-key-alias" : {
"title" : "KeyStore Signing Key Alias",
"description" : "For RSA-signed tokens, corresponds to the private key of the OIDC OP. Will be used to sign assertions.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"oidc-keystore-location" : {
"title" : "KeyStore Location",
"description" : "For RSA-signed tokens, the filesystem or classpath location of the KeyStore containing signing key entry<br><br>For RSA-signed tokens, the KeyStore location, password, signing-key alias, and signing key password must be specified. The client secret is not required for RSA-signed tokens.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
},
"oidc-signature-algorithm" : {
"title" : "Token Signature Algorithm",
"description" : "Algorithm used to sign issued OIDC tokens",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"oidc-custom-authn-context-mapper-class" : {
"title" : "Custom Authn Context Mapper Class",
"description" : "If issued OIDC tokens are to contain acr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthnContextMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 6300,
"required" : false,
"type" : "string"
},
"oidc-authorized-party" : {
"title" : "Authorized Party ",
"description" : "Optional. Will be set in the azp claim",
"propertyOrder" : 6000,
"required" : false,
"type" : "string"
},
"oidc-public-key-reference-type" : {
"title" : "Public Key Reference Type",
"description" : "For tokens signed with RSA, how the corresponding public key should be referenced in the issued JWT",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
}
}
},
"soapStsDeployment" : {
"type" : "object",
"title" : "Deployment",
"propertyOrder" : 1,
"properties" : {
"delegation-relationship-supported" : {
"title" : "Delegation Relationships Supported",
"description" : "Check if the RST will include ActAs/OnBehalfOf token elements<br><br>If SAML2 assertions with SenderVouches SubjectConfirmation are to be issued, this box must be checked.",
"propertyOrder" : 1100,
"required" : false,
"type" : "boolean"
},
"delegation-custom-token-handlers" : {
"title" : "Custom Delegation Handlers ",
"description" : "If delegation relationships are supported, the class names of soap-sts .war file classpath-resident implementations of the <code>org.apache.cxf.sts.token.delegation.TokenDelegationHandler</code> interface can be specified here.<br><br>Custom TokenDelegationHandler implementations will be invoked to validate the potentially custom token element included in the ActAs/OnBehalfOf element in the RequestSecurityToken invocation. Note that a TokenDelegationHandler does not need to be supplied to validate username or OpenAM session tokens. The validation of these tokens is supported out-of-the-box by selecting them in the Delegated Token Types list.",
"propertyOrder" : 1300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-auth-target-mappings" : {
"title" : "Authentication Target Mappings",
"description" : "Configuration of consumption of OpenAM's rest-authN<br><br>Each deployed STS is configured with the authentication targets for each input token type for each supported token transformation. For example, if the transformation OPENIDCONNECT->SAML2 is supported, the STS instance must be configured with information specifying which elements of the OpenAM restful authentication context need to be consumed to validate the OPENIDCONNECT token. The elements of the configuration tuple are separated by '|'.<br>The first element is the input token type in the token transform: i.e. X509, OPENIDCONNECT, USERNAME, or OPENAM. The second element is the authentication target - i.e. either 'module' or 'service', and the third element is the name of the authentication module or service. The fourth (optional) element provides the STS authentication context information about the to-be-consumed authentication context.<br>When transforming OpenID Connect Id tokens, the OpenID Connect authentication module must be consumed, and thus a deployed rest-sts instance must be configured with the name of the header/cookie element where the OpenID Connect Id token will be placed. For this example, the following string would define these configurations: <code>OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token</code>. In this case, 'oidc' is the name of the OpenID Connect authentication module created to authenticate OpenID Connect tokens.<br>When transforming an X509 Certificate, the Certificate module must be consumed, and the published rest-sts instance must be configured with the name of the Certificate module (or the service containing the module), and the header name configured for the Certificate module corresponding to where the Certificate module can expect to find the to-be-validated Certificate. The following string would define these configurations: <code>X509|module|cert_module|x509_token_auth_target_header_key=client_cert</code>. In this case 'cert_module' is the name of the Certificate module, and client_cert is the header name where the Certificate module has been configured to find the client's Certificate.",
"propertyOrder" : 500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-custom-service-port" : {
"title" : "Custom Port QName",
"description" : "The name attribute of the wsdl:Port element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_port_name</code>",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"deployment-custom-wsdl-location" : {
"title" : "Custom wsdl File",
"description" : "The location (on soap-sts .war accessible filesystem or soap-sts .war classpath) of the custom wsdl file.<br><br>If the signing and/or encryption of the request and/or response messages specified in the SecurityPolicy bindings of standard soap-sts wsdl files must be customized, specify the name of the customized wsdl file here. See documentation for additional details.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"deployment-am-url" : {
"title" : "OpenAM URL",
"description" : "Set to URL of the OpenAM instance or site deployment.<br><br>The OpenAM deployment will be consulted for published soap-sts instances, and to authenticate and issue tokens.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"delegation-validated-token-types" : {
"title" : "Delegated Token Types",
"description" : "If delegation relationships are supported, out-of-the-box validation support for the validation of username and OpenAM session tokens included as the ActAs/OnBehalfOf element is configured here.<br><br>If a value is selected in this list, then no Custom Delegation Handlers must be specified. The true/false value indicates whether the interim OpenAM session, created as part of delegated token validation, should be invalidated following token creation.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-wsdl-location" : {
"title" : "Wsdl File Referencing Security Policy Binding Selection",
"description" : "Choose the SupportingToken type and corresponding SecurityPolicy binding which will protect your sts instance. This choice will determine the SecurityPolicy bindings in the wsdl file defining the WS-Trust API.<br><br>Note that the SupportingToken type selected must correspond to the Security Policy Validated Token selection. Note that if a custom wsdl file is chosen, the user is responsible for providing a properly formatted wsdl file. See documentation for details.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"deployment-custom-service-name" : {
"title" : "Custom Service QName",
"description" : "The name attribute of the wsdl:Service element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_name</code>",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"soapStsGeneral" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"security-policy-validated-token-config" : {
"title" : "Security Policy Validated Token",
"description" : "Determines the SupportingToken type in the WS-SecurityPolicy bindings in the soap STS' wsdl, and whether the interim OpenAM session resulting from successful SupportingToken validation should be invalidated following token issue.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"issued-token-types" : {
"title" : "Issued Tokens",
"description" : "Determines which tokens this soap STS instance will issue",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"persist-issued-tokens-in-cts" : {
"title" : "Persist Issued Tokens in Core Token Store",
"description" : "Necessary to support token validation and cancellation<br><br>Validation of STS-issued tokens will involve determining whether the token has been issued, has not expired, and has not been cancelled. Token cancellation involves removing the record of this token from the CTS. Thus CTS persistence of STS-issued tokens is required to support these features.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
}
}
}
}
}
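The descriptions in this schema state several constraints the server enforces only after the request is submitted: built-in delegated token validation and custom delegation handlers are mutually exclusive, whole-assertion encryption excludes NameID/attribute encryption, signed or encrypted SAML2 assertions need a keystore and the matching key alias, and HMAC-signed OIDC tokens need a client secret while RSA-signed ones need the full keystore tuple. The following pre-flight check is an added example, not OpenAM code; it applies those constraints to a candidate request body before it is sent to the Create or Update operation. The use of JWS algorithm prefixes (HS*/RS*) to tell HMAC from RSA signing is an assumption, as the page only speaks of "HMAC-signed" and "RSA-signed" tokens, and the token type names SAML2 and OPENIDCONNECT are taken from the token-transformation text elsewhere in the schema.

```python
"""Pre-flight consistency check for a soap-sts instance configuration body.

Added example (not OpenAM code). Returns the list of constraint violations
found in a dict shaped like the request body of the Create/Update operations;
an empty list means the body is consistent with the schema descriptions.
"""


def _present(section: dict, key: str) -> bool:
    """True when the property is set to a non-empty value."""
    return section.get(key) not in (None, "", [], {})


def validate_soap_sts_config(cfg: dict) -> list:
    problems = []
    deployment = cfg.get("soapStsDeployment", {})
    saml2 = cfg.get("soapStsSaml2", {})
    oidc = cfg.get("soapStsOidc", {})
    general = cfg.get("soapStsGeneral", {})
    issued = general.get("issued-token-types", [])

    # Deployment: built-in delegated token validation and custom
    # TokenDelegationHandlers are mutually exclusive, and both only apply
    # when ActAs/OnBehalfOf delegation relationships are enabled.
    has_types = _present(deployment, "delegation-validated-token-types")
    has_handlers = _present(deployment, "delegation-custom-token-handlers")
    if has_types and has_handlers:
        problems.append("delegation-validated-token-types and "
                        "delegation-custom-token-handlers are mutually exclusive")
    if (has_types or has_handlers) and not deployment.get("delegation-relationship-supported", False):
        problems.append("delegated token validation configured but "
                        "delegation-relationship-supported is false")

    # SAML2: encrypting the whole assertion excludes element-level encryption.
    sign = saml2.get("saml2-sign-assertion", False)
    enc_all = saml2.get("saml2-encrypt-assertion", False)
    enc_part = saml2.get("saml2-encrypt-nameid", False) or saml2.get("saml2-encrypt-attributes", False)
    if enc_all and enc_part:
        problems.append("saml2-encrypt-assertion cannot be combined with "
                        "saml2-encrypt-nameid or saml2-encrypt-attributes")
    # Signing/encryption need the keystore plus the matching key alias.
    if "SAML2" in issued:
        if sign and not _present(saml2, "saml2-signature-key-alias"):
            problems.append("saml2-sign-assertion requires saml2-signature-key-alias")
        if (enc_all or enc_part) and not _present(saml2, "saml2-encryption-key-alias"):
            problems.append("encrypting the assertion requires saml2-encryption-key-alias")
        if (sign or enc_all or enc_part) and not _present(saml2, "saml2-keystore-filename"):
            problems.append("signed or encrypted assertions require saml2-keystore-filename")

    # OIDC: HMAC signing needs the client secret; RSA signing needs the
    # keystore location, password, key alias and key password.
    # Assumption: algorithm names follow JWS (HS256, RS256, ...).
    if "OPENIDCONNECT" in issued:
        alg = oidc.get("oidc-signature-algorithm", "")
        if alg.startswith("HS") and not _present(oidc, "oidc-client-secret"):
            problems.append("HMAC-signed OIDC tokens require oidc-client-secret")
        if alg.startswith("RS"):
            for key in ("oidc-keystore-location", "oidc-keystore-password",
                        "oidc-signature-key-alias", "oidc-signature-key-password"):
                if not _present(oidc, key):
                    problems.append("RSA-signed OIDC tokens require " + key)
    return problems


# Constructed sample body (hypothetical values, not from a real deployment).
SAMPLE_CONFIG = {
    "soapStsGeneral": {"issued-token-types": ["SAML2", "OPENIDCONNECT"]},
    "soapStsDeployment": {
        "delegation-relationship-supported": True,
        "delegation-validated-token-types": ["USERNAME"],
    },
    "soapStsSaml2": {
        "saml2-sign-assertion": True,
        "saml2-signature-key-alias": "idp-signing",
        "saml2-keystore-filename": "/opt/openam/sts.jks",
    },
    "soapStsOidc": {
        "oidc-signature-algorithm": "RS256",
        "oidc-keystore-location": "/opt/openam/sts.jks",
        "oidc-keystore-password": "changeit",
        "oidc-signature-key-alias": "oidc-signing",
        "oidc-signature-key-password": "changeit",
    },
}

if __name__ == "__main__":
    for problem in validate_soap_sts_config(SAMPLE_CONFIG):
        print("config error:", problem)
```

Run the check against the JSON you are about to submit; every entry it reports would otherwise surface only as a server-side failure or, worse, as an instance published with a weaker security policy than intended (for example an "encrypted" assertion whose encryption key alias is missing).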
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"soapStsSaml2" : {
"type" : "object",
"title" : "SAML2 Token",
"propertyOrder" : 3,
"properties" : {
"saml2-name-id-format" : {
"title" : "NameIdFormat",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"saml2-custom-attribute-mapper-class-name" : {
"title" : "Custom Attribute Mapper Class Name",
"description" : "If the class implementing attribute mapping for attributes contained in the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3300,
"required" : false,
"type" : "string"
},
"saml2-encryption-key-alias" : {
"title" : "Encryption Key Alias",
"description" : "This alias corresponds to the SP's X.509 certificate, identified by the SP Entity ID configured for this STS instance. Not necessary unless assertions are to be encrypted.",
"propertyOrder" : 4400,
"required" : false,
"type" : "string"
},
"saml2-keystore-filename" : {
"title" : "KeystorePath",
"description" : "Path to keystore<br><br>Provide either the full filesystem path to a filesystem resident keystore, or a classpath-relative path to a keystore bundled in the OpenAM .war file. This keystore contains the IdP public/private keys and SP public key for signed and/or encrypted assertions. If assertions are neither signed nor encrypted, these values need not be specified.",
"propertyOrder" : 4100,
"required" : false,
"type" : "string"
},
"saml2-custom-authz-decision-statements-provider-class-name" : {
"title" : "Custom Authorization Decision Statements Class Name",
"description" : "If the AuthorizationDecisionStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthzDecisionStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"issuer-name" : {
"title" : "SAML2 issuer Id",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"saml2-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Corresponds to the private key of the IdP. Will be used to sign assertions. Value can remain unspecified unless assertions are signed.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"saml2-encryption-algorithm" : {
"title" : "Encryption Algorithm",
"description" : "Algorithm used to encrypt generated assertions.",
"propertyOrder" : 4000,
"required" : false,
"type" : "string"
},
"saml2-custom-authentication-statements-provider-class-name" : {
"title" : "Custom AuthenticationStatements Class Name",
"description" : "If the AuthenticationStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthenticationStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"saml2-custom-authn-context-mapper-class-name" : {
"title" : "Custom Authentication Context Class Name",
"description" : "If the AuthnContext mapping implemented by the <code>org.forgerock.openam.sts.soap.token.provider.saml2.DefaultSaml2XmlTokenAuthnContextMapper</code> class needs to be customized, implement the <code>org.forgerock.openam.sts.soap.token.provider.saml2.Saml2XmlTokenAuthnContextMapper</code> interface, and specify the name of the implementation here.",
"propertyOrder" : 3400,
"required" : false,
"type" : "string"
},
"saml2-sp-entity-id" : {
"title" : "Service Provider Entity Id",
"description" : "This value is used to populate the Audiences of the AudienceRestriction element of the Conditions element. It is required when issuing Bearer assertions. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"saml2-custom-subject-provider-class-name" : {
"title" : "Custom Subject Provider Class Name ",
"description" : "If the Subject of the issued SAML2 assertion needs to be customized, implement the org.forgerock.openam.sts.tokengeneration.saml2.statements.SubjectProvider interface, and specify the class name of the implementation here.",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"saml2-sign-assertion" : {
"title" : "Sign Assertion",
"propertyOrder" : 3600,
"required" : false,
"type" : "boolean"
},
"saml2-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 4200,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 4600,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-custom-attribute-statements-provider-class-name" : {
"title" : "Custom AttributeStatements Class Name",
"description" : "If the AttributeStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"saml2-encrypt-attributes" : {
"title" : "Encrypt Attributes",
"description" : "Check this box if the assertion Attributes should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 3800,
"required" : false,
"type" : "boolean"
},
"saml2-encrypt-nameid" : {
"title" : "Encrypt NameID",
"description" : "Check this box if the assertion NameID should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 3900,
"required" : false,
"type" : "boolean"
},
"saml2-sp-acs-url" : {
"title" : "Service Provider Assertion Consumer Service Url",
"description" : "When issuing bearer assertions, the recipient attribute of the SubjectConfirmation element must be set to the Service Provider Assertion Consumer Service Url. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details. Value required when issuing Bearer assertions.",
"propertyOrder" : 2500,
"required" : false,
"type" : "string"
},
"saml2-encrypt-assertion" : {
"title" : "Encrypt Assertion",
"description" : "Check this box if the entire assertion should be encrypted. If this box is checked, the Encrypt NameID and Encrypt Attributes boxes cannot be checked.",
"propertyOrder" : 3700,
"required" : false,
"type" : "boolean"
},
"saml2-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 2700,
"required" : false,
"type" : "integer"
},
"saml2-attribute-map" : {
"title" : "Attribute Mappings",
"description" : "Contains the mapping of assertion attribute names (Map keys) to local OpenAM attributes (Map values) in configured data stores.<br>Format: <code>assertion_attr_name=ldap_attr_name</code><br><br>The DefaultAttributeMapper looks at profile attributes in configured data stores, or in Session properties. The keys define the names of the attributes included in the Assertion Attribute statements, and the data pulled from the subject's directory entry or session state corresponding to the map value defines the value of that attribute. The keys can have the format <code>[NameFormatURI|]SAML ATTRIBUTE NAME</code>. If the attribute value is enclosed in quotes, that quoted value is included in the attribute without mapping. Binary attributes should be followed by ';binary'.<br>Examples: <ul><li>EmailAddress=mail</li><li>Address=postaladdress</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn</li><li>partnerID=\"staticPartnerIDValue\"</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\"</li><li>photo=photo;binary</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary</li></ul>",
"propertyOrder" : 3500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"saml2-custom-conditions-provider-class-name" : {
"title" : "Custom Conditions Provider Class Name ",
"description" : "If the Conditions of the issued SAML2 assertion need to be customized, implement the org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider interface, and specify the class name of the implementation here.",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
}
}
},
"soapStsSoap" : {
"type" : "object",
"title" : "Soap Keystore",
"propertyOrder" : 2,
"properties" : {
"soap-keystore-filename" : {
"title" : "Soap Keystore Location",
"description" : "The location of the keystore which contains the key state necessary for the CXF and WSS4j runtime to enforce the SecurityPolicy bindings associated with this STS instance.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"soap-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 1500,
"required" : false,
"type" : "string",
"format" : "password"
},
"soap-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 1800,
"required" : false,
"type" : "string",
"format" : "password"
},
"soap-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Alias of key used to sign messages from STS. Necessary for asymmetric binding.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"soap-encryption-key-alias" : {
"title" : "Decryption Key Alias",
"description" : "Alias of key used by the STS to decrypt client messages in the asymmetric binding, and to decrypt the client-generated symmetric key in the symmetric binding. Corresponds to an STS PrivateKeyEntry.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"soap-encryption-key-password" : {
"title" : "Decryption Key Password",
"propertyOrder" : 2100,
"required" : false,
"type" : "string",
"format" : "password"
}
}
},
"soapStsOidc" : {
"type" : "object",
"title" : "OpenID Connect Token ",
"propertyOrder" : 4,
"properties" : {
"oidc-issuer" : {
"title" : "OpenID Connect Token Provider ID",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"oidc-client-secret" : {
"title" : "Client Secret",
"description" : "For HMAC-signed tokens, the client secret used as the HMAC key<br><br>For HMAC-signed tokens, the KeyStore location, password, signature key alias and password configurations are not required.",
"propertyOrder" : 5700,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 5500,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-audience" : {
"title" : "Issued Tokens Audience",
"description" : "Contents will be set in the aud claim",
"propertyOrder" : 5900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidc-custom-authn-method-references-mapper-class" : {
"title" : "Custom Authn Methods References Mapper Class",
"description" : "If issued OIDC tokens are to contain amr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthMethodReferencesMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 6400,
"required" : false,
"type" : "string"
},
"oidc-custom-claim-mapper-class" : {
"title" : "Custom Claim Mapper Class",
"propertyOrder" : 6200,
"required" : false,
"type" : "string"
},
"oidc-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 4800,
"required" : false,
"type" : "integer"
},
"oidc-claim-map" : {
"title" : "Claim Map",
"description" : "Contains the mapping of OIDC token claim names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>claim_name=attribute_name</code><br><br>The keys in the map will be claim entries in the issued OIDC token, and the value of these claims will be the principal attribute state resulting from LDAP datastore lookup of the map values. If no values are returned from the LDAP datastore lookup of the attribute corresponding to the map value, no claim will be set in the issued OIDC token.",
"propertyOrder" : 6100,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"oidc-keystore-password" : {
"title" : "KeyStore Password",
"propertyOrder" : 5200,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-signature-key-alias" : {
"title" : "KeyStore Signing Key Alias",
"description" : "For RSA-signed tokens, corresponds to the private key of the OIDC OP. Will be used to sign issued tokens.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"oidc-keystore-location" : {
"title" : "KeyStore Location",
"description" : "For RSA-signed tokens, the filesystem or classpath location of the KeyStore containing signing key entry<br><br>For RSA-signed tokens, the KeyStore location, password, signing-key alias, and signing key password must be specified. The client secret is not required for RSA-signed tokens.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
},
"oidc-signature-algorithm" : {
"title" : "Token Signature Algorithm",
"description" : "Algorithm used to sign issued OIDC tokens",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"oidc-custom-authn-context-mapper-class" : {
"title" : "Custom Authn Context Mapper Class",
"description" : "If issued OIDC tokens are to contain acr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthnContextMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 6300,
"required" : false,
"type" : "string"
},
"oidc-authorized-party" : {
"title" : "Authorized Party ",
"description" : "Optional. Will be set in the azp claim",
"propertyOrder" : 6000,
"required" : false,
"type" : "string"
},
"oidc-public-key-reference-type" : {
"title" : "Public Key Reference Type",
"description" : "For RSA-signed tokens, how the corresponding public key should be referenced in the issued JWT.",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
}
}
},
"soapStsDeployment" : {
"type" : "object",
"title" : "Deployment",
"propertyOrder" : 1,
"properties" : {
"delegation-relationship-supported" : {
"title" : "Delegation Relationships Supported",
"description" : "Check if the RST will include ActAs/OnBehalfOf token elements<br><br>If SAML2 assertions with SenderVouches SubjectConfirmation are to be issued, this box must be checked.",
"propertyOrder" : 1100,
"required" : false,
"type" : "boolean"
},
"delegation-custom-token-handlers" : {
"title" : "Custom Delegation Handlers ",
"description" : "If delegation relationships are supported, the class names of implementations of the <code>org.apache.cxf.sts.token.delegation.TokenDelegationHandler</code> interface, resident on the soap-sts .war classpath, can be specified here.<br><br>Custom TokenDelegationHandler implementations are invoked to validate the (potentially custom) token element included in the ActAs/OnBehalfOf element of the RequestSecurityToken invocation. Note that a TokenDelegationHandler does not need to be supplied to validate username or OpenAM session tokens: validation of these tokens is supported out-of-the-box by selecting them in the Delegated Token Types list.",
"propertyOrder" : 1300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-auth-target-mappings" : {
"title" : "Authentication Target Mappings",
"description" : "Configuration of consumption of OpenAM's REST authentication (rest-authN)<br><br>Each deployed STS is configured with the authentication targets for each input token type of each supported token transformation. For example, if the transformation OPENIDCONNECT->SAML2 is supported, the STS instance must be configured with information specifying which elements of the OpenAM RESTful authentication context need to be consumed to validate the OPENIDCONNECT token. The elements of the configuration tuple are separated by '|'.<br>The first element is the input token type in the token transform, i.e. X509, OPENIDCONNECT, USERNAME, or OPENAM. The second element is the authentication target, i.e. either 'module' or 'service', and the third element is the name of the authentication module or service. The fourth (optional) element provides the STS with information about the to-be-consumed authentication context.<br>When transforming OpenID Connect ID tokens, the OpenID Connect authentication module must be consumed, and thus the deployed STS instance must be configured with the name of the header/cookie element where the OpenID Connect ID token will be placed. For this example, the following string would define these configurations: <code>OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token</code>. In this case, 'oidc' is the name of the OpenID Connect authentication module created to authenticate OpenID Connect tokens.<br>When transforming an X509 Certificate, the Certificate module must be consumed, and the published STS instance must be configured with the name of the Certificate module (or the service containing the module), and the header name configured for the Certificate module, corresponding to where the Certificate module can expect to find the to-be-validated Certificate. The following string would define these configurations: <code>X509|module|cert_module|x509_token_auth_target_header_key=client_cert</code>. In this case 'cert_module' is the name of the Certificate module, and client_cert is the header name where the Certificate module has been configured to find the client's Certificate.",
"propertyOrder" : 500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-custom-service-port" : {
"title" : "Custom Port QName",
"description" : "The name attribute of the wsdl:Port element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_port_name</code>",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"deployment-custom-wsdl-location" : {
"title" : "Custom wsdl File",
"description" : "The location (on the soap-sts .war accessible filesystem or the soap-sts .war classpath) of the custom wsdl file.<br><br>If the signing and/or encryption of the request and/or response messages specified in the SecurityPolicy bindings of the standard soap-sts wsdl files must be customized, specify the name of the customized wsdl file here. See documentation for additional details.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"deployment-am-url" : {
"title" : "OpenAM URL",
"description" : "Set to URL of the OpenAM instance or site deployment.<br><br>The OpenAM deployment will be consulted for published soap-sts instances, and to authenticate and issue tokens.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"delegation-validated-token-types" : {
"title" : "Delegated Token Types",
"description" : "If delegation relationships are supported, out-of-the-box validation of username and OpenAM session tokens included as the ActAs/OnBehalfOf element is configured here.<br><br>If a value is selected in this list, then Custom Delegation Handlers must not be specified. The true/false value indicates whether the interim OpenAM session, created as part of delegated token validation, should be invalidated following token creation.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-wsdl-location" : {
"title" : "Wsdl File Referencing Security Policy Binding Selection",
"description" : "Choose the SupportingToken type and corresponding SecurityPolicy binding which will protect your STS instance. This choice determines the SecurityPolicy bindings in the wsdl file defining the WS-Trust API.<br><br>Note that the SupportingToken type selected must correspond to the Security Policy Validated Token selection. If a custom wsdl file is chosen, the user is responsible for providing a properly formatted wsdl file. See documentation for details.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"deployment-custom-service-name" : {
"title" : "Custom Service QName",
"description" : "The name attribute of the wsdl:Service element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_name</code>",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"soapStsGeneral" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"security-policy-validated-token-config" : {
"title" : "Security Policy Validated Token",
"description" : "Determines the SupportingToken type in the WS-SecurityPolicy bindings in the soap STS' wsdl, and whether the interim OpenAM session resulting from successful SupportingToken validation should be invalidated following token issue.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"issued-token-types" : {
"title" : "Issued Tokens",
"description" : "Determines which tokens this soap STS instance will issue",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"persist-issued-tokens-in-cts" : {
"title" : "Persist Issued Tokens in Core Token Store",
"description" : "Necessary to support token validation and cancellation<br><br>Validation of STS-issued tokens will involve determining whether the token has been issued, has not expired, and has not been cancelled. Token cancellation involves removing the record of this token from the CTS. Thus CTS persistence of STS-issued tokens is required to support these features.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
}
}
}
}
}
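Two properties in this schema carry structured values inside plain strings: the '|'-separated tuples of deployment-auth-target-mappings and the [NameFormatURI|]attribute=source entries of saml2-attribute-map. Both are accepted as opaque strings by the API, so a typo (an unknown token type, a misspelled 'module', a mangled static value) is not caught until the instance is exercised. The parsers below are an added example, not OpenAM code, that decode and validate both formats ahead of publishing an instance; the sample strings are the ones given in the two descriptions above, plus a constructed USERNAME|service entry with a hypothetical service name. Treating several comma-separated key=value pairs in the fourth tuple element is an assumption; the page only shows a single pair.

```python
"""Parsers for the delimited string formats used by soap-sts instance config.

Added example (not OpenAM code): decodes deployment-auth-target-mappings
tuples and saml2-attribute-map entries and rejects malformed ones.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TOKEN_TYPES = {"X509", "OPENIDCONNECT", "USERNAME", "OPENAM"}   # first tuple element
AUTH_TARGETS = {"module", "service"}                              # second tuple element


@dataclass
class AuthTargetMapping:
    token_type: str
    target_kind: str
    target_name: str
    context: Dict[str, str] = field(default_factory=dict)


def parse_auth_target_mapping(entry: str) -> AuthTargetMapping:
    """Parse 'TOKEN|module-or-service|name[|key=value[,key=value]]'.

    The optional fourth element names where the module finds the input token,
    e.g. the header carrying an OIDC ID token or a client certificate.
    Assumption: multiple key=value pairs are comma-separated.
    """
    parts = entry.split("|")
    if len(parts) not in (3, 4):
        raise ValueError("expected 3 or 4 '|'-separated elements: %r" % entry)
    token_type, target_kind, target_name = (p.strip() for p in parts[:3])
    if token_type not in TOKEN_TYPES:
        raise ValueError("unknown input token type %r" % token_type)
    if target_kind not in AUTH_TARGETS:
        raise ValueError("target must be 'module' or 'service', got %r" % target_kind)
    if not target_name:
        raise ValueError("authentication module/service name is empty")
    context: Dict[str, str] = {}
    if len(parts) == 4:
        for pair in parts[3].split(","):
            key, sep, value = pair.partition("=")
            if not sep or not key.strip():
                raise ValueError("context element must be key=value, got %r" % pair)
            context[key.strip()] = value.strip()
    return AuthTargetMapping(token_type, target_kind, target_name, context)


@dataclass
class AttributeMapping:
    saml_attribute: str
    name_format: Optional[str]     # NameFormat URI prefix, if the key had one
    source: Optional[str]          # directory/session attribute, None for static
    static_value: Optional[str]    # quoted literal copied into the assertion
    binary: bool                   # value carried a ';binary' suffix


def parse_attribute_mapping(key: str, value: str) -> AttributeMapping:
    """Parse one '[NameFormatURI|]SAML_ATTRIBUTE_NAME' -> 'ldap_attr[;binary]' entry."""
    name_format, sep, saml_attribute = key.rpartition("|")
    if not sep:
        name_format, saml_attribute = None, key
    if not saml_attribute:
        raise ValueError("empty SAML attribute name in key %r" % key)
    if len(value) >= 2 and value[0] == value[-1] == '"':
        # Quoted value: emitted verbatim, no data store lookup.
        return AttributeMapping(saml_attribute, name_format, None, value[1:-1], False)
    source, _, suffix = value.partition(";")
    if suffix and suffix != "binary":
        raise ValueError("unsupported attribute suffix %r in %r" % (suffix, value))
    if not source:
        raise ValueError("empty attribute name in value %r" % value)
    return AttributeMapping(saml_attribute, name_format, source, None, suffix == "binary")


def parse_attribute_map(mapping: Dict[str, str]) -> List[AttributeMapping]:
    return [parse_attribute_mapping(k, v) for k, v in mapping.items()]


# Constructed samples: the first two tuples and the map entries come from the
# schema descriptions; 'ldapService' is a hypothetical service name.
SAMPLE_AUTH_TARGETS = [
    "OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token",
    "X509|module|cert_module|x509_token_auth_target_header_key=client_cert",
    "USERNAME|service|ldapService",
]
SAMPLE_ATTRIBUTE_MAP = {
    "EmailAddress": "mail",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn": "cn",
    "partnerID": '"staticPartnerIDValue"',
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo": "photo;binary",
}

if __name__ == "__main__":
    for entry in SAMPLE_AUTH_TARGETS:
        print(parse_auth_target_mapping(entry))
    for item in parse_attribute_map(SAMPLE_ATTRIBUTE_MAP):
        print(item)
```

Because a quoted value is copied into the assertion without any lookup, the static-value branch is worth a second look in review: a typo that turns a quoted literal into an unquoted one silently becomes a directory attribute lookup (and an empty attribute statement), while the reverse turns an attribute name into a constant asserted for every subject.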
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"soapStsSaml2" : {
"type" : "object",
"title" : "SAML2 Token",
"propertyOrder" : 3,
"properties" : {
"saml2-name-id-format" : {
"title" : "NameIdFormat",
"propertyOrder" : 2600,
"required" : true,
"type" : "string"
},
"saml2-custom-attribute-mapper-class-name" : {
"title" : "Custom Attribute Mapper Class Name",
"description" : "If the class implementing attribute mapping for attributes contained in the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3300,
"required" : false,
"type" : "string"
},
"saml2-encryption-key-alias" : {
"title" : "Encryption Key Alias",
"description" : "This alias corresponds to the SP's X.509 certificate, identified by the SP Entity ID configured for this STS instance. Not necessary unless assertions are to be encrypted.",
"propertyOrder" : 4400,
"required" : false,
"type" : "string"
},
"saml2-keystore-filename" : {
"title" : "KeystorePath",
"description" : "Path to keystore<br><br>Provide either the full filesystem path to a filesystem resident keystore, or a classpath-relative path to a keystore bundled in the OpenAM .war file. This keystore contains the IdP public/private keys and SP public key for signed and/or encrypted assertions. If assertions are neither signed nor encrypted, these values need not be specified.",
"propertyOrder" : 4100,
"required" : false,
"type" : "string"
},
"saml2-custom-authz-decision-statements-provider-class-name" : {
"title" : "Custom Authorization Decision Statements Class Name",
"description" : "If the AuthorizationDecisionStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthzDecisionStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3200,
"required" : false,
"type" : "string"
},
"issuer-name" : {
"title" : "SAML2 issuer Id",
"propertyOrder" : 2300,
"required" : true,
"type" : "string"
},
"saml2-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Corresponds to the private key of the IdP. Will be used to sign assertions. Value can remain unspecified unless assertions are signed.",
"propertyOrder" : 4500,
"required" : true,
"type" : "string"
},
"saml2-encryption-algorithm" : {
"title" : "Encryption Algorithm",
"description" : "Algorithm used to encrypt generated assertions.",
"propertyOrder" : 4000,
"required" : false,
"type" : "string"
},
"saml2-custom-authentication-statements-provider-class-name" : {
"title" : "Custom AuthenticationStatements Class Name",
"description" : "If the AuthenticationStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthenticationStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3000,
"required" : false,
"type" : "string"
},
"saml2-custom-authn-context-mapper-class-name" : {
"title" : "Custom Authentication Context Class Name",
"description" : "If the AuthnContext mapping implemented by the <code>org.forgerock.openam.sts.soap.token.provider.saml2.DefaultSaml2XmlTokenAuthnContextMapper</code> class needs to be customized, implement the <code>org.forgerock.openam.sts.soap.token.provider.saml2.Saml2XmlTokenAuthnContextMapper</code> interface, and specify the name of the implementation here.",
"propertyOrder" : 3400,
"required" : false,
"type" : "string"
},
"saml2-sp-entity-id" : {
"title" : "Service Provider Entity Id",
"description" : "This value is used to populate the Audiences of the AudienceRestriction element of the Conditions element. It is required when issuing Bearer assertions. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details.",
"propertyOrder" : 2400,
"required" : true,
"type" : "string"
},
"saml2-custom-subject-provider-class-name" : {
"title" : "Custom Subject Provider Class Name ",
"description" : "If the Subject of the issued SAML2 assertion needs to be customized, implement the org.forgerock.openam.sts.tokengeneration.saml2.statements.SubjectProvider interface, and specify the class name of the implementation here.",
"propertyOrder" : 2900,
"required" : false,
"type" : "string"
},
"saml2-sign-assertion" : {
"title" : "Sign Assertion",
"propertyOrder" : 3600,
"required" : false,
"type" : "boolean"
},
"saml2-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 4200,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 4600,
"required" : false,
"type" : "string",
"format" : "password"
},
"saml2-custom-attribute-statements-provider-class-name" : {
"title" : "Custom AttributeStatements Class Name",
"description" : "If the AttributeStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 3100,
"required" : false,
"type" : "string"
},
"saml2-encrypt-attributes" : {
"title" : "Encrypt Attributes",
"description" : "Check this box if the assertion Attributes should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 3800,
"required" : false,
"type" : "boolean"
},
"saml2-encrypt-nameid" : {
"title" : "Encrypt NameID",
"description" : "Check this box if the assertion NameID should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.",
"propertyOrder" : 3900,
"required" : false,
"type" : "boolean"
},
"saml2-sp-acs-url" : {
"title" : "Service Provider Assertion Consumer Service Url",
"description" : "When issuing bearer assertions, the recipient attribute of the SubjectConfirmation element must be set to the Service Provider Assertion Consumer Service Url. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details. Value required when issuing Bearer assertions.",
"propertyOrder" : 2500,
"required" : false,
"type" : "string"
},
"saml2-encrypt-assertion" : {
"title" : "Encrypt Assertion",
"description" : "Check this box if the entire assertion should be encrypted. If this box is checked, the Encrypt NameID and Encrypt Attributes boxes cannot be checked.",
"propertyOrder" : 3700,
"required" : false,
"type" : "boolean"
},
"saml2-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 2700,
"required" : false,
"type" : "integer"
},
"saml2-attribute-map" : {
"title" : "Attribute Mappings",
"description" : "Contains the mapping of assertion attribute names (Map keys) to local OpenAM attributes (Map values) in configured data stores.<br>Format: <code>assertion_attr_name=ldap_attr_name</code><br><br>The DefaultAttributeMapper looks at profile attributes in configured data stores, or in Session properties. The keys define the names of the attributes included in the Assertion Attribute statements, and the data pulled from the subject's directory entry or session state corresponding to the map value defines the value of that attribute. The keys can have the format <code>[NameFormatURI|]SAML ATTRIBUTE NAME</code>. If the attribute value is enclosed in quotes, that quoted value is included in the attribute without mapping. Binary attributes should be followed by ';binary'.<br>Examples: <ul><li>EmailAddress=mail</li><li>Address=postaladdress</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn</li><li>partnerID=\"staticPartnerIDValue\"</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\"</li><li>photo=photo;binary</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary</li></ul>",
"propertyOrder" : 3500,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"saml2-custom-conditions-provider-class-name" : {
"title" : "Custom Conditions Provider Class Name ",
"description" : "If the Conditions of the issued SAML2 assertion need to be customized, implement the org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider interface, and specify the class name of the implementation here.",
"propertyOrder" : 2800,
"required" : false,
"type" : "string"
}
}
},
"soapStsSoap" : {
"type" : "object",
"title" : "Soap Keystore",
"propertyOrder" : 2,
"properties" : {
"soap-keystore-filename" : {
"title" : "Soap Keystore Location",
"description" : "The location of the keystore which contains the key state necessary for the CXF and WSS4j runtime to enforce the SecurityPolicy bindings associated with this STS instance.",
"propertyOrder" : 1400,
"required" : false,
"type" : "string"
},
"soap-keystore-password" : {
"title" : "Keystore Password",
"propertyOrder" : 1500,
"required" : false,
"type" : "string",
"format" : "password"
},
"soap-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 1800,
"required" : false,
"type" : "string",
"format" : "password"
},
"soap-signature-key-alias" : {
"title" : "Signature Key Alias",
"description" : "Alias of key used to sign messages from STS. Necessary for asymmetric binding.",
"propertyOrder" : 1700,
"required" : true,
"type" : "string"
},
"soap-encryption-key-alias" : {
"title" : "Decryption Key Alias",
"description" : "Alias of key used by the STS to decrypt client messages in the asymmetric binding, and to decrypt the client-generated symmetric key in the symmetric binding. Corresponds to an STS PrivateKeyEntry.",
"propertyOrder" : 2000,
"required" : false,
"type" : "string"
},
"soap-encryption-key-password" : {
"title" : "Decryption Key Password",
"propertyOrder" : 2100,
"required" : false,
"type" : "string",
"format" : "password"
}
}
},
"soapStsOidc" : {
"type" : "object",
"title" : "OpenID Connect Token ",
"propertyOrder" : 4,
"properties" : {
"oidc-issuer" : {
"title" : "OpenID Connect Token Provider ID",
"propertyOrder" : 4700,
"required" : true,
"type" : "string"
},
"oidc-client-secret" : {
"title" : "Client Secret",
"description" : "For HMAC-signed tokens, the client secret used as the HMAC key<br><br>For HMAC-signed tokens, the KeyStore location, password, signature key alias and password configurations are not required.",
"propertyOrder" : 5700,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-signature-key-password" : {
"title" : "Signature Key Password",
"propertyOrder" : 5500,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-audience" : {
"title" : "Issued Tokens Audience",
"description" : "Contents will be set in the aud claim",
"propertyOrder" : 5900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"oidc-custom-authn-method-references-mapper-class" : {
"title" : "Custom Authn Methods References Mapper Class",
"description" : "If issued OIDC tokens are to contain amr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthMethodReferencesMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 6400,
"required" : false,
"type" : "string"
},
"oidc-custom-claim-mapper-class" : {
"title" : "Custom Claim Mapper Class",
"propertyOrder" : 6200,
"required" : false,
"type" : "string"
},
"oidc-token-lifetime-seconds" : {
"title" : "Token Lifetime (Seconds)",
"propertyOrder" : 4800,
"required" : false,
"type" : "integer"
},
"oidc-claim-map" : {
"title" : "Claim Map",
"description" : "Contains the mapping of OIDC token claim names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>claim_name=attribute_name</code><br><br>The keys in the map will be claim entries in the issued OIDC token, and the value of these claims will be the principal attribute state resulting from LDAP datastore lookup of the map values. If no values are returned from the LDAP datastore lookup of the attribute corresponding to the map value, no claim will be set in the issued OIDC token.",
"propertyOrder" : 6100,
"required" : false,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
},
"oidc-keystore-password" : {
"title" : "KeyStore Password",
"propertyOrder" : 5200,
"required" : true,
"type" : "string",
"format" : "password"
},
"oidc-signature-key-alias" : {
"title" : "KeyStore Signing Key Alias",
"description" : "For RSA-signed tokens, corresponds to the private key of the OIDC OP. Will be used to sign assertions.",
"propertyOrder" : 5400,
"required" : true,
"type" : "string"
},
"oidc-keystore-location" : {
"title" : "KeyStore Location",
"description" : "For RSA-signed tokens, the filesystem or classpath location of the KeyStore containing signing key entry<br><br>For RSA-signed tokens, the KeyStore location, password, signing-key alias, and signing key password must be specified. The client secret is not required for RSA-signed tokens.",
"propertyOrder" : 5100,
"required" : true,
"type" : "string"
},
"oidc-signature-algorithm" : {
"title" : "Token Signature Algorithm",
"description" : "Algorithm used to sign issued OIDC tokens",
"propertyOrder" : 4900,
"required" : false,
"type" : "string"
},
"oidc-custom-authn-context-mapper-class" : {
"title" : "Custom Authn Context Mapper Class",
"description" : "If issued OIDC tokens are to contain acr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthnContextMapper</code> interface, and specify the class name of the implementation here.",
"propertyOrder" : 6300,
"required" : false,
"type" : "string"
},
"oidc-authorized-party" : {
"title" : "Authorized Party ",
"description" : "Optional. Will be set in the azp claim",
"propertyOrder" : 6000,
"required" : false,
"type" : "string"
},
"oidc-public-key-reference-type" : {
"title" : "Public Key Reference Type",
"description" : "For tokens signed with RSA, how should corresponding public key be referenced in the issued jwt",
"propertyOrder" : 5000,
"required" : false,
"type" : "string"
}
}
},
"soapStsDeployment" : {
"type" : "object",
"title" : "Deployment",
"propertyOrder" : 1,
"properties" : {
"delegation-relationship-supported" : {
"title" : "Delegation Relationships Supported",
"description" : "Check if the RST will include ActAs/OnBehalfOf token elements<br><br>If SAML2 assertions with SenderVouches SubjectConfirmation are to be issued, this box must be checked.",
"propertyOrder" : 1100,
"required" : false,
"type" : "boolean"
},
"delegation-custom-token-handlers" : {
"title" : "Custom Delegation Handlers ",
"description" : "If delegation relationships are supported, the class names of implementations of the <code>org.apache.cxf.sts.token.delegation.TokenDelegationHandler</code> interface resident on the soap-sts .war file classpath can be specified here.<br><br>Custom TokenDelegationHandler implementations will be invoked to validate the potentially custom token element included in the ActAs/OnBehalfOf element of the RequestSecurityToken invocation. Note that a TokenDelegationHandler does not need to be supplied to validate username or OpenAM session tokens. The validation of these tokens is supported out-of-the-box by selecting them in the Delegated Token Types list.",
"propertyOrder" : 1300,
"required" : false,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-auth-target-mappings" : {
"title" : "Authentication Target Mappings",
"description" : "Configuration of consumption of OpenAM's rest-authN<br><br>Each deployed STS is configured with the authentication targets for each input token type for each supported token transformation. For example, if the transformation OPENIDCONNECT->SAML2 is supported, the STS instance must be configured with information specifying which elements of the OpenAM restful authentication context need to be consumed to validate the OPENIDCONNECT token. The elements of the configuration tuple are separated by '|'. <br>The first element is the input token type in the token transform: i.e. X509, OPENIDCONNECT, USERNAME, or OPENAM. The second element is the authentication target - i.e. either 'module' or 'service', and the third element is the name of the authentication module or service. The fourth (optional) element provides the STS authentication context information about the to-be-consumed authentication context. <br>When transforming OpenID Connect Id tokens, the OpenID Connect authentication module must be consumed, and thus a deployed rest-sts instance must be configured with the name of the header/cookie element where the OpenID Connect Id token will be placed. For this example, the following string would define these configurations: <code>OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token</code>. In this case, 'oidc' is the name of the OpenID Connect authentication module created to authenticate OpenID Connect tokens. <br>When transforming an X509 Certificate, the Certificate module must be consumed, and the published rest-sts instance must be configured with the name of the Certificate module (or the service containing the module), and the header name configured for the Certificate module corresponding to where the Certificate module can expect to find the to-be-validated Certificate. The following string would define these configurations: <code>X509|module|cert_module|x509_token_auth_target_header_key=client_cert</code>. In this case 'cert_module' is the name of the Certificate module, and client_cert is the header name where the Certificate module has been configured to find the client's Certificate.",
"propertyOrder" : 500,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-custom-service-port" : {
"title" : "Custom Port QName",
"description" : "The name attribute of the wsdl:Port element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_port_name</code>",
"propertyOrder" : 1000,
"required" : false,
"type" : "string"
},
"deployment-custom-wsdl-location" : {
"title" : "Custom wsdl File",
"description" : "The location (on soap-sts .war accessible filesystem or soap-sts .war classpath) of the custom wsdl file.<br><br>If the signing and/or encryption of the request and/or response messages specified in the SecurityPolicy bindings of standard soap-sts wsdl files must be customized, specify the name of the customized wsdl file here. See documentation for additional details.",
"propertyOrder" : 800,
"required" : false,
"type" : "string"
},
"deployment-am-url" : {
"title" : "OpenAM URL",
"description" : "Set to URL of the OpenAM instance or site deployment.<br><br>The OpenAM deployment will be consulted for published soap-sts instances, and to authenticate and issue tokens.",
"propertyOrder" : 600,
"required" : true,
"type" : "string"
},
"delegation-validated-token-types" : {
"title" : "Delegated Token Types",
"description" : "If delegation relationships are supported, out-of-the-box support for validating username and OpenAM session tokens included as the ActAs/OnBehalfOf element is configured here.<br><br>If a value is selected in this list, then no Custom Delegation Handlers must be specified. The true/false value indicates whether the interim OpenAM session, created as part of delegated token validation, should be invalidated following token creation.",
"propertyOrder" : 1200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deployment-wsdl-location" : {
"title" : "Wsdl File Referencing Security Policy Binding Selection",
"description" : "Choose the SupportingToken type and corresponding SecurityPolicy binding which will protect your sts instance. This choice determines the SecurityPolicy bindings in the wsdl file defining the WS-Trust API<br><br>Note that the SupportingToken type selected must correspond to the Security Policy Validated Token selection. Note that if a custom wsdl file is chosen, the user is responsible for providing a properly formatted wsdl file. See documentation for details.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"deployment-custom-service-name" : {
"title" : "Custom Service QName",
"description" : "The name attribute of the wsdl:Service element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_name</code>",
"propertyOrder" : 900,
"required" : false,
"type" : "string"
}
}
},
"soapStsGeneral" : {
"type" : "object",
"title" : "General",
"propertyOrder" : 0,
"properties" : {
"security-policy-validated-token-config" : {
"title" : "Security Policy Validated Token",
"description" : "Determines the SupportingToken type in the WS-SecurityPolicy bindings in the soap STS' wsdl, and whether the interim OpenAM session resulting from successful SupportingToken validation, should be invalidated following token issue.",
"propertyOrder" : 300,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"issued-token-types" : {
"title" : "Issued Tokens",
"description" : "Determines which tokens this soap STS instance will issue",
"propertyOrder" : 200,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"persist-issued-tokens-in-cts" : {
"title" : "Persist Issued Tokens in Core Token Store",
"description" : "Necessary to support token validation and cancellation<br><br>Validation of STS-issued tokens will involve determining whether the token has been issued, has not expired, and has not been cancelled. Token cancellation involves removing the record of this token from the CTS. Thus CTS persistence of STS-issued tokens is required to support these features.",
"propertyOrder" : 100,
"required" : false,
"type" : "boolean"
}
}
}
}
}
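Two of the soap-sts properties above carry structured values inside plain strings: the Attribute Mappings map (saml2-attribute-map, keys of the form `[NameFormatURI|]SAML ATTRIBUTE NAME`, values that are either an attribute name, optionally suffixed with `;binary`, or a quoted literal) and the Authentication Target Mappings array (deployment-auth-target-mappings, `|`-separated tuples whose optional fourth element is a `key=value` pair). The following is an added example, not OpenAM code, that parses and validates both formats so a configuration can be checked before it is published; it follows only the grammar the descriptions give. The rule that X509 and OPENIDCONNECT mappings must carry the fourth element is taken from the description's wording about header/cookie keys, and the check for one mapping per input token type is an assumption.

```python
"""Parsers for two soap-sts configuration string formats described above:
the Attribute Mappings map (saml2-attribute-map) and the Authentication
Target Mappings list (deployment-auth-target-mappings). Added example, not
OpenAM code; it follows only the grammar given in the descriptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BINARY_SUFFIX = ";binary"
INPUT_TOKEN_TYPES = {"X509", "OPENIDCONNECT", "USERNAME", "OPENAM"}
# The description says header/cookie-carried tokens need the fourth element.
TYPES_NEEDING_CONTEXT = {"X509", "OPENIDCONNECT"}


@dataclass(frozen=True)
class AttributeMapping:
    saml_attribute: str          # attribute name placed in the AttributeStatement
    name_format: Optional[str]   # NameFormat URI given before '|', if any
    source: Optional[str]        # profile/session attribute to read (None if static)
    static_value: Optional[str]  # quoted literal copied into the assertion as-is
    binary: bool                 # value carried the ';binary' suffix


def parse_attribute_mapping(key: str, value: str) -> AttributeMapping:
    """Parse one entry: key '[NameFormatURI|]SAML ATTRIBUTE NAME', value either
    a double-quoted literal or an attribute name optionally ending ';binary'."""
    name_format, sep, attr = key.partition("|")
    if not sep:
        name_format, attr = None, key
    attr = attr.strip()
    if not attr:
        raise ValueError(f"empty SAML attribute name in key {key!r}")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        # Quoted value: included in the attribute without any lookup.
        return AttributeMapping(attr, name_format, None, value[1:-1], False)
    binary = value.endswith(BINARY_SUFFIX)
    if binary:
        value = value[: -len(BINARY_SUFFIX)]
    if not value:
        raise ValueError(f"empty local attribute name for key {key!r}")
    return AttributeMapping(attr, name_format, value, None, binary)


def parse_attribute_map(mapping: Dict[str, str]) -> List[AttributeMapping]:
    """Parse the whole map as it appears in the JSON configuration."""
    return [parse_attribute_mapping(k, v) for k, v in mapping.items()]


@dataclass(frozen=True)
class AuthTargetMapping:
    token_type: str      # X509, OPENIDCONNECT, USERNAME or OPENAM
    target_kind: str     # 'module' or 'service'
    target_name: str     # name of the authentication module or service
    context: Dict[str, str] = field(default_factory=dict)  # optional 4th element


def parse_auth_target_mapping(entry: str) -> AuthTargetMapping:
    """Parse one '|'-separated tuple, e.g.
    'X509|module|cert_module|x509_token_auth_target_header_key=client_cert'."""
    parts = [p.strip() for p in entry.split("|")]
    if len(parts) not in (3, 4):
        raise ValueError(f"expected 3 or 4 '|'-separated elements: {entry!r}")
    token_type, kind, name = parts[:3]
    if token_type not in INPUT_TOKEN_TYPES:
        raise ValueError(f"unknown input token type {token_type!r}")
    if kind not in ("module", "service"):
        raise ValueError(f"target must be 'module' or 'service', got {kind!r}")
    if not name:
        raise ValueError(f"missing module/service name in {entry!r}")
    context: Dict[str, str] = {}
    if len(parts) == 4:
        ctx_key, sep, ctx_val = parts[3].partition("=")
        if not sep or not ctx_key.strip() or not ctx_val.strip():
            raise ValueError(f"fourth element must be key=value: {parts[3]!r}")
        context[ctx_key.strip()] = ctx_val.strip()
    if token_type in TYPES_NEEDING_CONTEXT and not context:
        raise ValueError(f"{token_type} mapping needs its header/cookie key element")
    return AuthTargetMapping(token_type, kind, name, context)


def check_auth_target_mappings(entries: List[str]) -> List[str]:
    """Return one problem per bad entry (empty list means the config is consistent).
    Assumption: at most one mapping per input token type."""
    problems: List[str] = []
    seen = set()
    for entry in entries:
        try:
            m = parse_auth_target_mapping(entry)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if m.token_type in seen:
            problems.append(f"duplicate mapping for input token type {m.token_type}")
        seen.add(m.token_type)
    return problems
```

Running `check_auth_target_mappings` over the `deployment-auth-target-mappings` array before publishing an instance catches an X509 or OPENIDCONNECT entry that omits the header-key element, which would otherwise only surface as a failed token validation at runtime; `parse_attribute_map` likewise distinguishes a static quoted value from a data-store lookup, so a mapping that accidentally quotes an attribute name is visible before any assertion is issued.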
/realm-config/services/transaction
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"timeToLive" : {
"title" : "Time to Live",
"description" : "The number of seconds within which the transaction must be completed.",
"propertyOrder" : 0,
"required" : true,
"type" : "string"
}
}
}
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"timeToLive" : {
"title" : "Time to Live",
"description" : "The number of seconds within which the transaction must be completed.",
"propertyOrder" : 0,
"required" : true,
"type" : "string"
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"timeToLive" : {
"title" : "Time to Live",
"description" : "The number of seconds within which the transaction must be completed.",
"propertyOrder" : 0,
"required" : true,
"type" : "string"
}
}
}
Delete
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"timeToLive" : {
"title" : "Time to Live",
"description" : "The number of seconds within which the transaction must be completed.",
"propertyOrder" : 0,
"required" : true,
"type" : "string"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/uma
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
STABLE |
⃠ |
Assigned by client |
✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"emailRequestingPartyOnPendingRequestApproval" : {
"title" : "Email Requesting Party on Pending Request approval",
"description" : "Specifies whether to send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"emailResourceOwnerOnPendingRequestCreation" : {
"title" : "Email Resource Owner on Pending Request creation",
"description" : "Specifies whether to send an email to the Resource Owner when a Pending Request is created because a Requesting Party has requested authorization to a resource.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"resharingMode" : {
"title" : "Re-Sharing Mode",
"description" : "Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resource sets that have been shared with them.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"userProfileLocaleAttribute" : {
"title" : "User profile preferred Locale attribute",
"description" : "User profile attribute storing the user's preferred locale.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"grantRptConditions" : {
"title" : "Grant RPTs...",
"description" : "In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scope matches, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. For more information, see the UMA Grant Type specification section on Authorization Assessment and Results Determination.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deleteResourceSetsOnDeleteRS" : {
"title" : "Delete resource sets when Resource Server is removed",
"description" : "Delete all resource sets that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"deletePoliciesOnDeleteRS" : {
"title" : "Delete user policies when Resource Server is removed",
"description" : "Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"permissionTicketLifetime" : {
"title" : "Permission Ticket Lifetime (seconds)",
"description" : "The maximum life of a permission ticket before it expires, in seconds.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"pendingRequestsEnabled" : {
"title" : "Pending Requests Enabled",
"description" : "Specifies whether to use the Pending Requests subsystem that notifies the resource owner that an attempt to access a resource was made.",
"propertyOrder" : 450,
"required" : true,
"type" : "boolean"
}
}
}
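The grantRptConditions description above states the two fixed outcomes (all scope matches: grant; no scope matches: refuse) and leaves the partial case to configuration. The following is an added example, not OpenAM code, that makes the three-way assessment concrete. Its assumptions are labelled: a scope "matches" when the resource owner's policy for the resource permits it; the set under assessment is the union of the permission ticket's scopes and the scopes in the client's token request; and the partial-match condition names in `PARTIAL_MATCH_CONDITIONS` are illustrative, not the values OpenAM accepts for this field.

```python
"""UMA authorization assessment for issuing an RPT, as an added example
(not OpenAM code) of the all / none / partial scope-match distinction that
the grantRptConditions setting configures.

Assumptions (not from the page): a scope matches when the resource owner's
policy permits it; the scopes assessed are the union of the permission
ticket's scopes and the token request's scopes; the partial-match condition
names below are illustrative, not OpenAM's own values."""
from enum import Enum
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Tuple


class Match(Enum):
    ALL = "all"          # every ticket and requested scope is permitted
    NONE = "none"        # no scope is permitted
    PARTIAL = "partial"  # some are permitted; decided by grantRptConditions


def assess(ticket_scopes: Iterable[str], requested_scopes: Iterable[str],
           policy_scopes: Iterable[str]) -> Tuple[Match, FrozenSet[str]]:
    """Classify the match and return the subset of scopes that policy permits."""
    candidate = set(ticket_scopes) | set(requested_scopes)
    if not candidate:
        raise ValueError("nothing to assess: no scope in ticket or request")
    granted = frozenset(candidate & set(policy_scopes))
    if granted == candidate:
        return Match.ALL, granted
    if not granted:
        return Match.NONE, granted
    return Match.PARTIAL, granted


# Hypothetical partial-match conditions, keyed by name. Each receives the
# ticket, requested and policy-permitted scope sets.
Condition = Callable[[FrozenSet[str], FrozenSet[str], FrozenSet[str]], bool]
PARTIAL_MATCH_CONDITIONS: Dict[str, Condition] = {
    # every scope the resource server put on the ticket is permitted
    "ticket-scopes-all-match": lambda t, r, p: t <= p,
    # every scope the client asked for in the token request is permitted
    "requested-scopes-all-match": lambda t, r, p: r <= p,
    # at least one ticket scope is permitted
    "ticket-scopes-partially-match": lambda t, r, p: bool(t & p),
}


def decide_rpt(ticket_scopes: Iterable[str], requested_scopes: Iterable[str],
               policy_scopes: Iterable[str],
               grant_conditions: Iterable[str]) -> Optional[FrozenSet[str]]:
    """Return the scopes to place in the RPT, or None when no RPT is issued.

    ALL always grants, NONE never grants, PARTIAL grants only if one of the
    configured conditions holds; the RPT then carries the permitted scopes only."""
    t, r, p = frozenset(ticket_scopes), frozenset(requested_scopes), frozenset(policy_scopes)
    match, granted = assess(t, r, p)
    if match is Match.ALL:
        return granted
    if match is Match.NONE:
        return None
    for name in grant_conditions:
        try:
            condition = PARTIAL_MATCH_CONDITIONS[name]
        except KeyError:
            raise ValueError(f"unknown grant condition {name!r}") from None
        if condition(t, r, p):
            return granted
    return None


if __name__ == "__main__":
    # Constructed sample: the RS ticketed 'view', the client also asked for
    # 'edit', and the owner's policy shares only 'view'.
    print(decide_rpt({"view"}, {"view", "edit"}, {"view"}, ["ticket-scopes-all-match"]))     # frozenset({'view'})
    print(decide_rpt({"view"}, {"view", "edit"}, {"view"}, ["requested-scopes-all-match"]))  # None
```

The point the sample makes is that the same partial match is granted or refused purely by which condition is configured, and that a granted RPT never carries a scope the policy did not permit: over-requesting by the client widens the candidate set but cannot widen the grant.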
Read
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"emailRequestingPartyOnPendingRequestApproval" : {
"title" : "Email Requesting Party on Pending Request approval",
"description" : "Specifies whether to send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"emailResourceOwnerOnPendingRequestCreation" : {
"title" : "Email Resource Owner on Pending Request creation",
"description" : "Specifies whether to send an email to the Resource Owner when a Pending Request is created because a Requesting Party has requested authorization to a resource.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"resharingMode" : {
"title" : "Re-Sharing Mode",
"description" : "Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resource sets that have been shared with them.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"userProfileLocaleAttribute" : {
"title" : "User profile preferred Locale attribute",
"description" : "User profile attribute storing the user's preferred locale.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"grantRptConditions" : {
"title" : "Grant RPTs...",
"description" : "In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scope matches, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. For more information, see the UMA Grant Type specification section on Authorization Assessment and Results Determination.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deleteResourceSetsOnDeleteRS" : {
"title" : "Delete resource sets when Resource Server is removed",
"description" : "Delete all resource sets that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"deletePoliciesOnDeleteRS" : {
"title" : "Delete user policies when Resource Server is removed",
"description" : "Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"permissionTicketLifetime" : {
"title" : "Permission Ticket Lifetime (seconds)",
"description" : "The maximum life of a permission ticket before it expires, in seconds.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"pendingRequestsEnabled" : {
"title" : "Pending Requests Enabled",
"description" : "Specifies whether to use the Pending Requests subsystem that notifies the resource owner that an attempt to access a resource was made.",
"propertyOrder" : 450,
"required" : true,
"type" : "boolean"
}
}
}
Update
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"emailRequestingPartyOnPendingRequestApproval" : {
"title" : "Email Requesting Party on Pending Request approval",
"description" : "Specifies whether to send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"emailResourceOwnerOnPendingRequestCreation" : {
"title" : "Email Resource Owner on Pending Request creation",
"description" : "Specifies whether to send an email to the Resource Owner when a Pending Request is created because a Requesting Party has requested authorization to a resource.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"resharingMode" : {
"title" : "Re-Sharing Mode",
"description" : "Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resource sets that have been shared with them.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"userProfileLocaleAttribute" : {
"title" : "User profile preferred Locale attribute",
"description" : "User profile attribute storing the user's preferred locale.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"grantRptConditions" : {
"title" : "Grant RPTs...",
"description" : "In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scope matches, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. For more information, see the UMA Grant Type specification section on Authorization Assessment and Results Determination.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deleteResourceSetsOnDeleteRS" : {
"title" : "Delete resource sets when Resource Server is removed",
"description" : "Delete all resource sets that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"deletePoliciesOnDeleteRS" : {
"title" : "Delete user policies when Resource Server is removed",
"description" : "Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"permissionTicketLifetime" : {
"title" : "Permission Ticket Lifetime (seconds)",
"description" : "The maximum life of a permission ticket before it expires, in seconds.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"pendingRequestsEnabled" : {
"title" : "Pending Requests Enabled",
"description" : "Specifies whether to use the Pending Requests subsystem that notifies the resource owner that an attempt to access a resource was made.",
"propertyOrder" : 450,
"required" : true,
"type" : "boolean"
}
}
}
Delete
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"emailRequestingPartyOnPendingRequestApproval" : {
"title" : "Email Requesting Party on Pending Request approval",
"description" : "Specifies whether to send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.",
"propertyOrder" : 600,
"required" : true,
"type" : "boolean"
},
"emailResourceOwnerOnPendingRequestCreation" : {
"title" : "Email Resource Owner on Pending Request creation",
"description" : "Specifies whether to send an email to the Resource Owner when a Pending Request is created because a Requesting Party has requested authorization to a resource.",
"propertyOrder" : 500,
"required" : true,
"type" : "boolean"
},
"resharingMode" : {
"title" : "Re-Sharing Mode",
"description" : "Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resource sets that have been shared with them.",
"propertyOrder" : 800,
"required" : true,
"type" : "string"
},
"userProfileLocaleAttribute" : {
"title" : "User profile preferred Locale attribute",
"description" : "User profile attribute storing the user's preferred locale.",
"propertyOrder" : 700,
"required" : true,
"type" : "string"
},
"grantRptConditions" : {
"title" : "Grant RPTs...",
"description" : "In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scope matches, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. For more information, see the UMA Grant Type specification section on Authorization Assessment and Results Determination.",
"propertyOrder" : 900,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
},
"deleteResourceSetsOnDeleteRS" : {
"title" : "Delete resource sets when Resource Server is removed",
"description" : "Delete all resource sets that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
"propertyOrder" : 400,
"required" : true,
"type" : "boolean"
},
"deletePoliciesOnDeleteRS" : {
"title" : "Delete user policies when Resource Server is removed",
"description" : "Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
"propertyOrder" : 300,
"required" : true,
"type" : "boolean"
},
"permissionTicketLifetime" : {
"title" : "Permission Ticket Lifetime (seconds)",
"description" : "The maximum life of a permission ticket before it expires, in seconds.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"pendingRequestsEnabled" : {
"title" : "Pending Requests Enabled",
"description" : "Specifies whether to use the Pending Requests subsystem that notifies the resource owner that an attempt to access a resource was made.",
"propertyOrder" : 450,
"required" : true,
"type" : "boolean"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
STABLE |
⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/user
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"dynamic" : {
"properties" : {
"defaultUserStatus" : {
"title" : "Default User Status",
"description" : "Inactive users cannot authenticate, though OpenAM stores their profiles.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"preferredTimezone" : {
"title" : "User Preferred Timezone",
"description" : "Time zone for accessing OpenAM console.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"adminDNStartingView" : {
"title" : "Administrator DN Starting View",
"description" : "Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console.",
"propertyOrder" : 200,
"required" : false,
"type" : "string"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"dynamic" : {
"properties" : {
"defaultUserStatus" : {
"title" : "Default User Status",
"description" : "Inactive users cannot authenticate, though OpenAM stores their profiles.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"preferredTimezone" : {
"title" : "User Preferred Timezone",
"description" : "Time zone for accessing OpenAM console.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"adminDNStartingView" : {
"title" : "Administrator DN Starting View",
"description" : "Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console.",
"propertyOrder" : 200,
"required" : false,
"type" : "string"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"dynamic" : {
"properties" : {
"defaultUserStatus" : {
"title" : "Default User Status",
"description" : "Inactive users cannot authenticate, though OpenAM stores their profiles.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"preferredTimezone" : {
"title" : "User Preferred Timezone",
"description" : "Time zone for accessing OpenAM console.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"adminDNStartingView" : {
"title" : "Administrator DN Starting View",
"description" : "Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console.",
"propertyOrder" : 200,
"required" : false,
"type" : "string"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"dynamic" : {
"properties" : {
"defaultUserStatus" : {
"title" : "Default User Status",
"description" : "Inactive users cannot authenticate, though OpenAM stores their profiles.",
"propertyOrder" : 300,
"required" : true,
"type" : "string"
},
"preferredTimezone" : {
"title" : "User Preferred Timezone",
"description" : "Time zone for accessing OpenAM console.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"adminDNStartingView" : {
"title" : "Administrator DN Starting View",
"description" : "Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console.",
"propertyOrder" : 200,
"required" : false,
"type" : "string"
}
},
"type" : "object",
"title" : "Dynamic Attributes"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/services/validation
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ✓ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"validGotoDestinations" : {
"title" : "Valid goto URL Resources",
"description" : "List of valid goto URL resources.<br><br>OpenAM's default behavior after login or logout is to redirect the user to the URL specified in the <code>goto</code> or <code>gotoOnFail</code> query string parameters supplied to the authentication interface during login or logout. <p><p>To enhance security, a list of valid URL resources can be specified here so OpenAM can validate the <code>goto</code> and <code>gotoOnFail</code> URL against them. <p><p>OpenAM will only redirect a user after login or logout if the URL matches any of the resources specified in this property. If the URL does not match, the user is redirected to either the user profile page or administration console after login, or the logged out page after logout. If this property is not set, it is assumed that all redirect URLs are valid.<p><p>The resources defined here can have the <code>*</code> wildcard defined, which matches all characters except <code>?</code>. Example values for this setting:<ul><li><code>http://app.example.com:80/*</code></li><li><code>http://app.example.com:80/*?*</code></li></ul>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
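The wildcard rule in the description above is easy to misjudge until it is run against concrete URLs, and the default when the list is unset (every redirect target accepted) is exactly the open-redirect condition the property exists to prevent. What follows is an added example, not OpenAM's own validator: a small Python matcher that implements the rule as the description states it (a "*" matches any run of characters except "?", everything else is literal, an empty list accepts everything), plus a separate origin pin that covers a case the wildcard rule alone does not. The function names, the sample patterns and the sample URLs are assumptions made for this example.

```python
"""Allowlist check for goto / gotoOnFail redirect targets.

Added example, not OpenAM code. It implements the matching rule the
validGotoDestinations description states: '*' matches any run of characters
except '?', all other characters are literal, and an unset list means every
redirect target is accepted.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit


def pattern_to_regex(pattern: str) -> re.Pattern[str]:
    """Translate one validGotoDestinations entry into an anchored regex.

    Everything that is not '*' is escaped and matched literally; each '*'
    becomes [^?]* so it cannot swallow the query-string separator.
    """
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile("[^?]*".join(literal_parts))


def goto_is_allowed(goto: str, valid_destinations: list[str]) -> bool:
    """True when goto matches at least one configured pattern.

    An empty list reproduces the documented default of accepting every
    URL. In a real deployment that default is an open redirect, so a
    caller should treat an empty allowlist as a misconfiguration.
    """
    if not valid_destinations:
        return True
    return any(pattern_to_regex(p).fullmatch(goto) for p in valid_destinations)


def origin_is_pinned(goto: str, allowed_origins: set[str]) -> bool:
    """Independent check that the target's scheme://host:port is on a fixed list.

    The wildcard rule lets '*' match '/' as well as '.', so a pattern such as
    http://*.example.com/* also matches http://attacker.example.net/x.example.com/.
    Pinning the origin separately closes that gap.
    """
    parts = urlsplit(goto)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        port = parts.port
    except ValueError:  # malformed port, e.g. "http://host:abc/"
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # urlsplit already lower-cases hostname
    return f"{parts.scheme}://{parts.hostname}:{port}" in allowed_origins


def resolve_post_login_redirect(goto: str, valid_destinations: list[str],
                                allowed_origins: set[str], fallback: str) -> str:
    """Return goto if it passes both checks, otherwise the configured fallback
    (the profile page or console in OpenAM's case)."""
    if goto_is_allowed(goto, valid_destinations) and origin_is_pinned(goto, allowed_origins):
        return goto
    return fallback


if __name__ == "__main__":
    # Constructed sample configuration and URLs; not taken from a real deployment.
    patterns = ["http://app.example.com:80/*", "http://app.example.com:80/*?*"]
    origins = {"http://app.example.com:80"}
    for url in ["http://app.example.com:80/home",
                "http://app.example.com:80/home?next=1",
                "http://attacker.example.net/"]:
        print(url, "->", resolve_post_login_redirect(url, patterns, origins, "/profile"))
```

The first two functions are the rule exactly as the property describes it; origin_is_pinned is the extra check a reviewer would ask for, because a host-position wildcard combined with "*" matching "/" lets a foreign host pass as long as the allowed suffix appears somewhere in the path.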
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"validGotoDestinations" : {
"title" : "Valid goto URL Resources",
"description" : "List of valid goto URL resources.<br><br>OpenAM's default behavior after login or logout is to redirect the user to the URL specified in the <code>goto</code> or <code>gotoOnFail</code> query string parameters supplied to the authentication interface during login or logout. <p><p>To enhance security, a list of valid URL resources can be specified here so OpenAM can validate the <code>goto</code> and <code>gotoOnFail</code> URL against them. <p><p>OpenAM will only redirect a user after login or logout if the URL matches any of the resources specified in this property. If the URL does not match, the user is redirected to either the user profile page or administration console after login, or the logged out page after logout. If this property is not set, it is assumed that all redirect URLs are valid.<p><p>The resources defined here can have the <code>*</code> wildcard defined, which matches all characters except <code>?</code>. Example values for this setting:<ul><li><code>http://app.example.com:80/*</code></li><li><code>http://app.example.com:80/*?*</code></li></ul>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"validGotoDestinations" : {
"title" : "Valid goto URL Resources",
"description" : "List of valid goto URL resources.<br><br>OpenAM's default behavior after login or logout is to redirect the user to the URL specified in the <code>goto</code> or <code>gotoOnFail</code> query string parameters supplied to the authentication interface during login or logout. <p><p>To enhance security, a list of valid URL resources can be specified here so OpenAM can validate the <code>goto</code> and <code>gotoOnFail</code> URL against them. <p><p>OpenAM will only redirect a user after login or logout if the URL matches any of the resources specified in this property. If the URL does not match, the user is redirected to either the user profile page or administration console after login, or the logged out page after logout. If this property is not set, it is assumed that all redirect URLs are valid.<p><p>The resources defined here can have the <code>*</code> wildcard defined, which matches all characters except <code>?</code>. Example values for this setting:<ul><li><code>http://app.example.com:80/*</code></li><li><code>http://app.example.com:80/*?*</code></li></ul>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"validGotoDestinations" : {
"title" : "Valid goto URL Resources",
"description" : "List of valid goto URL resources.<br><br>OpenAM's default behavior after login or logout is to redirect the user to the URL specified in the <code>goto</code> or <code>gotoOnFail</code> query string parameters supplied to the authentication interface during login or logout. <p><p>To enhance security, a list of valid URL resources can be specified here so OpenAM can validate the <code>goto</code> and <code>gotoOnFail</code> URL against them. <p><p>OpenAM will only redirect a user after login or logout if the URL matches any of the resources specified in this property. If the URL does not match, the user is redirected to either the user profile page or administration console after login, or the logged out page after logout. If this property is not set, it is assumed that all redirect URLs are valid.<p><p>The resources defined here can have the <code>*</code> wildcard defined, which matches all characters except <code>?</code>. Example values for this setting:<ul><li><code>http://app.example.com:80/*</code></li><li><code>http://app.example.com:80/*?*</code></li></ul>",
"propertyOrder" : 100,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
/realm-config/webhooks
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"body" : {
"title" : "Body",
"description" : "The webhook body to be sent in the http request.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"url" : {
"title" : "Url",
"description" : "The webhook url that is used to create the http call for this webhook.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"headers" : {
"title" : "Headers",
"description" : "The webhook headers added to the http request.",
"propertyOrder" : 300,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Query by Filter
Get the full list of instances of this collection. This query supports only the _queryFilter=true filter; no other filter expressions are accepted.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"body" : {
"title" : "Body",
"description" : "The webhook body to be sent in the http request.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"url" : {
"title" : "Url",
"description" : "The webhook url that is used to create the http call for this webhook.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"headers" : {
"title" : "Headers",
"description" : "The webhook headers added to the http request.",
"propertyOrder" : 300,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
}
}
/realm-config/webhooks/{id}
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | | | | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"body" : {
"title" : "Body",
"description" : "The webhook body to be sent in the http request.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"url" : {
"title" : "Url",
"description" : "The webhook url that is used to create the http call for this webhook.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"headers" : {
"title" : "Headers",
"description" : "The webhook headers added to the http request.",
"propertyOrder" : 300,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | | | | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"body" : {
"title" : "Body",
"description" : "The webhook body to be sent in the http request.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"url" : {
"title" : "Url",
"description" : "The webhook url that is used to create the http call for this webhook.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"headers" : {
"title" : "Headers",
"description" : "The webhook headers added to the http request.",
"propertyOrder" : 300,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | | | | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"body" : {
"title" : "Body",
"description" : "The webhook body to be sent in the http request.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"url" : {
"title" : "Url",
"description" : "The webhook url that is used to create the http call for this webhook.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"headers" : {
"title" : "Headers",
"description" : "The webhook headers added to the http request.",
"propertyOrder" : 300,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| id | | | | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"body" : {
"title" : "Body",
"description" : "The webhook body to be sent in the http request.",
"propertyOrder" : 200,
"required" : true,
"type" : "string"
},
"url" : {
"title" : "Url",
"description" : "The webhook url that is used to create the http call for this webhook.",
"propertyOrder" : 100,
"required" : true,
"type" : "string"
},
"headers" : {
"title" : "Headers",
"description" : "The webhook headers added to the http request.",
"propertyOrder" : 300,
"required" : true,
"patternProperties" : {
".*" : {
"type" : "string"
}
},
"type" : "object"
}
}
}
/records
1.0
Service for creating records.
Action: start
Starts recording.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"description" : "The properties of a Record, which can deserialized from json.",
"type" : "object",
"title" : "Record properties",
"properties" : {
"issueID" : {
"description" : "A case number is a good choice for the issueID value.",
"title" : "Issue ID",
"type" : "integer",
"format" : "int64"
},
"referenceID" : {
"description" : "A second identifier to segregate multiple recording events for the same issue.",
"title" : "Reference ID",
"type" : "string"
},
"description" : {
"description" : "A textual description of the recording event.",
"title" : "Description",
"type" : "string"
},
"threadDumpDelayInSeconds" : {
"description" : "Object used to specify an interval at which thread dumps are taken. The initial thread dump is taken at the start of the recording event; subsequent thread dumps are taken at multiples of the delay interval.",
"title" : "Thread dump delay in seconds",
"type" : "integer",
"format" : "int64"
},
"configExportPassword" : {
"description" : "A key required to import the exported configuration.",
"title" : "Config export password",
"type" : "string"
},
"debugLevel" : {
"description" : "The debug level to set for the recording event.",
"title" : "Debug level",
"type" : "string",
"enum" : [ "OFF", "ERROR", "WARNING", "MESSAGE", "ON" ]
},
"autoStopTimeInMS" : {
"description" : "Used to specify an event that automatically ends a recording period. For time-based termination, specify a time object; for termination based on uncompressed file size, specify a fileSize object. If you specify both time and fileSize objects, the event that occurs first causes recording to stop.",
"title" : "Auto stop time in milliseconds",
"type" : "integer",
"format" : "int64"
},
"configExportSharePasswordEnabled" : {
"description" : "Whether to show the password value in the ssoadm start-recording, ssoadm get-recording-status, ssoadm stop-recording output and in the info.json file.",
"title" : "Config export share password enabled",
"type" : "boolean"
},
"autoStopFileSizeInKB" : {
"description" : "Configures a recording period to terminate after the aggregate size of uncompressed debug logs has reached this size.",
"title" : "Auto stop file size in KB",
"type" : "integer",
"format" : "int64"
},
"threadDumpEnabled" : {
"description" : "Whether to dump threads during the recording event.",
"title" : "Thread dump enabled",
"type" : "boolean"
},
"configExportEnabled" : {
"description" : "Whether to export the OpenAM configuration upon completion of the recording event.",
"title" : "Config export enabled",
"type" : "boolean"
},
"autoStopEnabled" : {
"description" : "Whether auto stop is enabled.",
"title" : "Auto stop enabled",
"type" : "boolean"
},
"autoStopTimeEnabled" : {
"description" : "Whether time is specified for the auto stop.",
"title" : "Auto stop time enabled",
"type" : "boolean"
},
"autoStopFileSizeEnabled" : {
"description" : "Whether file size is enabled for the auto stop.",
"title" : "Auto stop file size enabled",
"type" : "boolean"
},
"zipEnabled" : {
"description" : "Whether to compress the output directory into a zip file when recording has stopped.",
"title" : "Zip enabled",
"type" : "boolean"
}
}
}
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"record" : {
"type" : "object",
"description" : "Represents a Record.",
"title" : "Record",
"properties" : {
"recordProperties" : {
"type" : "object",
"description" : "The properties of the Record, as deserialized from the JSON request body.",
"title" : "Record properties",
"properties" : {
"issueID" : {
"description" : "A case number is a good choice for the issueID value.",
"title" : "Issue ID",
"type" : "integer",
"format" : "int64"
},
"referenceID" : {
"description" : "A second identifier to segregate multiple recording events for the same issue.",
"title" : "Reference ID",
"type" : "string"
},
"description" : {
"description" : "A textual description of the recording event.",
"title" : "Description",
"type" : "string"
},
"threadDumpDelayInSeconds" : {
"description" : "Interval, in seconds, at which thread dumps are taken. The initial thread dump is taken at the start of the recording event; subsequent thread dumps are taken at multiples of this interval.",
"title" : "Thread dump delay in seconds",
"type" : "integer",
"format" : "int64"
},
"configExportPassword" : {
"description" : "A key required to import the exported configuration.",
"title" : "Config export password",
"type" : "string"
},
"debugLevel" : {
"description" : "The debug level to set for the recording event.",
"title" : "Debug level",
"type" : "string",
"enum" : [ "OFF", "ERROR", "WARNING", "MESSAGE", "ON" ]
},
"autoStopTimeInMS" : {
"description" : "Elapsed time, in milliseconds, after which the recording stops automatically; honoured when autoStopTimeEnabled is true. If both a time limit and a file size limit (autoStopFileSizeInKB) are set, whichever is reached first stops the recording.",
"title" : "Auto stop time in milliseconds",
"type" : "integer",
"format" : "int64"
},
"configExportSharePasswordEnabled" : {
"description" : "Whether to include the config export password in the output of ssoadm start-recording, ssoadm get-recording-status and ssoadm stop-recording, and in the info.json file in the recording folder. When true, the password is stored in clear text in that file.",
"title" : "Config export share password enabled",
"type" : "boolean"
},
"autoStopFileSizeInKB" : {
"description" : "Configures a recording period to terminate after the aggregate size of uncompressed debug logs has reached this size.",
"title" : "Auto stop file size in KB",
"type" : "integer",
"format" : "int64"
},
"threadDumpEnabled" : {
"description" : "Whether to dump threads during the recording event.",
"title" : "Thread dump enabled",
"type" : "boolean"
},
"configExportEnabled" : {
"description" : "Whether to export the OpenAM configuration upon completion of the recording event.",
"title" : "Config export enabled",
"type" : "boolean"
},
"autoStopEnabled" : {
"description" : "Whether auto stop is enabled.",
"title" : "Auto stop enabled",
"type" : "boolean"
},
"autoStopTimeEnabled" : {
"description" : "Whether a time limit is set for the auto stop.",
"title" : "Auto stop time enabled",
"type" : "boolean"
},
"autoStopFileSizeEnabled" : {
"description" : "Whether a file size limit is set for the auto stop.",
"title" : "Auto stop file size enabled",
"type" : "boolean"
},
"zipEnabled" : {
"description" : "Whether to compress the output directory into a zip file when recording has stopped.",
"title" : "Zip enabled",
"type" : "boolean"
}
}
},
"recordStatus" : {
"description" : "The status a record can be in.",
"title" : "Record status",
"type" : "string",
"enum" : [ "INITIALIZED", "RUNNING", "STOPPED" ]
},
"folderPath" : {
"description" : "A path to the folder that contains the record log.",
"title" : "Folder path",
"type" : "string"
},
"recordsHistory" : {
"description" : "A read-only map of RecordStatus values, keyed by the time at which each status was entered.",
"title" : "Records history",
"type" : "object",
"additionalProperties" : {
"type" : "string",
"enum" : [ "INITIALIZED", "RUNNING", "STOPPED" ]
}
}
}
},
"recording" : {
"type" : "boolean",
"description" : "The recording status. True if it is recording.",
"title" : "Recording"
}
}
}
| Code | Description |
|---|---|
| | Record not found |
Action: status
Returns status of recording.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"record" : {
"type" : "object",
"description" : "Represents a Record.",
"title" : "Record",
"properties" : {
"recordProperties" : {
"type" : "object",
"description" : "The properties of the Record, as deserialized from the JSON request body.",
"title" : "Record properties",
"properties" : {
"issueID" : {
"description" : "A case number is a good choice for the issueID value.",
"title" : "Issue ID",
"type" : "integer",
"format" : "int64"
},
"referenceID" : {
"description" : "A second identifier to segregate multiple recording events for the same issue.",
"title" : "Reference ID",
"type" : "string"
},
"description" : {
"description" : "A textual description of the recording event.",
"title" : "Description",
"type" : "string"
},
"threadDumpDelayInSeconds" : {
"description" : "Interval, in seconds, at which thread dumps are taken. The initial thread dump is taken at the start of the recording event; subsequent thread dumps are taken at multiples of this interval.",
"title" : "Thread dump delay in seconds",
"type" : "integer",
"format" : "int64"
},
"configExportPassword" : {
"description" : "A key required to import the exported configuration.",
"title" : "Config export password",
"type" : "string"
},
"debugLevel" : {
"description" : "The debug level to set for the recording event.",
"title" : "Debug level",
"type" : "string",
"enum" : [ "OFF", "ERROR", "WARNING", "MESSAGE", "ON" ]
},
"autoStopTimeInMS" : {
"description" : "Elapsed time, in milliseconds, after which the recording stops automatically; honoured when autoStopTimeEnabled is true. If both a time limit and a file size limit (autoStopFileSizeInKB) are set, whichever is reached first stops the recording.",
"title" : "Auto stop time in milliseconds",
"type" : "integer",
"format" : "int64"
},
"configExportSharePasswordEnabled" : {
"description" : "Whether to include the config export password in the output of ssoadm start-recording, ssoadm get-recording-status and ssoadm stop-recording, and in the info.json file in the recording folder. When true, the password is stored in clear text in that file.",
"title" : "Config export share password enabled",
"type" : "boolean"
},
"autoStopFileSizeInKB" : {
"description" : "Configures a recording period to terminate after the aggregate size of uncompressed debug logs has reached this size.",
"title" : "Auto stop file size in KB",
"type" : "integer",
"format" : "int64"
},
"threadDumpEnabled" : {
"description" : "Whether to dump threads during the recording event.",
"title" : "Thread dump enabled",
"type" : "boolean"
},
"configExportEnabled" : {
"description" : "Whether to export the OpenAM configuration upon completion of the recording event.",
"title" : "Config export enabled",
"type" : "boolean"
},
"autoStopEnabled" : {
"description" : "Whether auto stop is enabled.",
"title" : "Auto stop enabled",
"type" : "boolean"
},
"autoStopTimeEnabled" : {
"description" : "Whether a time limit is set for the auto stop.",
"title" : "Auto stop time enabled",
"type" : "boolean"
},
"autoStopFileSizeEnabled" : {
"description" : "Whether a file size limit is set for the auto stop.",
"title" : "Auto stop file size enabled",
"type" : "boolean"
},
"zipEnabled" : {
"description" : "Whether to compress the output directory into a zip file when recording has stopped.",
"title" : "Zip enabled",
"type" : "boolean"
}
}
},
"recordStatus" : {
"description" : "The status a record can be in.",
"title" : "Record status",
"type" : "string",
"enum" : [ "INITIALIZED", "RUNNING", "STOPPED" ]
},
"folderPath" : {
"description" : "A path to the folder that contains the record log.",
"title" : "Folder path",
"type" : "string"
},
"recordsHistory" : {
"description" : "A read-only map of RecordStatus values, keyed by the time at which each status was entered.",
"title" : "Records history",
"type" : "object",
"additionalProperties" : {
"type" : "string",
"enum" : [ "INITIALIZED", "RUNNING", "STOPPED" ]
}
}
}
},
"recording" : {
"type" : "boolean",
"description" : "The recording status. True if it is recording.",
"title" : "Recording"
}
}
}
Action: stop
Stops recording.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"record" : {
"type" : "object",
"description" : "Represents a Record.",
"title" : "Record",
"properties" : {
"recordProperties" : {
"type" : "object",
"description" : "The properties of a Record, which can be deserialized from JSON.",
"title" : "Record properties",
"properties" : {
"issueID" : {
"description" : "A case number is a good choice for the issueID value.",
"title" : "Issue ID",
"type" : "integer",
"format" : "int64"
},
"referenceID" : {
"description" : "A second identifier to segregate multiple recording events for the same issue.",
"title" : "Reference ID",
"type" : "string"
},
"description" : {
"description" : "A textual description of the recording event.",
"title" : "Description",
"type" : "string"
},
"threadDumpDelayInSeconds" : {
"description" : "Object used to specify an interval at which thread dumps are taken. The initial thread dump is taken at the start of the recording event; subsequent thread dumps are taken at multiples of the delay interval.",
"title" : "Thread dump delay in seconds",
"type" : "integer",
"format" : "int64"
},
"configExportPassword" : {
"description" : "A key required to import the exported configuration.",
"title" : "Config export password",
"type" : "string"
},
"debugLevel" : {
"description" : "The debug level to set for the recording event.",
"title" : "Debug level",
"type" : "string",
"enum" : [ "OFF", "ERROR", "WARNING", "MESSAGE", "ON" ]
},
"autoStopTimeInMS" : {
"description" : "Used to specify an event that automatically ends a recording period. For time-based termination, specify a time object; for termination based on uncompressed file size, specify a fileSize object. If you specify both time and fileSize objects, the event that occurs first causes recording to stop.",
"title" : "Auto stop time in milliseconds",
"type" : "integer",
"format" : "int64"
},
"configExportSharePasswordEnabled" : {
"description" : "Whether to show the password value in the ssoadm start-recording, ssoadm get-recording-status, ssoadm stop-recording output and in the info.json file.",
"title" : "Config export share password enabled",
"type" : "boolean"
},
"autoStopFileSizeInKB" : {
"description" : "Configures a recording period to terminate after the aggregate size of uncompressed debug logs has reached this size.",
"title" : "Auto stop file size in KB",
"type" : "integer",
"format" : "int64"
},
"threadDumpEnabled" : {
"description" : "Whether to dump threads during the recording event.",
"title" : "Thread dump enabled",
"type" : "boolean"
},
"configExportEnabled" : {
"description" : "Whether to export the OpenAM configuration upon completion of the recording event.",
"title" : "Config export enabled",
"type" : "boolean"
},
"autoStopEnabled" : {
"description" : "Whether auto stop is enabled.",
"title" : "Auto stop enabled",
"type" : "boolean"
},
"autoStopTimeEnabled" : {
"description" : "Whether time is specified for the auto stop.",
"title" : "Auto stop time enabled",
"type" : "boolean"
},
"autoStopFileSizeEnabled" : {
"description" : "Whether file size is enabled for the auto stop.",
"title" : "Auto stop file size enabled",
"type" : "boolean"
},
"zipEnabled" : {
"description" : "Whether to compress the output directory into a zip file when recording has stopped.",
"title" : "Zip enabled",
"type" : "boolean"
}
}
},
"recordStatus" : {
"description" : "The Status a record log can be in.",
"title" : "Record status",
"type" : "string",
"enum" : [ "INITIALIZED", "RUNNING", "STOPPED" ]
},
"folderPath" : {
"description" : "A path to the folder that contains the record log.",
"title" : "Folder path",
"type" : "string"
},
"recordsHistory" : {
"description" : "A read only map of RecordStatus, keyed by the time they occurred.",
"title" : "Records history",
"type" : "object",
"additionalProperties" : {
"type" : "string",
"enum" : [ "INITIALIZED", "RUNNING", "STOPPED" ]
}
}
}
},
"recording" : {
"type" : "boolean",
"description" : "The recording status. True if it is recording.",
"title" : "Recording"
},
"type" : "object"
}
| Code | Description |
|---|---|
|  | Record not found |
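A worked check on the stop response, added here as an example rather than code from the page or from OpenAM: it validates the returned record against the enums in the schema above and flags the case a practitioner cares about, a configuration export whose password is written into info.json in folderPath because configExportSharePasswordEnabled is set. The response values, the folder path and the DN-free field contents are constructed; the records URL in the usage note is an assumption.

```python
import json

# Constructed sample of a response to POST /json/records?_action=stop,
# shaped after the Record schema above. Every value is made up for illustration.
SAMPLE_STOP_RESPONSE = {
    "recording": False,
    "record": {
        "recordProperties": {
            "issueID": 123456,
            "referenceID": "login-failures",
            "description": "Reproduce intermittent login failure",
            "debugLevel": "MESSAGE",
            "threadDumpEnabled": True,
            "threadDumpDelayInSeconds": 5,
            "autoStopEnabled": True,
            "autoStopTimeEnabled": True,
            "autoStopTimeInMS": 120000,
            "autoStopFileSizeEnabled": False,
            "autoStopFileSizeInKB": 0,
            "configExportEnabled": True,
            "configExportPassword": "s3cr3t-export-key",
            "configExportSharePasswordEnabled": True,
            "zipEnabled": True,
        },
        "recordStatus": "STOPPED",
        "folderPath": "/opt/openam/debug/record/123456/login-failures",
        "recordsHistory": {
            "2024-01-01T10:00:00Z": "INITIALIZED",
            "2024-01-01T10:00:01Z": "RUNNING",
            "2024-01-01T10:02:01Z": "STOPPED",
        },
    },
}

VALID_STATUSES = {"INITIALIZED", "RUNNING", "STOPPED"}
VALID_DEBUG_LEVELS = {"OFF", "ERROR", "WARNING", "MESSAGE", "ON"}


def assess_stop_response(resp):
    """Validate a stop response against the schema's enums and summarise what
    the recording folder will contain. Raises ValueError on values outside the
    documented enums so a mis-shaped response is not silently accepted."""
    record = resp["record"]
    props = record["recordProperties"]
    status = record["recordStatus"]
    if status not in VALID_STATUSES:
        raise ValueError("unknown recordStatus: %r" % status)
    history = record.get("recordsHistory", {})
    bad = sorted(v for v in history.values() if v not in VALID_STATUSES)
    if bad:
        raise ValueError("unknown status in recordsHistory: %r" % bad)
    level = props.get("debugLevel")
    if level is not None and level not in VALID_DEBUG_LEVELS:
        raise ValueError("unknown debugLevel: %r" % level)

    export_enabled = bool(props.get("configExportEnabled"))
    share_enabled = bool(props.get("configExportSharePasswordEnabled"))
    return {
        # Both the top-level flag and the status must agree for the recording to be over.
        "stopped": (not resp["recording"]) and status == "STOPPED",
        "folder_path": record.get("folderPath"),
        "zipped": bool(props.get("zipEnabled")),
        "config_export": export_enabled,
        # Per the schema, the share flag controls whether the export password is
        # written into info.json, so the output folder itself then holds the key.
        "password_in_info_json": export_enabled and share_enabled,
        # Whether this response object carries a non-empty password field at all.
        "password_in_response": bool(props.get("configExportPassword")),
    }


def redact_for_ticket(resp):
    """Deep copy of the response with the export password masked, so the record
    can be attached to a support case while the key travels out of band."""
    redacted = json.loads(json.dumps(resp))
    props = redacted["record"]["recordProperties"]
    if props.get("configExportPassword"):
        props["configExportPassword"] = "<redacted>"
    return redacted
```

Send the stop action as a POST to the records endpoint (assumed here to be .../json/records?_action=stop) with an administrator's session token in the iPlanetDirectoryPro header, then pass the parsed JSON to assess_stop_response. When password_in_info_json is true, treat the recording folder, or the zip file when zipEnabled is set, as containing a key: share configExportPassword out of band and use redact_for_ticket for the copy that goes into the case.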
/resourcetypes
1.0
The Resource Types resource is responsible for managing resource types, which define a template for the resources that policies apply to, and the actions associated with those resources. Available operations are Query, Read, Create, Update and Delete.
Create
Create new resource type
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Resource Types Resource schema",
"type" : "object",
"title" : "Resource Types Resource schema",
"properties" : {
"uuid" : {
"title" : "UUID",
"description" : "Unique identifier of the record",
"type" : "string"
},
"name" : {
"title" : "Name",
"description" : "Resource type name",
"type" : "string"
},
"description" : {
"title" : "Description",
"description" : "Resource type description",
"type" : "string"
},
"patterns" : {
"title" : "Patterns",
"description" : "Resource type patterns",
"type" : "array",
"items" : {
"type" : "string"
}
},
"actions" : {
"title" : "Actions",
"description" : "Resource type actions",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the resource type",
"type" : "string"
},
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"type" : "number"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the resource type. If the resource type has not been modified since it was created, this property will have the same value as createdBy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the resource type has not been modified since it was created, this property will have the same value as creationDate",
"type" : "number"
}
}
}
| Code | Description |
|---|---|
| 400 | Bad request. Possible causes: the subject cannot be retrieved from the resource type object; the provided resourceId does not match the uuid in the JSON body. |
| 409 | The request could not be completed due to a conflict with the current state of the target resource: the resource type already exists. |
| 500 | Unexpected server error. Possible cause: an invalid JSON value was provided in the request. |
Query by Filter
Query the collection of resource types
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Resource Types Resource schema",
"type" : "object",
"title" : "Resource Types Resource schema",
"properties" : {
"uuid" : {
"title" : "UUID",
"description" : "Unique identifier of the record",
"type" : "string"
},
"name" : {
"title" : "Name",
"description" : "Resource type name",
"type" : "string"
},
"description" : {
"title" : "Description",
"description" : "Resource type description",
"type" : "string"
},
"patterns" : {
"title" : "Patterns",
"description" : "Resource type patterns",
"type" : "array",
"items" : {
"type" : "string"
}
},
"actions" : {
"title" : "Actions",
"description" : "Resource type actions",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the resource type",
"type" : "string"
},
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"type" : "number"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the resource type. If the resource type has not been modified since it was created, this property will have the same value as createdBy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the resource type has not been modified since it was created, this property will have the same value as creationDate",
"type" : "number"
}
}
}
| Code | Description |
|---|---|
| 404 | Not found. The resource type could not be found. |
| 500 | Unexpected server error. Possible cause: an invalid JSON value was provided in the request. |
/resourcetypes/{resourceId}
1.0
The Resource Types resource is responsible for managing resource types, which define a template for the resources that policies apply to, and the actions associated with those resources. Available operations are Query, Read, Create, Update and Delete.
Create
Create new resource type
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| resourceId |  | The unique identifier of the resource type | ✓ | path |  |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Resource Types Resource schema",
"type" : "object",
"title" : "Resource Types Resource schema",
"properties" : {
"uuid" : {
"title" : "UUID",
"description" : "Unique identifier of the record",
"type" : "string"
},
"name" : {
"title" : "Name",
"description" : "Resource type name",
"type" : "string"
},
"description" : {
"title" : "Description",
"description" : "Resource type description",
"type" : "string"
},
"patterns" : {
"title" : "Patterns",
"description" : "Resource type patterns",
"type" : "array",
"items" : {
"type" : "string"
}
},
"actions" : {
"title" : "Actions",
"description" : "Resource type actions",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the resource type",
"type" : "string"
},
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"type" : "number"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the resource type. If the resource type has not been modified since it was created, this property will have the same value as createdBy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the resource type has not been modified since it was created, this property will have the same value as creationDate",
"type" : "number"
}
}
}
| Code | Description |
|---|---|
| 400 | Bad request. Possible causes: the subject cannot be retrieved from the resource type object; the provided resourceId does not match the uuid in the JSON body. |
| 409 | The request could not be completed due to a conflict with the current state of the target resource: the resource type already exists. |
| 500 | Unexpected server error. Possible cause: an invalid JSON value was provided in the request. |
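The two create variants, server-assigned id on the /resourcetypes collection and client-assigned id on /resourcetypes/{resourceId}, differ only in HTTP shape, and the 400 for a resourceId that does not match the body's uuid can be caught before the request leaves. The following Python is an added example, not code from the page or from OpenAM: it validates a body against the schema (patterns as strings, actions as a name-to-boolean map, none of the server-managed audit fields) and builds either request. The realm-as-path-segment URL layout under /json, the iPlanetDirectoryPro header carrying an admin session token, and the sample body are assumptions; the If-None-Match: * header on the PUT is the standard CREST way to make a create fail instead of overwriting an existing resource.

```python
import json
import uuid

# Constructed resource type body for illustration; the name and patterns are made up.
SAMPLE_BODY = {
    "name": "Ticketing API",
    "description": "REST endpoints of the ticketing service",
    "patterns": ["https://tickets.example.com/api/*", "https://tickets.example.com/api/*?*"],
    "actions": {"GET": True, "POST": True, "DELETE": False},
}

ALLOWED_KEYS = {"uuid", "name", "description", "patterns", "actions",
                "createdBy", "creationDate", "lastModifiedBy", "lastModifiedDate"}
# Audit fields the server fills in; a client supplying them is a mistake at best.
SERVER_MANAGED = {"createdBy", "creationDate", "lastModifiedBy", "lastModifiedDate"}


def validate_resource_type(body):
    """Return a list of schema problems with a resource type body (empty if acceptable)."""
    problems = []
    unknown = sorted(set(body) - ALLOWED_KEYS)
    if unknown:
        problems.append("unknown properties: %s" % unknown)
    for key in sorted(SERVER_MANAGED & set(body)):
        problems.append("%s is set by the server; do not supply it" % key)
    name = body.get("name")
    if not isinstance(name, str) or not name.strip():
        problems.append("name must be a non-empty string")
    patterns = body.get("patterns")
    if not isinstance(patterns, list) or not all(isinstance(p, str) for p in patterns):
        problems.append("patterns must be an array of strings")
    actions = body.get("actions")
    if not isinstance(actions, dict) or not all(
        isinstance(k, str) and isinstance(v, bool) for k, v in actions.items()
    ):
        problems.append("actions must be an object mapping action name to boolean")
    if "uuid" in body:
        try:
            uuid.UUID(str(body["uuid"]))
        except ValueError:
            problems.append("uuid is not a valid UUID string")
    return problems


def build_create_request(json_base, realm, token, body, resource_id=None):
    """Shape the CREST create request for either variant documented above.

    resource_id is None: POST {json_base}/{realm}/resourcetypes?_action=create,
        and the server assigns the uuid.
    resource_id given:   PUT {json_base}/{realm}/resourcetypes/{resource_id}
        with If-None-Match: *, so an existing resource type with that id is
        never silently overwritten (the server answers 412 instead).
    The mismatch check reproduces the documented 400 locally.
    """
    problems = validate_resource_type(body)
    if resource_id is not None and "uuid" in body and body["uuid"] != resource_id:
        problems.append("path resourceId %r does not match body uuid %r"
                        % (resource_id, body["uuid"]))
    if problems:
        raise ValueError("; ".join(problems))
    headers = {
        "Content-Type": "application/json",
        "Accept-API-Version": "resource=1.0",  # the version this endpoint advertises
        "iPlanetDirectoryPro": token,          # assumed: SSO token of an admin session
    }
    realm_segment = realm.strip("/")           # assumed URL layout: realm under /json
    base = json_base.rstrip("/") + ("/" + realm_segment if realm_segment else "") + "/resourcetypes"
    if resource_id is None:
        return {"method": "POST", "url": base + "?_action=create",
                "headers": headers, "body": json.dumps(body)}
    headers["If-None-Match"] = "*"
    return {"method": "PUT", "url": base + "/" + resource_id,
            "headers": headers, "body": json.dumps(body)}
```

Hand the returned dict to whichever HTTP client you use; on the client-assigned path, a 412 from the server means the id is already taken, which is the outcome you want rather than a quiet replacement of someone else's resource type.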
Read
Read from the resource types collection by unique identifier
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| resourceId |  | The unique identifier of the resource type | ✓ | path |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Resource Types Resource schema",
"type" : "object",
"title" : "Resource Types Resource schema",
"properties" : {
"uuid" : {
"title" : "UUID",
"description" : "Unique identifier of the record",
"type" : "string"
},
"name" : {
"title" : "Name",
"description" : "Resource type name",
"type" : "string"
},
"description" : {
"title" : "Description",
"description" : "Resource type description",
"type" : "string"
},
"patterns" : {
"title" : "Patterns",
"description" : "Resource type patterns",
"type" : "array",
"items" : {
"type" : "string"
}
},
"actions" : {
"title" : "Actions",
"description" : "Resource type actions",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the resource type",
"type" : "string"
},
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"type" : "number"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the resource type. If the resource type has not been modified since it was created, this property will have the same value as createdBy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the resource type has not been modified since it was created, this property will have the same value as creationDate",
"type" : "number"
}
}
}
| Code | Description |
|---|---|
| 404 | Not found. The resource type could not be found. |
| 500 | Unexpected server error. Possible cause: an invalid JSON value was provided in the request. |
Update
Update an existing resource type
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| resourceId |  | The unique identifier of the resource type | ✓ | path |  |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Resource Types Resource schema",
"type" : "object",
"title" : "Resource Types Resource schema",
"properties" : {
"uuid" : {
"title" : "UUID",
"description" : "Unique identifier of the record",
"type" : "string"
},
"name" : {
"title" : "Name",
"description" : "Resource type name",
"type" : "string"
},
"description" : {
"title" : "Description",
"description" : "Resource type description",
"type" : "string"
},
"patterns" : {
"title" : "Patterns",
"description" : "Resource type patterns",
"type" : "array",
"items" : {
"type" : "string"
}
},
"actions" : {
"title" : "Actions",
"description" : "Resource type actions",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the resource type",
"type" : "string"
},
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"type" : "number"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the resource type. If the resource type has not been modified since it was created, this property will have the same value as createdBy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the resource type has not been modified since it was created, this property will have the same value as creationDate",
"type" : "number"
}
}
}
| Code | Description |
|---|---|
| 400 | Bad request. Possible causes: the subject cannot be retrieved from the resource type object; the provided resourceId does not match the uuid in the JSON body. |
| 404 | Not found. The resource type could not be found. |
| 409 | The request could not be completed due to a conflict with the current state of the target resource: the resource type already exists. |
| 500 | Unexpected server error. Possible cause: an invalid JSON value was provided in the request. |
Delete
Delete resource type
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| resourceId |  | The unique identifier of the resource type | ✓ | path |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Resource Types Resource schema",
"type" : "object",
"title" : "Resource Types Resource schema",
"properties" : {
"uuid" : {
"title" : "UUID",
"description" : "Unique identifier of the record",
"type" : "string"
},
"name" : {
"title" : "Name",
"description" : "Resource type name",
"type" : "string"
},
"description" : {
"title" : "Description",
"description" : "Resource type description",
"type" : "string"
},
"patterns" : {
"title" : "Patterns",
"description" : "Resource type patterns",
"type" : "array",
"items" : {
"type" : "string"
}
},
"actions" : {
"title" : "Actions",
"description" : "Resource type actions",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the resource type",
"type" : "string"
},
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"type" : "number"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the resource type. If the resource type has not been modified since it was created, this property will have the same value as createdBy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the resource type has not been modified since it was created, this property will have the same value as creationDate",
"type" : "number"
}
}
}
| Code | Description |
|---|---|
| 400 | Bad request. Possible causes: the subject cannot be retrieved from the resource type object; the provided resourceId does not match the uuid in the JSON body. |
| 404 | Not found. The resource type could not be found. |
| 500 | Unexpected server error. Possible cause: an invalid JSON value was provided in the request. |
/scripts
1.1
The script resources service is responsible for managing scripts used for client-side and server-side scripted authentication, custom policy conditions, and handling OpenID Connect claims. Scripts are represented in JSON and take the form shown in the schema below, built from standard JSON objects and values (strings, numbers, objects, arrays, true, false, and null). Each script has a system-generated universally unique identifier (UUID), which must be used when modifying an existing script; renaming a script does not change its UUID.
Create
Create a script in a realm. The value for script must be in UTF-8 format and then encoded into Base64.
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"description" : "Script resource endpoint json schema",
"type" : "object",
"title" : "Script resource schema",
"properties" : {
"_id" : {
"title" : "Script unique ID",
"description" : "A unique ID for a script configuration, provided by the server",
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION (Policy Condition); AUTHENTICATION_SERVER_SIDE (Server-side Authentication); AUTHENTICATION_CLIENT_SIDE (Client-side Authentication; client-side scripts must be written in JavaScript); OIDC_CLAIMS (OIDC Claims)",
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"type" : "string"
},
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"type" : "number"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"type" : "number"
}
},
"required" : [ "name", "description", "script", "language", "context" ]
}
| Code | Description |
|---|---|
|  | Failed to decode UTF-8 encoded script |
Action: validate
Validate a script. Include a JSON representation of the script and the script language, JAVASCRIPT or GROOVY, in the POST data. The value for script must be in UTF-8 format and then encoded into Base64.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"description" : "Validate action request schema",
"type" : "object",
"title" : "Validate request schema",
"properties" : {
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"type" : "string"
}
},
"required" : [ "script", "language" ]
}
This operation returns a response resource that conforms to the following schema:
{
"description" : "Validate action response schema",
"type" : "object",
"title" : "Validate response schema",
"properties" : {
"success" : {
"title" : "Success flag",
"description" : "True if the script validation was successful",
"type" : "boolean"
},
"errors" : {
"title" : "Validation errors",
"description" : "List of validation errors",
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"line" : {
"title" : "Line number",
"description" : "Line number of the script where the script validation failed",
"type" : "integer"
},
"column" : {
"title" : "Column number",
"description" : "Column number of the script where the script validation failed",
"type" : "integer"
},
"message" : {
"title" : "Error message",
"description" : "Script validation error message",
"type" : "string"
}
},
"required" : [ "line", "column", "message" ]
}
}
},
"required" : [ "success" ]
}
| Code | Description |
|---|---|
|  | A script must be specified |
|  | Failed to decode UTF-8 encoded script |
|  | Scripting language not supported |
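Both the create operation above and the validate action take the script source UTF-8 encoded and then Base64 encoded, and the decode failure listed for each is what a client gets when that is done wrong. The following Python is an added example, not code from the page or from OpenAM: it performs the encoding, builds the validate and create bodies (enforcing the JavaScript-only rule for client-side scripts stated in the context field), and, going one step beyond the page, decodes the scripts returned by a query so that server-side scripts last modified by someone outside a trusted set can be reviewed. The sample source, ids, DNs and the assumption that a CREST query wraps its items in a result array are all constructed.

```python
import base64

SUPPORTED_LANGUAGES = {"JAVASCRIPT", "GROOVY"}
SUPPORTED_CONTEXTS = {"POLICY_CONDITION", "AUTHENTICATION_SERVER_SIDE",
                      "AUTHENTICATION_CLIENT_SIDE", "OIDC_CLAIMS"}

# Constructed policy-condition script for illustration (not a script from the page).
SAMPLE_SOURCE = (
    "// allow only requests from the corporate network range\n"
    "var ip = environment.get('requestIp');\n"
    "authorized = ip != null && ip.toString().indexOf('10.0.') == 0;\n"
)


def encode_script(source):
    """UTF-8 encode the source text, then Base64 it, as the endpoint requires."""
    return base64.b64encode(source.encode("utf-8")).decode("ascii")


def decode_script(encoded):
    """Reverse of encode_script. Invalid Base64 or non-UTF-8 bytes raise, which is
    the client-side twin of the server's 'Failed to decode UTF-8 encoded script'."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def build_validate_request(source, language):
    """Body for POST .../scripts?_action=validate."""
    if language not in SUPPORTED_LANGUAGES:
        raise ValueError("Scripting language not supported: %r" % language)
    return {"script": encode_script(source), "language": language}


def build_create_body(name, description, source, language, context):
    """Body for script creation, enforcing the rule from the context field that
    client-side authentication scripts must be JavaScript."""
    if context not in SUPPORTED_CONTEXTS:
        raise ValueError("unknown context: %r" % context)
    if context == "AUTHENTICATION_CLIENT_SIDE" and language != "JAVASCRIPT":
        raise ValueError("client-side scripts must be written in JavaScript")
    body = build_validate_request(source, language)
    body.update({"name": name, "description": description, "context": context})
    return body


def unexpected_modifications(scripts, trusted_modifiers):
    """Given script resources from a query (assumed: the 'result' array of the CREST
    response), return the server-side scripts whose lastModifiedBy DN is not in the
    trusted set, with the source decoded so a reviewer can read what runs in OpenAM."""
    findings = []
    for s in scripts:
        if s.get("context") == "AUTHENTICATION_CLIENT_SIDE":
            continue  # runs in the browser, not in the server JVM
        if s.get("lastModifiedBy") in trusted_modifiers:
            continue
        findings.append({
            "_id": s.get("_id"),
            "name": s.get("name"),
            "context": s.get("context"),
            "lastModifiedBy": s.get("lastModifiedBy"),
            "source": decode_script(s["script"]),
        })
    return findings


# Constructed query result for illustration; ids and DNs are made up.
SAMPLE_QUERY_RESULT = [
    {"_id": "7a2c1f4e-1111-4c3a-9d2e-000000000001", "name": "Corp network only",
     "language": "JAVASCRIPT", "context": "POLICY_CONDITION",
     "script": encode_script(SAMPLE_SOURCE),
     "lastModifiedBy": "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org"},
    {"_id": "7a2c1f4e-1111-4c3a-9d2e-000000000002", "name": "Device collector",
     "language": "JAVASCRIPT", "context": "AUTHENTICATION_CLIENT_SIDE",
     "script": encode_script("// runs in the browser\n"),
     "lastModifiedBy": "id=contractor,ou=user,dc=openam,dc=forgerock,dc=org"},
    {"_id": "7a2c1f4e-1111-4c3a-9d2e-000000000003", "name": "Claims mapper",
     "language": "GROOVY", "context": "OIDC_CLAIMS",
     "script": encode_script("claims.put('department', 'sales')\n"),
     "lastModifiedBy": "id=contractor,ou=user,dc=openam,dc=forgerock,dc=org"},
]
```

Server-side scripts execute inside OpenAM with the server's privileges, so the lastModifiedBy and lastModifiedDate fields in the schema are worth reading as an audit trail: run unexpected_modifications over the query output after a change window and review any decoded source it returns.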
Query by Filter
List all the scripts in a realm, as well as any global scripts
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ |  |
This operation returns a response resource that conforms to the following schema:
{
"description" : "Script resource endpoint json schema",
"type" : "object",
"title" : "Script resource schema",
"properties" : {
"_id" : {
"title" : "Script unique ID",
"description" : "A unique ID for a script configuration, provided by the server",
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION (Policy Condition); AUTHENTICATION_SERVER_SIDE (Server-side Authentication); AUTHENTICATION_CLIENT_SIDE (Client-side Authentication; client-side scripts must be written in JavaScript); OIDC_CLAIMS (OIDC Claims)",
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"type" : "string"
},
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"type" : "number"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"type" : "number"
}
},
"required" : [ "name", "description", "script", "language", "context" ]
}
/scripts/{scriptId}
1.1
The script resources service is responsible for managing scripts used for client-side and server-side scripted authentication, custom policy conditions, and handling OpenID Connect claims. Scripts are represented in JSON and take the form shown in the schema below, built from standard JSON objects and values (strings, numbers, objects, arrays, true, false, and null). Each script has a system-generated universally unique identifier (UUID), which must be used when modifying an existing script; renaming a script does not change its UUID.
Create
Create a script in a realm. The value for script must be in UTF-8 format and then encoded into Base64.
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| scriptId |  | The unique identifier of the script | ✓ | path |  |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"description" : "Script resource endpoint json schema",
"type" : "object",
"title" : "Script resource schema",
"properties" : {
"_id" : {
"title" : "Script unique ID",
"description" : "A unique ID for a script configuration, provided by the server",
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION (Policy Condition); AUTHENTICATION_SERVER_SIDE (Server-side Authentication); AUTHENTICATION_CLIENT_SIDE (Client-side Authentication; client-side scripts must be written in JavaScript); OIDC_CLAIMS (OIDC Claims)",
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"type" : "string"
},
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"type" : "number"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"type" : "number"
}
},
"required" : [ "name", "description", "script", "language", "context" ]
}
| Code | Description |
|---|---|
|  | Failed to decode UTF-8 encoded script |
Read
Read an individual script in a realm by specifying the UUID parameter
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| scriptId |  | The unique identifier of the script | ✓ | path |  |
This operation returns a response resource that conforms to the following schema:
{
"description" : "Script resource endpoint json schema",
"type" : "object",
"title" : "Script resource schema",
"properties" : {
"_id" : {
"title" : "Script unique ID",
"description" : "A unique ID for a script configuration, provided by the server",
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION : Policy Condition AUTHENTICATION_SERVER_SIDE : Server-side Authentication AUTHENTICATION_CLIENT_SIDE : Client-side Authentication - Note Client-side scripts must be written in JavaScript OIDC_CLAIMS : OIDC Claims",
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"type" : "string"
},
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"type" : "number"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"type" : "number"
}
},
"required" : [ "name", "description", "script", "language", "context" ]
}
| Code | Description |
|---|---|
| | Script with UUID could not be found in realm |
Update
Update an individual script in a realm specified by the UUID parameter
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The unique identifier of the script | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"description" : "Script resource endpoint json schema",
"type" : "object",
"title" : "Script resource schema",
"properties" : {
"_id" : {
"title" : "Script unique ID",
"description" : "A unique ID for a script configuration, provided by the server",
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION : Policy Condition AUTHENTICATION_SERVER_SIDE : Server-side Authentication AUTHENTICATION_CLIENT_SIDE : Client-side Authentication - Note Client-side scripts must be written in JavaScript OIDC_CLAIMS : OIDC Claims",
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"type" : "string"
},
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"type" : "number"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"type" : "number"
}
},
"required" : [ "name", "description", "script", "language", "context" ]
}
| Code | Description |
|---|---|
| | A script must be specified |
| | Failed to decode UTF-8 encoded script |
| | Script name must be specified |
| | Script type must be specified |
| | Script type not recognised |
| | Scripting language must be specified |
| | Scripting language not supported |
| | Script with UUID could not be found in realm |
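Every error the Update operation lists, apart from the missing-UUID case, is something a client can detect before it sends the request. The Python below is an added example, not OpenAM code or part of this descriptor: it encodes script source the way the `script` field requires (UTF-8, then Base64), validates a script resource against the `language` and `context` values the schema allows using the descriptor's own error wording, and builds an Update body from a previously read resource with the server-managed fields (`_id`, `createdBy`, `creationDate`, `lastModifiedBy`, `lastModifiedDate`) stripped. The sample resource, its DN and its ID are constructed; the message for a non-JavaScript client-side script is my own wording, since the page states the rule but lists no error text for it.

```python
import base64
import json

# Allowed values, taken from the script resource schema on this page.
SUPPORTED_LANGUAGES = {"JAVASCRIPT", "GROOVY"}
SUPPORTED_CONTEXTS = {
    "POLICY_CONDITION",
    "AUTHENTICATION_SERVER_SIDE",
    "AUTHENTICATION_CLIENT_SIDE",
    "OIDC_CLAIMS",
}
# Populated by the server; they carry no meaning in an update body.
SERVER_MANAGED_FIELDS = ("_id", "createdBy", "creationDate",
                         "lastModifiedBy", "lastModifiedDate")


def encode_script(source: str) -> str:
    """Encode script source as the 'script' field expects: UTF-8 bytes, then Base64."""
    return base64.b64encode(source.encode("utf-8")).decode("ascii")


def decode_script(encoded: str) -> str:
    """Inverse of encode_script; raises ValueError on bad Base64 or non-UTF-8 bytes."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def validate_script_resource(resource: dict) -> list:
    """Return the problems with a script resource (empty list if it is acceptable).

    Messages mirror the error descriptions listed for the Update operation, so a
    client can reject a bad payload before it reaches the server.  The rule that
    client-side scripts must be JavaScript comes from the 'context' description."""
    problems = []
    if not resource.get("name"):
        problems.append("Script name must be specified")

    script = resource.get("script")
    if not script:
        problems.append("A script must be specified")
    else:
        try:
            decode_script(script)
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
            problems.append("Failed to decode UTF-8 encoded script")

    language = resource.get("language")
    if not language:
        problems.append("Scripting language must be specified")
    elif language not in SUPPORTED_LANGUAGES:
        problems.append("Scripting language not supported")

    context = resource.get("context")
    if not context:
        problems.append("Script type must be specified")
    elif context not in SUPPORTED_CONTEXTS:
        problems.append("Script type not recognised")
    elif context == "AUTHENTICATION_CLIENT_SIDE" and language != "JAVASCRIPT":
        # Own wording (assumption): the page states the rule but gives no error text.
        problems.append("Client-side scripts must be written in JavaScript")
    return problems


def build_update_body(existing: dict, new_source: str) -> dict:
    """Build the Update request body from a resource returned by Read.

    Drops server-managed fields, re-encodes the new source and raises ValueError,
    using the server's own wording, if the result would be rejected."""
    body = {k: v for k, v in existing.items() if k not in SERVER_MANAGED_FIELDS}
    body["script"] = encode_script(new_source)
    problems = validate_script_resource(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body


# Constructed sample of what a Read might return (placeholder ID and DN, not real data).
SAMPLE_READ = {
    "_id": "00000000-0000-0000-0000-000000000000",
    "name": "Example policy condition",
    "description": "Constructed sample for the example",
    "script": encode_script("authorized = true;"),
    "language": "JAVASCRIPT",
    "context": "POLICY_CONDITION",
    "createdBy": "id=admin,ou=user,dc=example,dc=com",
    "creationDate": 1,
    "lastModifiedBy": "id=admin,ou=user,dc=example,dc=com",
    "lastModifiedDate": 1,
}

if __name__ == "__main__":
    print(json.dumps(build_update_body(SAMPLE_READ, "authorized = false;"), indent=2))
```

The validator deliberately checks the Base64 strictly (`validate=True`) and then the UTF-8 decoding separately, because the server's single "Failed to decode UTF-8 encoded script" error covers both failure modes and a client wants to know which one it hit.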
Delete
Delete an individual script in a realm specified by the UUID parameter
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The unique identifier of the script | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"description" : "Script resource endpoint json schema",
"type" : "object",
"title" : "Script resource schema",
"properties" : {
"_id" : {
"title" : "Script unique ID",
"description" : "A unique ID for a script configuration, provided by the server",
"type" : "string"
},
"name" : {
"title" : "Script name",
"description" : "The name provided for the script",
"type" : "string"
},
"description" : {
"title" : "Script description",
"description" : "An optional text string to help identify the script",
"type" : "string"
},
"script" : {
"title" : "Script",
"description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
"type" : "string"
},
"language" : {
"title" : "Script language",
"description" : "The language the script is written in - JAVASCRIPT or GROOVY",
"type" : "string"
},
"context" : {
"title" : "Script type",
"description" : "The script type. Supported values are: POLICY_CONDITION : Policy Condition AUTHENTICATION_SERVER_SIDE : Server-side Authentication AUTHENTICATION_CLIENT_SIDE : Client-side Authentication - Note Client-side scripts must be written in JavaScript OIDC_CLAIMS : OIDC Claims",
"type" : "string"
},
"createdBy" : {
"title" : "Created by",
"description" : "A string containing the universal identifier DN of the subject that created the script",
"type" : "string"
},
"creationDate" : {
"title" : "Creation date",
"description" : "An integer containing the creation date and time, in ISO 8601 format",
"type" : "number"
},
"lastModifiedBy" : {
"title" : "Last modifier",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last modification date",
"description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
"type" : "number"
}
},
"required" : [ "name", "description", "script", "language", "context" ]
}
| Code | Description |
|---|---|
| | Cannot find realm |
| | Default script cannot be deleted |
| | Script with UUID could not be found in realm |
| | Failed to delete script with UUID from realm |
| | The script is used multiple times |
| | The script is used once |
/selfservice/forgottenPassword
1.0
Self Service endpoint for retrieving a forgotten password
Read
Initialise the forgotten password reclamation process. A set of requirements is returned; fulfil them and send them to the submitRequirements action.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The initial requirements from an initialised forgotten password process.",
"type" : "object",
"title" : "Structure of requirements specification.",
"properties" : {
"type" : {
"type" : "string",
"title" : "Type",
"description" : "The type of the self service interaction."
},
"tag" : {
"type" : "string",
"title" : "Tag",
"description" : "The stage description tag."
},
"requirements" : {
"type" : "object",
"title" : "Requirements",
"description" : "A JSON Schema object that defines the input that must be submitted to the submitRequirements action.",
"patternProperties" : {
".*" : {
"type" : "any",
"title" : "Requirements Properties",
"description" : "Any valid JSON Schema properties may be included."
}
}
}
}
}
Action: submitRequirements
Submit some fulfilled requirements. Returns either a completion status, or a token along with some more requirements. If requirements are returned, they should be submitted with the token as a fresh request to this action.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The structure of a request to the submitRequirements action.",
"type" : "object",
"title" : "Submit requirements structure",
"properties" : {
"token" : {
"type" : "string",
"title" : "Token",
"description" : "The token returned from the previous submitRequirements request."
},
"input" : {
"type" : "object",
"title" : "Input",
"description" : "The input as collected from the user that has forgotten their password. This object must conform to the JSON Schema of the requirements property from the last response.",
"patternProperties" : {
".*" : {
"type" : "any",
"title" : "Input Property",
"description" : "Valid content according to the received JSON Schema."
}
}
}
},
"required" : [ "input" ]
}
This operation returns a response resource that conforms to the following schema:
{
"oneOf" : [ {
"type" : "object",
"title" : "More requirements response",
"description" : "If more requirements need fulfilling before the forgotten password process is completed, this response structure will be returned.",
"properties" : {
"token" : {
"type" : "string",
"title" : "Token",
"description" : "A token for the process that must be returned with the next set of requirements when they have been fulfilled."
},
"type" : {
"type" : "string",
"title" : "Type",
"description" : "The type of the self service interaction."
},
"tag" : {
"type" : "string",
"title" : "Tag",
"description" : "The stage description tag."
},
"requirements" : {
"type" : "object",
"title" : "Requirements",
"description" : "A JSON Schema object that defines the input that must be submitted to the submitRequirements action.",
"patternProperties" : {
".*" : {
"type" : "any",
"title" : "Requirements Properties",
"description" : "Any valid JSON Schema properties may be included."
}
}
}
}
}, {
"type" : "object",
"title" : "Completed process response",
"description" : "If all the requirements have been fulfilled and the forgotten password process is complete, this response structure will be used.",
"properties" : {
"status" : {
"type" : "object",
"title" : "status.title",
"description" : "status.description",
"properties" : {
"success" : {
"type" : "string",
"title" : "status.success.title",
"description" : "status.success.description"
}
}
}
}
} ],
"$schema" : "http://json-schema.org/draft-04/schema#",
"type" : "object"
}
/selfservice/forgottenUsername
1.0
Self Service endpoint for retrieving a forgotten username
Read
Initialise the forgotten username reclamation process. A set of requirements is returned; fulfil them and send them to the submitRequirements action.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The initial requirements from an initialised forgotten username process.",
"type" : "object",
"title" : "Structure of requirements specification.",
"properties" : {
"type" : {
"type" : "string",
"title" : "Type",
"description" : "The type of the self service interaction."
},
"tag" : {
"type" : "string",
"title" : "Tag",
"description" : "The stage description tag."
},
"requirements" : {
"type" : "object",
"title" : "Requirements",
"description" : "A JSON Schema object that defines the input that must be submitted to the submitRequirements action.",
"patternProperties" : {
".*" : {
"type" : "any",
"title" : "Requirements Properties",
"description" : "Any valid JSON Schema properties may be included."
}
}
}
}
}
Action: submitRequirements
Submit some fulfilled requirements. Returns either a completion status, or a token along with some more requirements. If requirements are returned, they should be submitted with the token as a fresh request to this action.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The structure of a request to the submitRequirements action.",
"type" : "object",
"title" : "Submit requirements structure",
"properties" : {
"token" : {
"type" : "string",
"title" : "Token",
"description" : "The token returned from the previous submitRequirements request."
},
"input" : {
"type" : "object",
"title" : "Input",
"description" : "The input as collected from the user that has forgotten their username. This object must conform to the JSON Schema of the requirements property from the last response.",
"patternProperties" : {
".*" : {
"type" : "any",
"title" : "Input Property",
"description" : "Valid content according to the received JSON Schema."
}
}
}
},
"required" : [ "input" ]
}
This operation returns a response resource that conforms to the following schema:
{
"oneOf" : [ {
"type" : "object",
"title" : "More requirements response",
"description" : "If more requirements need fulfilling before the forgotten username process is completed, this response structure will be returned.",
"properties" : {
"token" : {
"type" : "string",
"title" : "Token",
"description" : "A token for the process that must be returned with the next set of requirements when they have been fulfilled."
},
"type" : {
"type" : "string",
"title" : "Type",
"description" : "The type of the self service interaction."
},
"tag" : {
"type" : "string",
"title" : "Tag",
"description" : "The stage description tag."
},
"requirements" : {
"type" : "object",
"title" : "Requirements",
"description" : "A JSON Schema object that defines the input that must be submitted to the submitRequirements action.",
"patternProperties" : {
".*" : {
"type" : "any",
"title" : "Requirements Properties",
"description" : "Any valid JSON Schema properties may be included."
}
}
}
}
}, {
"type" : "object",
"title" : "Completed process response",
"description" : "If all the requirements have been fulfilled and the forgotten username process is complete, this response structure will be used.",
"properties" : {
"status" : {
"type" : "object",
"title" : "status.title",
"description" : "status.description",
"properties" : {
"success" : {
"type" : "string",
"title" : "status.success.title",
"description" : "status.success.description"
}
}
}
}
} ],
"$schema" : "http://json-schema.org/draft-04/schema#",
"type" : "object"
}
/selfservice/kba
1.0
The KBA resource delivers the configured security questions.
Read
Read the configured security questions.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A list of Security questions and configuration.",
"type" : "object",
"title" : "KBA Resource",
"properties" : {
"questions" : {
"type" : "object",
"title" : "Security Questions",
"description" : "A list of Security questions.",
"patternProperties" : {
".*" : {
"type" : "object",
"title" : "Unique ID",
"description" : "Unique ID for the question.",
"patternProperties" : {
".*" : {
"type" : "string",
"title" : "Locale and Question",
"description" : "The language locale and the question."
}
}
}
}
},
"minimumAnswersToDefine" : {
"type" : "integer",
"title" : "Minimum Answers to Define",
"description" : "Number of security questions the user must provide during registration."
},
"minimumAnswersToVerify" : {
"type" : "integer",
"title" : "Minimum Answers to Verify",
"description" : "Number of security answers the user must provide during the forgotten flows."
}
},
"required" : [ "questions", "minimumAnswersToDefine", "minimumAnswersToVerify" ]
}
| Code | Description |
|---|---|
| | If an error occurs while reading the questions from the data store. |
/selfservice/userRegistration
1.0
Self Service endpoint for registering a new user
Read
Initialise the user registration process. A set of requirements is returned; fulfil them and send them to the submitRequirements action.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The initial requirements from an initialised user registration process.",
"type" : "object",
"title" : "Structure of requirements specification.",
"properties" : {
"type" : {
"type" : "string",
"title" : "Type",
"description" : "The type of the self service interaction."
},
"tag" : {
"type" : "string",
"title" : "Tag",
"description" : "The stage description tag."
},
"requirements" : {
"type" : "object",
"title" : "Requirements",
"description" : "A JSON Schema object that defines the input that must be submitted to the submitRequirements action.",
"patternProperties" : {
".*" : {
"type" : "any",
"title" : "Requirements Properties",
"description" : "Any valid JSON Schema properties may be included."
}
}
}
}
}
Action: submitRequirements
Submit some fulfilled requirements. Returns either a completion status, or a token along with some more requirements. If requirements are returned, they should be submitted with the token as a fresh request to this action.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The structure of a request to the submitRequirements action.",
"type" : "object",
"title" : "Submit requirements structure",
"properties" : {
"token" : {
"type" : "string",
"title" : "Token",
"description" : "The token returned from the previous submitRequirements request."
},
"input" : {
"type" : "object",
"title" : "Input",
"description" : "The input as collected from the new user. This object must conform to the JSON Schema of the requirements property from the last response.",
"patternProperties" : {
".*" : {
"type" : "any",
"title" : "Input Property",
"description" : "Valid content according to the received JSON Schema."
}
}
}
},
"required" : [ "input" ]
}
This operation returns a response resource that conforms to the following schema:
{
"oneOf" : [ {
"type" : "object",
"title" : "More requirements response",
"description" : "If more requirements need fulfilling before the user registration process is completed, this response structure will be returned.",
"properties" : {
"token" : {
"type" : "string",
"title" : "Token",
"description" : "A token for the process that must be returned with the next set of requirements when they have been fulfilled."
},
"type" : {
"type" : "string",
"title" : "Type",
"description" : "The type of the self service interaction."
},
"tag" : {
"type" : "string",
"title" : "Tag",
"description" : "The stage description tag."
},
"requirements" : {
"type" : "object",
"title" : "Requirements",
"description" : "A JSON Schema object that defines the input that must be submitted to the submitRequirements action.",
"patternProperties" : {
".*" : {
"type" : "any",
"title" : "Requirements Properties",
"description" : "Any valid JSON Schema properties may be included."
}
}
}
}
}, {
"type" : "object",
"title" : "Completed process response",
"description" : "If all the requirements have been fulfilled and the user registration process is complete, this response structure will be used.",
"properties" : {
"status" : {
"type" : "object",
"title" : "status.title",
"description" : "status.description",
"properties" : {
"success" : {
"type" : "string",
"title" : "status.success.title",
"description" : "status.success.description"
}
}
}
}
} ],
"$schema" : "http://json-schema.org/draft-04/schema#",
"type" : "object"
}
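The forgottenPassword, forgottenUsername and userRegistration endpoints share one protocol: Read returns the first stage's `requirements`, and each submitRequirements call returns either another stage (with a `token` that must be echoed back unchanged) or a `status` object. The Python below is an added example, not OpenAM code, of a client that drives that loop generically for any of the three endpoints, paired with a constructed in-process stand-in for the server. The stand-in's stage tags, JSON Schemas and HMAC-based token format are assumptions for the demo only; the real token is opaque and its structure is not specified on this page.

```python
import hashlib
import hmac

MAX_STAGES = 10  # guard against a server that never returns a status


def check_required(requirements: dict, user_input: dict) -> None:
    """Light client-side check: every property the stage's JSON Schema marks as
    required must be present before the input is submitted (full JSON Schema
    validation is out of scope here)."""
    missing = [key for key in requirements.get("required", []) if key not in user_input]
    if missing:
        raise ValueError(f"input is missing required properties: {missing}")


def run_self_service(read, submit, answer, max_stages: int = MAX_STAGES) -> bool:
    """Drive one self-service process to completion and return status.success.

    read()            -> the Read response (type, tag, requirements)
    submit(body)      -> the submitRequirements response
    answer(tag, reqs) -> the input dict for that stage"""
    response = read()
    for _ in range(max_stages):
        if "status" in response:
            return bool(response["status"].get("success"))
        user_input = answer(response["tag"], response["requirements"])
        check_required(response["requirements"], user_input)
        body = {"input": user_input}
        if "token" in response:  # absent on the initial Read, present on every later stage
            body["token"] = response["token"]
        response = submit(body)
    raise RuntimeError("process did not complete within the stage limit")


class FakeForgottenPasswordServer:
    """Constructed stand-in for the server side (not OpenAM code).  The token is an
    HMAC over the stage number, so a tampered token is rejected and a client cannot
    jump to a later stage without completing the earlier ones."""

    STAGES = [
        ("initial", {"type": "object", "required": ["username"],
                     "properties": {"username": {"type": "string"}}}),
        ("resetStage", {"type": "object", "required": ["password"],
                        "properties": {"password": {"type": "string"}}}),
    ]

    def __init__(self, secret: bytes = b"constructed-demo-secret"):
        self._secret = secret
        self.submitted = []  # (tag, input) pairs the server accepted

    def _requirements(self, stage: int) -> dict:
        tag, schema = self.STAGES[stage]
        return {"type": "forgottenPassword", "tag": tag, "requirements": schema}

    def _token(self, stage: int) -> str:
        mac = hmac.new(self._secret, str(stage).encode(), hashlib.sha256).hexdigest()
        return f"{stage}.{mac}"

    def _stage_from_token(self, token: str) -> int:
        stage_text, _, mac = token.partition(".")
        expected = hmac.new(self._secret, stage_text.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("token failed verification")
        return int(stage_text)

    def read(self) -> dict:
        return self._requirements(0)

    def submit(self, body: dict) -> dict:
        stage = self._stage_from_token(body["token"]) if "token" in body else 0
        check_required(self.STAGES[stage][1], body["input"])
        self.submitted.append((self.STAGES[stage][0], body["input"]))
        nxt = stage + 1
        if nxt < len(self.STAGES):
            return {"token": self._token(nxt), **self._requirements(nxt)}
        return {"status": {"success": True}}


def demo_answer(tag: str, requirements: dict) -> dict:
    """Constructed user answers, keyed by the stage tag."""
    return {"initial": {"username": "alice"},
            "resetStage": {"password": "correct horse battery staple"}}[tag]


if __name__ == "__main__":
    server = FakeForgottenPasswordServer()
    print(run_self_service(server.read, server.submit, demo_answer))
```

With a real deployment, `read` would be a GET on the endpoint and `submit` a POST with `_action=submitRequirements`; the loop body does not change. Keeping the token opaque on the client side matters: any client that parses or edits it is relying on an implementation detail the page does not promise.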
/serverinfo
1.1
Provides information about the server.
/serverinfo/version
1.0
Server Version schema
Read
Returns information about OpenAM: version, revision and build date.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "OpenAM server version",
"type" : "object",
"title" : "Server Version",
"properties" : {
"version" : {
"type" : "string",
"title" : "Version",
"description" : "OpenAM version"
},
"fullVersion" : {
"type" : "string",
"title" : "Full Version",
"description" : "The full OpenAM version string"
},
"revision" : {
"type" : "string",
"title" : "Revision",
"description" : "Build identifier"
},
"date" : {
"type" : "string",
"title" : "Date",
"description" : "Build starting time"
}
},
"required" : [ "version", "revision", "date" ]
}
| Code | Description |
|---|---|
| | Access denied. Causes may be one of: the user has insufficient privileges; the SSO header is missing from the request; the user has not been authenticated. |
/serverinfo/{resourceId}
1.1
Provides information about the server.
Read
Read the server information.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | Server Information Identifier. | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"description" : "Represents server information.",
"id" : "urn:jsonschema:org:forgerock:openam:core:rest:server:models:ServerInfo",
"type" : "object",
"title" : "Site",
"properties" : {
"domains" : {
"type" : "array",
"description" : "The list of domains into which OpenAM writes cookies.",
"title" : "Cookie domains",
"items" : {
"type" : "string"
}
},
"protectedUserAttributes" : {
"type" : "array",
"description" : "A list of user profile attributes. Users modifying any of the attributes in this list will be required to enter a password as confirmation before the change is accepted.",
"title" : "Protected user attributes",
"items" : {
"type" : "string"
}
},
"cookieName" : {
"type" : "string",
"description" : "Cookie name OpenAM uses to set a session handler ID during authentication.",
"title" : "Cookie name"
},
"secureCookie" : {
"type" : "boolean",
"description" : "If yes, then OpenAM sets the cookie in secure mode such that the browser only returns the cookie if a secure protocol such as HTTPS is used.",
"title" : "Secure cookie"
},
"forgotPassword" : {
"type" : "string",
"description" : "True if forgotten password is enabled.",
"title" : "Forgotten password"
},
"forgotUsername" : {
"type" : "string",
"description" : "True if forgotten username is enabled.",
"title" : "Forgot username"
},
"kbaEnabled" : {
"type" : "string",
"description" : "True if security questions are enabled.",
"title" : "Security questions"
},
"selfRegistration" : {
"type" : "string",
"description" : "True if self registration is enabled.",
"title" : "Self registration"
},
"lang" : {
"type" : "string",
"description" : "The locale.",
"title" : "Locale"
},
"successfulUserRegistrationDestination" : {
"type" : "string",
"description" : "URL for redirect after successful user registration.",
"title" : "Successful user registration destination"
},
"socialImplementations" : {
"type" : "array",
"description" : "List of social authentication implementations.",
"title" : "Social implementations",
"items" : {
"type" : "object",
"id" : "urn:jsonschema:org:forgerock:openam:core:rest:server:SocialAuthenticationImplementation",
"title" : "Social authentication Implementation",
"properties" : {
"iconPath" : {
"type" : "string",
"title" : "Icon path"
},
"authnChain" : {
"type" : "string",
"title" : "Authentication chain"
},
"displayName" : {
"type" : "string",
"title" : "Display name"
}
}
}
},
"referralsEnabled" : {
"type" : "string",
"description" : "If yes, then OpenAM allows creation of policies for HTTP and HTTPS resources whose FQDN matches the DNS alias for the realm even when no referral policy exists.",
"title" : "Referrals enabled"
},
"zeroPageLogin" : {
"type" : "object",
"id" : "urn:jsonschema:com:sun:identity:authentication:client:ZeroPageLoginConfig",
"description" : "Whether zero page login is enabled.",
"title" : "Zero page login config",
"properties" : {
"enabled" : {
"type" : "boolean",
"description" : "True if Zero page login is enabled",
"title" : "Zero Page Login Enabled"
},
"refererWhitelist" : {
"type" : "array",
"items" : {
"type" : "string"
}
},
"allowedWithoutReferer" : {
"type" : "boolean"
}
}
},
"realm" : {
"type" : "string",
"description" : "The realm of the server.",
"title" : "Realm"
},
"xuiUserSessionValidationEnabled" : {
"type" : "boolean",
"description" : "True if XUI user session validation is enabled.",
"title" : "XUI user session validation enabled"
}
}
}
| Code | Description |
|---|---|
| | The given resourceId is not supported for the read operation. |
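A `/serverinfo/*` read returns the whole configuration block above in one document, which also makes it a quick way to review a deployment's posture. The Python below is an added example, not OpenAM code: it audits a serverinfo response for a session cookie that is not marked Secure, zero page login that is enabled with `allowedWithoutReferer` or with an empty `refererWhitelist`, an empty `protectedUserAttributes` list, and which self-service flows are switched on. The schema types `forgotPassword`, `forgotUsername`, `kbaEnabled` and `selfRegistration` as strings while `secureCookie` and `zeroPageLogin.enabled` are booleans, so the check parses both forms rather than letting the string `"false"` count as truthy. Both sample responses are constructed.

```python
def as_bool(value) -> bool:
    """Accept the schema's string flags ("true"/"false") as well as real booleans."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def audit_server_info(info: dict) -> list:
    """Return hardening findings for a /serverinfo/* read response; empty if none.
    Messages starting with 'info:' are not weaknesses, just things to confirm."""
    findings = []

    if not as_bool(info.get("secureCookie", False)):
        findings.append(f"session cookie {info.get('cookieName', '?')} is not marked Secure; "
                        "a browser will also send it over plain HTTP")

    zpl = info.get("zeroPageLogin") or {}
    if as_bool(zpl.get("enabled", False)):
        if as_bool(zpl.get("allowedWithoutReferer", False)):
            findings.append("zero page login accepts requests with no Referer header")
        if not zpl.get("refererWhitelist"):
            findings.append("zero page login is enabled with an empty referer whitelist")

    for flag, label in (("selfRegistration", "self registration"),
                        ("forgotPassword", "forgotten password"),
                        ("forgotUsername", "forgotten username")):
        if as_bool(info.get(flag, "false")):
            findings.append(f"info: {label} self-service is enabled in realm "
                            f"{info.get('realm', '?')}; confirm it is intended")

    if not info.get("protectedUserAttributes"):
        findings.append("no user attributes require password confirmation before change")

    return findings


# Constructed sample responses (cookie name and domains are placeholders, not real data).
WEAK_SAMPLE = {
    "cookieName": "iPlanetDirectoryPro",
    "secureCookie": False,
    "domains": [".example.com"],
    "protectedUserAttributes": [],
    "forgotPassword": "true",
    "forgotUsername": "false",
    "kbaEnabled": "true",
    "selfRegistration": "true",
    "zeroPageLogin": {"enabled": True, "refererWhitelist": [], "allowedWithoutReferer": True},
    "realm": "/",
}

HARDENED_SAMPLE = {
    "cookieName": "iPlanetDirectoryPro",
    "secureCookie": True,
    "domains": [".example.com"],
    "protectedUserAttributes": ["mail", "telephoneNumber"],
    "forgotPassword": "false",
    "forgotUsername": "false",
    "kbaEnabled": "false",
    "selfRegistration": "false",
    "zeroPageLogin": {"enabled": False, "refererWhitelist": [], "allowedWithoutReferer": False},
    "realm": "/",
}

if __name__ == "__main__":
    for finding in audit_server_info(WEAK_SAMPLE):
        print("-", finding)
```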
/sessions
1.2
Represents sessions that can be queried via the REST interface.
Action: deleteProperty
Deletes the named properties from the session.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Boolean response either true or false",
"type" : "object",
"title" : "Boolean response",
"properties" : {
"success" : {
"type" : "boolean",
"title" : "Success",
"description" : "True if operation succeeded otherwise false"
}
},
"required" : [ "success" ]
}
| Code | Description |
|---|---|
| | The "Content-Type: application/json" header is missing from the request, or the request body is missing or malformed. |
| | The SSO header is missing from the request, the user token is not valid, or the user is not an administrator. |
Action: getIdle
Using the token ID supplied by the invoker, finds the session and, if it is valid, returns its idle time in seconds, or -1 if the token is invalid.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Session idle time response",
"type" : "object",
"title" : "Session idle time response",
"properties" : {
"idletime" : {
"type" : "integer",
"title" : "Session idle time",
"description" : "The amount of time in seconds that a stateful session has been idle"
}
},
"required" : [ "idletime" ]
}
| Code | Description |
|---|---|
| | The SSO header is missing from the request, the user token is not valid, or the user is not an administrator. |
Action: getMaxIdle
Returns the maximum time a session may remain idle. Note the unit: the response schema below reports it in minutes, whereas getIdle reports the elapsed idle time in seconds.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Maximum session idle time",
"type" : "object",
"title" : "Maximum session idle time",
"properties" : {
"maxidletime" : {
"type" : "integer",
"title" : "Maximum session idle time",
"description" : "Maximum session idle time in minutes"
}
},
"required" : [ "maxidletime" ]
}
| Code | Description |
|---|---|
| | The SSO header is missing from the request, the user token is not valid, or the user is not an administrator. |
Action: getMaxSessionTime
Returns the maximum possible length of the session, in minutes.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Maximum length of session response",
"type" : "object",
"title" : "Maximum length of session response",
"properties" : {
"maxsessiontime" : {
"type" : "integer",
"title" : "Maximum length of session",
"description" : "Maximum possible length of session in minutes"
}
},
"required" : [ "maxsessiontime" ]
}
| Code | Description |
|---|---|
| | The SSO header is missing from the request, the user token is not valid, or the user is not an administrator. |
Action: getMaxTime
Using the token ID supplied by the invoker, finds the session and, if it is valid, returns its remaining life in seconds as a JSON number, or -1 if the token is invalid.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Remaining session time response",
"type" : "object",
"title" : "Remaining session time response",
"properties" : {
"maxtime" : {
"type" : "integer",
"title" : "Remaining session time",
"description" : "Remaining session time in seconds"
}
},
"required" : [ "maxtime" ]
}
| Code | Description |
|---|---|
| | The SSO header is missing from the request, the user token is not valid, or the user is not an administrator. |
Action: getProperty
If specific properties are requested, returns only those; if none are specified, returns the name and value of every whitelisted property.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Property",
"description" : "Property"
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names and values",
"type" : "object",
"title" : "List of properties"
}
| Code | Description |
|---|---|
| | The "Content-Type: application/json" header is missing from the request. |
| | The SSO header is missing from the request, the user token is not valid, or the user is not an administrator. |
Action: getPropertyNames
Returns the names of all whitelisted session properties.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: getTimeLeft
Using the token id specified by the invoker, finds the token and, if it is valid, returns its remaining life in seconds as a JSON value, or -1 if the token is invalid.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Remaining session time response",
"type" : "object",
"title" : "Remaining session time response",
"properties" : {
"maxtime" : {
"type" : "integer",
"title" : "Remaining session time",
"description" : "Remaining session time in seconds"
}
},
"required" : [ "maxtime" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: isActive
Determines whether the token id passed as an argument to the REST call is valid and optionally refreshes it. This differs from validateSession in that it, rather inconveniently, requires the caller to be logged in as admin before it can be invoked. Returns a JSON 'true' or 'false' depending on whether the token is valid.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Is session active response",
"type" : "object",
"title" : "Is session active response",
"properties" : {
"active" : {
"type" : "boolean",
"title" : "Active",
"description" : "True if the session is active, false otherwise"
}
},
"required" : [ "active" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: logout
It logs the session out of OpenAM.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Logout response",
"type" : "object",
"title" : "Logout response",
"properties" : {
"result" : {
"type" : "string",
"title" : "Result",
"description" : "Logout result"
}
},
"required" : [ "result" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: setProperty
It sets a set of session properties.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation takes a request resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Property",
"description" : "Property"
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names and values",
"type" : "object",
"title" : "List of properties"
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Boolean response either true or false",
"type" : "object",
"title" : "Boolean response",
"properties" : {
"success" : {
"type" : "boolean",
"title" : "Success",
"description" : "True if operation succeeded otherwise false"
}
},
"required" : [ "success" ]
}
| Code | Description |
|---|---|
| | It happens when the header "Content-Type"="application/json" is missing in the request. |
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
| | It happens when the type of the property to be set is not string. |
Action: validate
It checks whether the specified SSO Token Id is valid. If any problem getting or validating the token causes an exception, the JSON response will be false; likewise, if the token is expired, the JSON response will be false. Otherwise it will be true.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Validate session response",
"type" : "object",
"title" : "Validate session response",
"properties" : {
"valid" : {
"type" : "boolean",
"title" : "Valid",
"description" : "True if the session is valid, false otherwise"
},
"uid" : {
"type" : "string",
"title" : "User",
"description" : "User id"
},
"realm" : {
"type" : "string",
"title" : "Realm",
"description" : "Realm"
}
},
"required" : [ "valid", "uid", "realm" ]
}
Query by ID: all
It queries all Sessions across all servers. This may not function correctly on systems with a large number of active sessions due to constraints on the size of result sets that may be returned from certain queries. For example, OpenDJ would perform this as an unindexed search and has a maximum limit of results that unindexed searches may return. It is deprecated in favour of later versions of this endpoint’s query support.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Session schema",
"type" : "object",
"title" : "Session",
"properties" : {
"timeleft" : {
"type" : "integer",
"title" : "Time Left",
"description" : "Time in seconds when the session is active"
},
"userid" : {
"type" : "string",
"title" : "User Id",
"description" : "Identifier of the session owner"
}
},
"required" : [ "timeleft", "userid" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
2.1
Represents Sessions that can be queried via a REST interface.
Action: getSessionInfo
It reads and returns the information about the requested session.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"description" : "Session schema",
"id" : "urn:jsonschema:org:forgerock:openam:dpro:session:PartialSession",
"type" : "object",
"title" : "Session",
"properties" : {
"username" : {
"type" : "string",
"description" : "The user friendly version of the username.",
"title" : "Username"
},
"universalId" : {
"type" : "string",
"description" : "The universal ID used by OpenAM to uniquely identify the identity",
"title" : "Universal ID"
},
"realm" : {
"type" : "string",
"description" : "The realm in user friendly slash (/) separated format.",
"title" : "Realm"
},
"sessionHandle" : {
"type" : "string",
"description" : "The session handle that can be used to invalidate the session.",
"title" : "Session Handle"
},
"latestAccessTime" : {
"type" : "string",
"description" : "The timestamp of when the session was last used.",
"title" : "Latest Access Time"
},
"maxIdleExpirationTime" : {
"type" : "string",
"description" : "The timestamp of when the session would time out due to no activity.",
"title" : "Max Idle Expiration Time"
},
"maxSessionExpirationTime" : {
"type" : "string",
"description" : "The timestamp of when the session would time out regardless of activity.",
"title" : "Max Session Expiration Time"
}
}
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: getSessionProperties
It reads and returns all of the whitelisted properties for the requested session.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: logout
It logs the session out of OpenAM.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: logoutByHandle
It logs out sessions based on the provided session handles.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Logout By Handle request",
"type" : "object",
"title" : "Logout By Handle request",
"properties" : {
"sessionHandles" : {
"title" : "Session handles",
"description" : "The array of session handles that needs to be invalidated.",
"type" : "array",
"items" : {
"type" : "string"
}
}
},
"required" : [ "sessionHandles" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Logout By Handle response",
"type" : "object",
"title" : "Logout By Handle response",
"properties" : {
"result" : {
"title" : "Result",
"description" : "Logout result. The key is the session handle, the value is whether the logout was successful.",
"type" : "object",
"patternProperties" : {
"shandle:.+" : {
"type" : "boolean"
}
}
}
},
"required" : [ "result" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: refresh
Suggests to OpenAM that it should refresh this session (update its latest access time and reset its idleTime to 0). This will only be obeyed if the time between the session’s previous latest access time and now is greater than the value configured for the server’s Latest Access Time Update Frequency setting, which defaults to 60 seconds.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: updateSessionProperties
It updates and returns all of the whitelisted properties for the requested session.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: validate
It checks whether the specified SSO Token Id is valid. If any problem getting or validating the token causes an exception, the JSON response will be false; likewise, if the token is expired, the JSON response will be false. Otherwise it will be true.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Validate session response",
"type" : "object",
"title" : "Validate session response",
"properties" : {
"valid" : {
"type" : "boolean",
"title" : "Valid",
"description" : "True if the session is valid, false otherwise"
},
"uid" : {
"type" : "string",
"title" : "User",
"description" : "User id"
},
"realm" : {
"type" : "string",
"title" : "Realm",
"description" : "Realm"
}
},
"required" : [ "valid", "uid", "realm" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Query by Filter
It queries all sessions using the provided query filter.
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"description" : "Session schema",
"id" : "urn:jsonschema:org:forgerock:openam:dpro:session:PartialSession",
"type" : "object",
"title" : "Session",
"properties" : {
"username" : {
"type" : "string",
"description" : "The user friendly version of the username.",
"title" : "Username"
},
"universalId" : {
"type" : "string",
"description" : "The universal ID used by OpenAM to uniquely identify the identity",
"title" : "Universal ID"
},
"realm" : {
"type" : "string",
"description" : "The realm in user friendly slash (/) separated format.",
"title" : "Realm"
},
"sessionHandle" : {
"type" : "string",
"description" : "The session handle that can be used to invalidate the session.",
"title" : "Session Handle"
},
"latestAccessTime" : {
"type" : "string",
"description" : "The timestamp of when the session was last used.",
"title" : "Latest Access Time"
},
"maxIdleExpirationTime" : {
"type" : "string",
"description" : "The timestamp of when the session would time out due to no activity.",
"title" : "Max Idle Expiration Time"
},
"maxSessionExpirationTime" : {
"type" : "string",
"description" : "The timestamp of when the session would time out regardless of activity.",
"title" : "Max Session Expiration Time"
}
}
}
| Code | Description |
|---|---|
| | It happens when the provided query filter does not specify the realm. |
| | An unexpected server error happened during processing. |
3.1
Represents Sessions that can be queried via a REST interface.
Action: getSessionInfo
It reads and returns the information about the requested session.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Action request",
"title" : "Action request",
"type" : "object",
"properties" : {
"tokenId" : {
"title" : "The tokenId",
"description" : "The tokenId of the user you request information for",
"type" : "string"
}
},
"required" : [ "tokenId" ]
}
This operation returns a response resource that conforms to the following schema:
{
"description" : "Session schema",
"id" : "urn:jsonschema:org:forgerock:openam:dpro:session:PartialSession",
"type" : "object",
"title" : "Session",
"properties" : {
"username" : {
"type" : "string",
"description" : "The user friendly version of the username.",
"title" : "Username"
},
"universalId" : {
"type" : "string",
"description" : "The universal ID used by OpenAM to uniquely identify the identity",
"title" : "Universal ID"
},
"realm" : {
"type" : "string",
"description" : "The realm in user friendly slash (/) separated format.",
"title" : "Realm"
},
"sessionHandle" : {
"type" : "string",
"description" : "The session handle that can be used to invalidate the session.",
"title" : "Session Handle"
},
"latestAccessTime" : {
"type" : "string",
"description" : "The timestamp of when the session was last used.",
"title" : "Latest Access Time"
},
"maxIdleExpirationTime" : {
"type" : "string",
"description" : "The timestamp of when the session would time out due to no activity.",
"title" : "Max Idle Expiration Time"
},
"maxSessionExpirationTime" : {
"type" : "string",
"description" : "The timestamp of when the session would time out regardless of activity.",
"title" : "Max Session Expiration Time"
}
}
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: getSessionProperties
It reads and returns all of the whitelisted properties for the requested session.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Action request",
"title" : "Action request",
"type" : "object",
"properties" : {
"tokenId" : {
"title" : "The tokenId",
"description" : "The tokenId of the user you request information for",
"type" : "string"
}
},
"required" : [ "tokenId" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: logout
It logs the session out of OpenAM.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Action request",
"title" : "Action request",
"type" : "object",
"properties" : {
"tokenId" : {
"title" : "The tokenId",
"description" : "The tokenId of the user you request information for",
"type" : "string"
}
},
"required" : [ "tokenId" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: logoutByHandle
It logs out sessions based on the provided session handles.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Logout By Handle request",
"type" : "object",
"title" : "Logout By Handle request",
"properties" : {
"sessionHandles" : {
"title" : "Session handles",
"description" : "The array of session handles that needs to be invalidated.",
"type" : "array",
"items" : {
"type" : "string"
}
}
},
"required" : [ "sessionHandles" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Logout By Handle response",
"type" : "object",
"title" : "Logout By Handle response",
"properties" : {
"result" : {
"title" : "Result",
"description" : "Logout result. The key is the session handle, the value is whether the logout was successful.",
"type" : "object",
"patternProperties" : {
"shandle:.+" : {
"type" : "boolean"
}
}
}
},
"required" : [ "result" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: refresh
Suggests to OpenAM that it should refresh this session (update its latest access time and reset its idleTime to 0). This will only be obeyed if the time between the session’s previous latest access time and now is greater than the value configured for the server’s Latest Access Time Update Frequency setting, which defaults to 60 seconds.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Action request",
"title" : "Action request",
"type" : "object",
"properties" : {
"tokenId" : {
"title" : "The tokenId",
"description" : "The tokenId of the user you request information for",
"type" : "string"
}
},
"required" : [ "tokenId" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
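The following Python helper is an added example, not code from the OpenAM descriptor or from ForgeRock. It builds the v3.1 "Action request" messages used by getSessionInfo, refresh and validate above, interprets a PartialSession response (seconds left before the idle and absolute timeouts, and whether a refresh would actually update the latest access time given the 60-second Latest Access Time Update Frequency), and extracts the failed handles from a logoutByHandle result. The base path /json/sessions, the SSO header name iPlanetDirectoryPro and the ISO 8601 UTC timestamp format are assumptions not stated on this page.

```python
import json
from datetime import datetime, timezone

# Default from the refresh action description: a refresh is only obeyed when
# more than this many seconds have passed since the session's latest access time.
LATEST_ACCESS_UPDATE_FREQUENCY_SECONDS = 60

# Assumptions (not stated on this page): the base path of the sessions endpoint
# and the name of the SSO header that carries the admin token.
SESSIONS_PATH = "/json/sessions"
SSO_HEADER = "iPlanetDirectoryPro"


def build_action_request(base_url, action, token_id, admin_token, version="3.1"):
    """Return (url, headers, body) for a v3.1 session action such as
    getSessionInfo, refresh or validate. The body {"tokenId": ...} is the
    "Action request" schema documented for these actions."""
    url = f"{base_url.rstrip('/')}{SESSIONS_PATH}?_action={action}"
    headers = {
        "Content-Type": "application/json",
        "Accept-API-Version": f"resource={version}",
        SSO_HEADER: admin_token,
    }
    body = json.dumps({"tokenId": token_id})
    return url, headers, body


def parse_timestamp(value):
    # Assumed format for latestAccessTime and the expiration times:
    # ISO 8601 in UTC with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_session(partial_session, now):
    """Interpret a PartialSession as returned by getSessionInfo or a query.

    Returns the seconds left before the idle and absolute timeouts, whether the
    session has already timed out, and whether a refresh action would be obeyed."""
    latest = parse_timestamp(partial_session["latestAccessTime"])
    idle_deadline = parse_timestamp(partial_session["maxIdleExpirationTime"])
    hard_deadline = parse_timestamp(partial_session["maxSessionExpirationTime"])

    idle_left = int((idle_deadline - now).total_seconds())
    hard_left = int((hard_deadline - now).total_seconds())
    since_access = int((now - latest).total_seconds())

    return {
        "username": partial_session["username"],
        "realm": partial_session["realm"],
        "seconds_until_idle_timeout": idle_left,
        "seconds_until_max_timeout": hard_left,
        "timed_out": idle_left <= 0 or hard_left <= 0,
        # refresh only updates latestAccessTime once the update frequency has elapsed
        "refresh_would_update": since_access > LATEST_ACCESS_UPDATE_FREQUENCY_SECONDS,
    }


def failed_logouts(logout_by_handle_response):
    """From a logoutByHandle response, return the handles whose logout failed.
    The result object maps each "shandle:..." key to a boolean."""
    result = logout_by_handle_response["result"]
    return sorted(handle for handle, ok in result.items() if not ok)


# Constructed sample data (not captured from a real server).
SAMPLE_SESSION = {
    "username": "demo",
    "universalId": "id=demo,ou=user,dc=example,dc=com",
    "realm": "/",
    "sessionHandle": "shandle:EXAMPLE-HANDLE-1",
    "latestAccessTime": "2024-01-01T11:58:30Z",
    "maxIdleExpirationTime": "2024-01-01T12:28:30Z",
    "maxSessionExpirationTime": "2024-01-01T13:30:00Z",
}
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOGOUT = {"result": {"shandle:EXAMPLE-HANDLE-1": True,
                            "shandle:EXAMPLE-HANDLE-2": False}}

if __name__ == "__main__":
    print(build_action_request("https://am.example.com", "getSessionInfo",
                               "USER-TOKEN-PLACEHOLDER", "ADMIN-TOKEN-PLACEHOLDER"))
    print(assess_session(SAMPLE_SESSION, SAMPLE_NOW))
    print(failed_logouts(SAMPLE_LOGOUT))
```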
Action: updateSessionProperties
It updates and returns all of the whitelisted properties for the requested session.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Action request",
"title" : "Action request",
"type" : "object",
"properties" : {
"tokenId" : {
"title" : "The tokenId",
"description" : "The tokenId of the user you request information for",
"type" : "string"
}
},
"required" : [ "tokenId" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: validate
It checks whether the specified SSO Token Id is valid. If any problem getting or validating the token causes an exception, the JSON response will be false; likewise, if the token is expired, the JSON response will be false. Otherwise it will be true.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Action request",
"title" : "Action request",
"type" : "object",
"properties" : {
"tokenId" : {
"title" : "The tokenId",
"description" : "The tokenId of the user you request information for",
"type" : "string"
}
},
"required" : [ "tokenId" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Validate session response",
"type" : "object",
"title" : "Validate session response",
"properties" : {
"valid" : {
"type" : "boolean",
"title" : "Valid",
"description" : "True if the session is valid, false otherwise"
},
"uid" : {
"type" : "string",
"title" : "User",
"description" : "User id"
},
"realm" : {
"type" : "string",
"title" : "Realm",
"description" : "Realm"
}
},
"required" : [ "valid", "uid", "realm" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Query by Filter
It queries all sessions using the provided query filter.
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"description" : "Session schema",
"id" : "urn:jsonschema:org:forgerock:openam:dpro:session:PartialSession",
"type" : "object",
"title" : "Session",
"properties" : {
"username" : {
"type" : "string",
"description" : "The user friendly version of the username.",
"title" : "Username"
},
"universalId" : {
"type" : "string",
"description" : "The universal ID used by OpenAM to uniquely identify the identity",
"title" : "Universal ID"
},
"realm" : {
"type" : "string",
"description" : "The realm in user friendly slash (/) separated format.",
"title" : "Realm"
},
"sessionHandle" : {
"type" : "string",
"description" : "The session handle that can be used to invalidate the session.",
"title" : "Session Handle"
},
"latestAccessTime" : {
"type" : "string",
"description" : "The timestamp of when the session was last used.",
"title" : "Latest Access Time"
},
"maxIdleExpirationTime" : {
"type" : "string",
"description" : "The timestamp of when the session would time out due to no activity.",
"title" : "Max Idle Expiration Time"
},
"maxSessionExpirationTime" : {
"type" : "string",
"description" : "The timestamp of when the session would time out regardless of activity.",
"title" : "Max Session Expiration Time"
}
}
}
| Code | Description |
|---|---|
| | It happens when the provided query filter does not specify the realm. |
| | An unexpected server error happened during processing. |
/sessions/{userToken}
1.2
Represents Sessions that can be queried via a REST interface.
Action: deleteProperty
It deletes a set of session properties.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Boolean response either true or false",
"type" : "object",
"title" : "Boolean response",
"properties" : {
"success" : {
"type" : "boolean",
"title" : "Success",
"description" : "True if operation succeeded otherwise false"
}
},
"required" : [ "success" ]
}
| Code | Description |
|---|---|
| | It happens when the header "Content-Type"="application/json" is missing in the request, or the request body is missing or incorrect. |
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: getIdle
Using the token id specified by the invoker, it finds the token and, if valid, returns the idle time in seconds, or -1 if the token is invalid.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Session idle time response",
"type" : "object",
"title" : "Session idle time response",
"properties" : {
"idletime" : {
"type" : "integer",
"title" : "Session idle time",
"description" : "The amount of time in seconds that a stateful session has been idle"
}
},
"required" : [ "idletime" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: getMaxIdle
It returns the number of seconds a session may be idle.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Maximum session idle time",
"type" : "object",
"title" : "Maximum session idle time",
"properties" : {
"maxidletime" : {
"type" : "integer",
"title" : "Maximum session idle time",
"description" : "Maximum session idle time in minutes"
}
},
"required" : [ "maxidletime" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: getMaxSessionTime
It returns the maximum possible length of a session in minutes.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Maximum length of session response",
"type" : "object",
"title" : "Maximum length of session response",
"properties" : {
"maxsessiontime" : {
"type" : "integer",
"title" : "Maximum length of session",
"description" : "Maximum possible length of session in minutes"
}
},
"required" : [ "maxsessiontime" ]
}
| Code | Description |
|---|---|
| | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: getMaxTime
Using the token id specified by the invoker, finds the token and, if it is valid, returns its remaining life in seconds as a JSON value, or -1 if the token is invalid.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user session token id | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Remaining session time response",
"type" : "object",
"title" : "Remaining session time response",
"properties" : {
"maxtime" : {
"type" : "integer",
"title" : "Remaining session time",
"description" : "Remaining session time in seconds"
}
},
"required" : [ "maxtime" ]
}
| Code | Description |
|---|---|
|  | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: getProperty
If a field is requested, returns only that field. If no field is specified, returns the key/value of all whitelisted fields.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|  |  | The user session token id | ✓ |  |  |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
This operation returns a response resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Property",
"description" : "Property"
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names and values",
"type" : "object",
"title" : "List of properties"
}
| Code | Description |
|---|---|
|  | It happens when the header "Content-Type"="application/json" is missing in the request. |
|  | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: getPropertyNames
Returns the names of all whitelisted session properties.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|  |  | The user session token id | ✓ |  |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names",
"type" : "object",
"title" : "List of properties",
"properties" : {
"properties" : {
"type" : "array",
"items" : {
"type" : "string",
"title" : "Property name",
"description" : "Property name"
}
}
},
"required" : [ "properties" ]
}
| Code | Description |
|---|---|
|  | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: getTimeLeft
Using the token id specified by the invoker, finds the token and, if it is valid, returns its remaining life in seconds. Returns a JSON representation of the number of seconds of remaining life, or -1 if the token is invalid.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|  |  | The user session token id | ✓ |  |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Remaining session time response",
"type" : "object",
"title" : "Remaining session time response",
"properties" : {
"maxtime" : {
"type" : "integer",
"title" : "Remaining session time",
"description" : "Remaining session time in seconds"
}
},
"required" : [ "maxtime" ]
}
| Code | Description |
|---|---|
|  | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: isActive
Determines whether the token id passed as an argument to the REST call is valid, and optionally refreshes it. This differs from validateSession in that it, rather inconveniently, requires you to be logged in as admin before it can be invoked. Returns a JSON 'true' or 'false' depending on whether the token is valid.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|  |  | The user session token id | ✓ |  |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Is session active response",
"type" : "object",
"title" : "Is session active response",
"properties" : {
"active" : {
"type" : "boolean",
"title" : "Active",
"description" : "True if the session is active, false otherwise"
}
},
"required" : [ "active" ]
}
| Code | Description |
|---|---|
|  | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: logout
Logs the session out of OpenAM.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|  |  | The user session token id | ✓ |  |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Logout response",
"type" : "object",
"title" : "Logout response",
"properties" : {
"result" : {
"type" : "string",
"title" : "Result",
"description" : "Logout result"
}
},
"required" : [ "result" ]
}
| Code | Description |
|---|---|
|  | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
Action: setProperty
Sets the given set of session properties.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|  |  | The user session token id | ✓ |  |  |
This operation takes a request resource that conforms to the following schema:
{
"patternProperties" : {
".+" : {
"type" : "string",
"title" : "Property",
"description" : "Property"
}
},
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "List of session properties names and values",
"type" : "object",
"title" : "List of properties"
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Boolean response either true or false",
"type" : "object",
"title" : "Boolean response",
"properties" : {
"success" : {
"type" : "boolean",
"title" : "Success",
"description" : "True if operation succeeded otherwise false"
}
},
"required" : [ "success" ]
}
| Code | Description |
|---|---|
|  | It happens when the header "Content-Type"="application/json" is missing in the request. |
|  | It happens when the SSO header is missing in the request, the user token is not valid, or the user is not the admin. |
|  | It happens when the type of a property to be set is not string. |
Action: validate
Checks whether the specified SSO token id is valid. If any problem getting or validating the token causes an exception, the JSON response will be false. If the token is expired, the JSON response will also be false. Otherwise it will be true.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|  |  | The user session token id | ✓ |  |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Validate session response",
"type" : "object",
"title" : "Validate session response",
"properties" : {
"valid" : {
"type" : "boolean",
"title" : "Valid",
"description" : "True if the session is valid, false otherwise"
},
"uid" : {
"type" : "string",
"title" : "User",
"description" : "User id"
},
"realm" : {
"type" : "string",
"title" : "Realm",
"description" : "Realm"
}
},
"required" : [ "valid", "uid", "realm" ]
}
/subjectattributes
1.0
Service for querying subject attributes stored in OpenAM. When you define a policy subject condition, the condition can depend on values of subject attributes stored in a user’s profile. The list of possible subject attributes that you can use depends on the LDAP User Attributes configured for the Identity data store where OpenAM looks up the user’s profile.
Query by Filter
Query the list of subject attributes stored in OpenAM
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Subject attributes schema containing an array of subject attribute items",
"title" : "Subject attributes schema",
"type" : "string"
}
| Code | Description |
|---|---|
|  | Bad request error. Unknown Subject |
|  | Internal server error. Unable to query available subject attribute names. |
/subjecttypes
1.0
Service for querying and reading the subject types stored in OpenAM. Subject condition types describe the JSON representation of subject conditions that you can use in policy definitions.
Query by Filter
Query the list of subject condition types
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Subject types schema",
"title" : "Subject types schema",
"type" : "object",
"properties" : {
"title" : {
"title" : "Title",
"description" : "The title and also the unique identifier of the subject condition type",
"type" : "string"
},
"logical" : {
"title" : "Logical",
"description" : "Indicates whether the type is a logical operator or takes a predicate, and a configuration specification",
"type" : "boolean"
},
"config" : {
"title" : "Configuration",
"description" : "The configuration specification that describes the subject condition type's Json schema",
"type" : "object"
}
}
}
/subjecttypes/{resourceId}
1.0
Service for querying and reading the subject types stored in OpenAM. Subject condition types describe the JSON representation of subject conditions that you can use in policy definitions.
Read
Read an individual subject condition type by providing the unique identifier title
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|  |  | The unique identifier title of the subject condition type | ✓ |  |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Subject types schema",
"title" : "Subject types schema",
"type" : "object",
"properties" : {
"title" : {
"title" : "Title",
"description" : "The title and also the unique identifier of the subject condition type",
"type" : "string"
},
"logical" : {
"title" : "Logical",
"description" : "Indicates whether the type is a logical operator or takes a predicate, and a configuration specification",
"type" : "boolean"
},
"config" : {
"title" : "Configuration",
"description" : "The configuration specification that describes the subject condition type's Json schema",
"type" : "object"
}
}
}
| Code | Description |
|---|---|
|  | Not found error. Requested subject short name not found |
/users/{user}/devices/2fa/oath
1.0
The OATH devices service is responsible for exposing functions to change the collection of OATH authentication devices. The supported methods are action, delete, query.
Action: check
Checks if the user’s Authenticator OATH module is 'skippable' and returns the result as a boolean
| Stability | MVCC |
|---|---|
| STABLE | ✓ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "OATH user device check action request schema",
"type" : "object",
"title" : "OATH user device check action request schema"
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "OATH user device check action response schema",
"type" : "object",
"title" : "OATH user device check action response schema",
"properties" : {
"result" : {
"type" : "boolean",
"title" : "Check OATH user device action response",
"description" : "True if the user's authenticator OATH module is 'skippable'"
}
},
"required" : [ "result" ]
}
| Code | Description |
|---|---|
|  | Unexpected server error happened during the process |
Action: reset
Sets the user’s 'skippable' selection of the Authenticator OATH module to the default (NOT_SET) and deletes their profile’s attribute
| Stability | MVCC |
|---|---|
| STABLE | ✓ |
This operation takes a request resource that conforms to the following schema:
{
"description" : "OATH user device reset action request schema",
"type" : "object",
"title" : "OATH user device reset action request schema"
}
This operation returns a response resource that conforms to the following schema:
{
"description" : "OATH user device reset action response schema",
"type" : "object",
"title" : "OATH user device reset action response schema",
"properties" : {
"result" : {
"constant" : true,
"title" : "Reset OATH device action response",
"description" : "Constant true if the reset action was successful or error thrown",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
|  | Unexpected server error happened during the process |
Action: skip
Sets the user’s ability to skip an Authenticator OATH module
| Stability | MVCC |
|---|---|
| STABLE | ✓ |
This operation takes a request resource that conforms to the following schema:
{
"description" : "OATH user device skip action request schema",
"type" : "object",
"title" : "OATH user device skip action request schema",
"properties" : {
"value" : {
"type" : "boolean",
"title" : "Skip OATH module response value",
"description" : "True if the OATH device is set to skipped"
}
},
"required" : [ "value" ]
}
This operation returns a response resource that conforms to the following schema:
{
"description" : "OATH user device skip action response schema",
"additionalProperties" : {
"type" : "object"
},
"type" : "object",
"title" : "OATH user device skip action response schema"
}
| Code | Description |
|---|---|
|  | Unexpected server error happened during the process |
Query by Filter
Query the user’s device profile
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ✓ |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "User devices schema that is used for push authentication devices, trusted user devices and OATH user devices",
"type" : "object",
"title" : "User devices schema",
"properties" : {
"lastSelectedDate" : {
"type" : "string",
"title" : "Last selected date",
"description" : "Date when the device was selected last time"
},
"devicePrint" : {
"type" : "object",
"properties" : {
"screen" : {
"type" : "object",
"title" : "Device screen properties",
"description" : "Device screen properties",
"properties" : {
"screenWidth" : {
"type" : "integer",
"title" : "Screen width",
"description" : "Device screen width"
},
"screenHeight" : {
"type" : "integer",
"title" : "Screen height",
"description" : "Device screen height"
},
"screenColourDepth" : {
"type" : "integer",
"title" : "Screen colour depth",
"description" : "Device screen colour depth"
}
}
},
"timezone" : {
"type" : "object",
"properties" : {
"timezone" : {
"type" : "integer",
"title" : "Timezone",
"description" : "Timezone used by the device"
}
}
},
"plugins" : {
"type" : "object",
"properties" : {
"installedPlugins" : {
"type" : "string",
"title" : "Installed plugins",
"description" : "Installed plugins on the device"
}
}
},
"fonts" : {
"type" : "object",
"properties" : {
"installedFonts" : {
"type" : "string",
"title" : "Installed fonts",
"description" : "Installed fonts on the device"
}
}
},
"userAgent" : {
"type" : "string",
"title" : "User agent",
"description" : "User Agent"
},
"appName" : {
"type" : "string",
"title" : "Application name",
"description" : "Application name"
},
"appCodeName" : {
"type" : "string",
"title" : "Application code name",
"description" : "Application code name"
},
"appVersion" : {
"type" : "string",
"title" : "Application version",
"description" : "Application version"
},
"buildID" : {
"type" : "string",
"title" : "Build ID",
"description" : "Application build ID"
},
"platform" : {
"type" : "string",
"title" : "Platform",
"description" : "Device platform"
},
"oscpu" : {
"type" : "string",
"title" : "OSCPU",
"description" : "String that identifies the current operating system"
},
"product" : {
"type" : "string",
"title" : "Product",
"description" : "Product"
},
"productSub" : {
"type" : "string",
"title" : "Product sub",
"description" : "Product sub"
},
"language" : {
"type" : "string",
"title" : "Language",
"description" : "Device default language"
},
"geolocation" : {
"type" : "object",
"title" : "Geolocation",
"description" : "Device physical location",
"properties" : {
"longitude" : {
"type" : "number",
"title" : "Longitude",
"description" : "Longitude"
},
"latitude" : {
"type" : "number",
"title" : "Latitude",
"description" : "Latitude"
}
}
}
}
},
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Device name"
},
"selectionCounter" : {
"type" : "integer",
"title" : "Selection counter",
"description" : "Selection counter"
},
"uuid" : {
"type" : "string",
"title" : "Device id",
"description" : "Device unique identifier"
}
}
}
| Code | Description |
|---|---|
|  | Unexpected server error happened during the process |
/users/{user}/devices/2fa/oath/{uuid}
1.0
The OATH devices service is responsible for exposing functions to change the collection of OATH authentication devices. The supported methods are action, delete, query.
Delete
Delete OATH user device
| Stability | MVCC |
|---|---|
| STABLE | ✓ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|  |  | The identifier of the user the request concerns. | ✓ |  |  |
|  |  | The unique identifier of the OATH authentication user device | ✓ |  |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "User devices schema that is used for push authentication devices, trusted user devices and OATH user devices",
"type" : "object",
"title" : "User devices schema",
"properties" : {
"lastSelectedDate" : {
"type" : "string",
"title" : "Last selected date",
"description" : "Date when the device was selected last time"
},
"devicePrint" : {
"type" : "object",
"properties" : {
"screen" : {
"type" : "object",
"title" : "Device screen properties",
"description" : "Device screen properties",
"properties" : {
"screenWidth" : {
"type" : "integer",
"title" : "Screen width",
"description" : "Device screen width"
},
"screenHeight" : {
"type" : "integer",
"title" : "Screen height",
"description" : "Device screen height"
},
"screenColourDepth" : {
"type" : "integer",
"title" : "Screen colour depth",
"description" : "Device screen colour depth"
}
}
},
"timezone" : {
"type" : "object",
"properties" : {
"timezone" : {
"type" : "integer",
"title" : "Timezone",
"description" : "Timezone used by the device"
}
}
},
"plugins" : {
"type" : "object",
"properties" : {
"installedPlugins" : {
"type" : "string",
"title" : "Installed plugins",
"description" : "Installed plugins on the device"
}
}
},
"fonts" : {
"type" : "object",
"properties" : {
"installedFonts" : {
"type" : "string",
"title" : "Installed fonts",
"description" : "Installed fonts on the device"
}
}
},
"userAgent" : {
"type" : "string",
"title" : "User agent",
"description" : "User Agent"
},
"appName" : {
"type" : "string",
"title" : "Application name",
"description" : "Application name"
},
"appCodeName" : {
"type" : "string",
"title" : "Application code name",
"description" : "Application code name"
},
"appVersion" : {
"type" : "string",
"title" : "Application version",
"description" : "Application version"
},
"buildID" : {
"type" : "string",
"title" : "Build ID",
"description" : "Application build ID"
},
"platform" : {
"type" : "string",
"title" : "Platform",
"description" : "Device platform"
},
"oscpu" : {
"type" : "string",
"title" : "OSCPU",
"description" : "String that identifies the current operating system"
},
"product" : {
"type" : "string",
"title" : "Product",
"description" : "Product"
},
"productSub" : {
"type" : "string",
"title" : "Product sub",
"description" : "Product sub"
},
"language" : {
"type" : "string",
"title" : "Language",
"description" : "Device default language"
},
"geolocation" : {
"type" : "object",
"title" : "Geolocation",
"description" : "Device physical location",
"properties" : {
"longitude" : {
"type" : "number",
"title" : "Longitude",
"description" : "Longitude"
},
"latitude" : {
"type" : "number",
"title" : "Latitude",
"description" : "Latitude"
}
}
}
}
},
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Device name"
},
"selectionCounter" : {
"type" : "integer",
"title" : "Selection counter",
"description" : "Selection counter"
},
"uuid" : {
"type" : "string",
"title" : "Device id",
"description" : "Device unique identifier"
}
}
}
| Code | Description |
|---|---|
|  | Unexpected server error happened during the process |
/users/{user}/devices/2fa/push
1.0
The Push devices service is responsible for exposing functions to change the collection of Push authentication devices. The supported methods are action, delete, query.
Action: check
Checks if the user’s Authenticator Push module is 'skippable' and returns the result as a boolean
| Stability | MVCC |
|---|---|
| STABLE | ✓ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Push user device check action request schema",
"type" : "object",
"title" : "Push user device check action request schema"
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Push user device check action response schema",
"type" : "object",
"title" : "Push user device check action response schema",
"properties" : {
"result" : {
"type" : "boolean",
"title" : "Check push user device action response",
"description" : "True if the user's authenticator push module is 'skippable'"
}
},
"required" : [ "result" ]
}
| Code | Description |
|---|---|
|  | Unexpected server error happened during the process |
Action: reset
Sets the user’s 'skippable' selection of the Authenticator Push module to the default (NOT_SET) and deletes their profile’s attribute
| Stability | MVCC |
|---|---|
| STABLE | ✓ |
This operation takes a request resource that conforms to the following schema:
{
"description" : "Push user device reset action request schema",
"type" : "object",
"title" : "Push user device reset action request schema"
}
This operation returns a response resource that conforms to the following schema:
{
"description" : "Push user device reset action response schema",
"type" : "object",
"title" : "Push user device reset action response schema",
"properties" : {
"result" : {
"constant" : true,
"title" : "Reset push device action response",
"description" : "Constant true if the reset action was successful or error thrown",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
|  | Unexpected server error happened during the process |
Action: skip
Sets the user’s ability to skip an Authenticator Push module
| Stability | MVCC |
|---|---|
| STABLE | ✓ |
This operation takes a request resource that conforms to the following schema:
{
"description" : "Push user device skip action request schema",
"type" : "object",
"title" : "Push user device skip action request schema",
"properties" : {
"value" : {
"type" : "boolean",
"title" : "Skip push module response value",
"description" : "True if the push device is set to skipped"
}
},
"required" : [ "value" ]
}
This operation returns a response resource that conforms to the following schema:
{
"description" : "Push user device skip action response schema",
"additionalProperties" : {
"type" : "object"
},
"type" : "object",
"title" : "Push user device skip action response schema"
}
| Code | Description |
|---|---|
|  | Unexpected server error happened during the process |
Query by Filter
Query the user’s device profile
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ✓ |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "User devices schema that is used for push authentication devices, trusted user devices and oath user devices",
"type" : "object",
"title" : "User devices schema",
"properties" : {
"lastSelectedDate" : {
"type" : "string",
"title" : "Last selected date",
"description" : "Date when the device was selected last time"
},
"devicePrint" : {
"type" : "object",
"properties" : {
"screen" : {
"type" : "object",
"title" : "Device screen properties",
"description" : "Device screen properties",
"properties" : {
"screenWidth" : {
"type" : "integer",
"title" : "Screen width",
"description" : "Device screen width"
},
"screenHeight" : {
"type" : "integer",
"title" : "Screen height",
"description" : "Device screen height"
},
"screenColourDepth" : {
"type" : "integer",
"title" : "Screen colour depth",
"description" : "Device screen colour depth"
}
}
},
"timezone" : {
"type" : "object",
"properties" : {
"timezone" : {
"type" : "integer",
"title" : "Timezone",
"description" : "Timezone used by the device"
}
}
},
"plugins" : {
"type" : "object",
"properties" : {
"installedPlugins" : {
"type" : "string",
"title" : "Installed plugins",
"description" : "Installed plugins on the device"
}
}
},
"fonts" : {
"type" : "object",
"properties" : {
"installedFonts" : {
"type" : "string",
"title" : "Installed fonts",
"description" : "Installed fonts on the device"
}
}
},
"userAgent" : {
"type" : "string",
"title" : "User agent",
"description" : "User Agent"
},
"appName" : {
"type" : "string",
"title" : "Application name",
"description" : "Application name"
},
"appCodeName" : {
"type" : "string",
"title" : "Application code name",
"description" : "Application code name"
},
"appVersion" : {
"type" : "string",
"title" : "Application version",
"description" : "Application version"
},
"buildID" : {
"type" : "string",
"title" : "Build ID",
"description" : "Application build ID"
},
"platform" : {
"type" : "string",
"title" : "Platform",
"description" : "Device platform"
},
"oscpu" : {
"type" : "string",
"title" : "OSCPU",
"description" : "String that identifies the current operating system"
},
"product" : {
"type" : "string",
"title" : "Product",
"description" : "Product"
},
"productSub" : {
"type" : "string",
"title" : "Product sub",
"description" : "Product sub"
},
"language" : {
"type" : "string",
"title" : "Language",
"description" : "Device default language"
},
"geolocation" : {
"type" : "object",
"title" : "Geolocation",
"description" : "Device physical location",
"properties" : {
"longitude" : {
"type" : "number",
"title" : "Longitude",
"description" : "Longitude"
},
"latitude" : {
"type" : "number",
"title" : "Latitude",
"description" : "Latitude"
}
}
}
}
},
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Device name"
},
"selectionCounter" : {
"type" : "integer",
"title" : "Selection counter",
"description" : "Selection counter"
},
"uuid" : {
"type" : "string",
"title" : "Device id",
"description" : "Device unique identifier"
}
}
}
| Code | Description |
|---|---|
|  | Unexpected server error happened during the process |
/users/{user}/devices/2fa/push/{uuid}
1.0
The Push devices service is responsible for exposing functions to change the collection of Push authentication devices. The supported methods are action, delete, query.
Delete
Delete Push user device
| Stability | MVCC |
|---|---|
| STABLE | ✓ |

| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
|  |  | The identifier of the user the request concerns. | ✓ |  |  |
|  |  | The unique identifier of the Push authentication user device | ✓ |  |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "User devices schema that is used for push authentication devices, trusted user devices and oath user devices",
"type" : "object",
"title" : "User devices schema",
"properties" : {
"lastSelectedDate" : {
"type" : "string",
"title" : "Last selected date",
"description" : "Date when the device was selected last time"
},
"devicePrint" : {
"type" : "object",
"properties" : {
"screen" : {
"type" : "object",
"title" : "Device screen properties",
"description" : "Device screen properties",
"properties" : {
"screenWidth" : {
"type" : "integer",
"title" : "Screen width",
"description" : "Device screen width"
},
"screenHeight" : {
"type" : "integer",
"title" : "Screen height",
"description" : "Device screen height"
},
"screenColourDepth" : {
"type" : "integer",
"title" : "Screen colour depth",
"description" : "Device screen colour depth"
}
}
},
"timezone" : {
"type" : "object",
"properties" : {
"timezone" : {
"type" : "integer",
"title" : "Timezone",
"description" : "Timezone used by the device"
}
}
},
"plugins" : {
"type" : "object",
"properties" : {
"installedPlugins" : {
"type" : "string",
"title" : "Installed plugins",
"description" : "Installed plugins on the device"
}
}
},
"fonts" : {
"type" : "object",
"properties" : {
"installedFonts" : {
"type" : "string",
"title" : "Installed fonts",
"description" : "Installed fonts on the device"
}
}
},
"userAgent" : {
"type" : "string",
"title" : "User agent",
"description" : "User Agent"
},
"appName" : {
"type" : "string",
"title" : "Application name",
"description" : "Application name"
},
"appCodeName" : {
"type" : "string",
"title" : "Application code name",
"description" : "Application code name"
},
"appVersion" : {
"type" : "string",
"title" : "Application version",
"description" : "Application version"
},
"buildID" : {
"type" : "string",
"title" : "Build ID",
"description" : "Application build ID"
},
"platform" : {
"type" : "string",
"title" : "Platform",
"description" : "Device platform"
},
"oscpu" : {
"type" : "string",
"title" : "OSCPU",
"description" : "String that identifies the current operating system"
},
"product" : {
"type" : "string",
"title" : "Product",
"description" : "Product"
},
"productSub" : {
"type" : "string",
"title" : "Product sub",
"description" : "Product sub"
},
"language" : {
"type" : "string",
"title" : "Language",
"description" : "Device default language"
},
"geolocation" : {
"type" : "object",
"title" : "Geolocation",
"description" : "Device physical location",
"properties" : {
"longitude" : {
"type" : "number",
"title" : "Longitude",
"description" : "Longitude"
},
"latitude" : {
"type" : "number",
"title" : "Latitude",
"description" : "Latitude"
}
}
}
}
},
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Device name"
},
"selectionCounter" : {
"type" : "integer",
"title" : "Selection counter",
"description" : "Selection counter"
},
"uuid" : {
"type" : "string",
"title" : "Device id",
"description" : "Device unique identifier"
}
}
}
| Code | Description |
|---|---|
|  | Unexpected server error happened during the process |
/users/{user}/devices/trusted
1.0
Trusted devices service is responsible for querying and deleting trusted devices.
Query by Filter
Query trusted user devices
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ✓ |  |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "User devices schema that is used for push authentication devices, trusted user devices and OATH user devices",
"type" : "object",
"title" : "User devices schema",
"properties" : {
"lastSelectedDate" : {
"type" : "string",
"title" : "Last selected date",
"description" : "Date when the device was selected last time"
},
"devicePrint" : {
"type" : "object",
"properties" : {
"screen" : {
"type" : "object",
"title" : "Device screen properties",
"description" : "Device screen properties",
"properties" : {
"screenWidth" : {
"type" : "integer",
"title" : "Screen width",
"description" : "Device screen width"
},
"screenHeight" : {
"type" : "integer",
"title" : "Screen height",
"description" : "Device screen height"
},
"screenColourDepth" : {
"type" : "integer",
"title" : "Screen colour depth",
"description" : "Device screen colour depth"
}
}
},
"timezone" : {
"type" : "object",
"properties" : {
"timezone" : {
"type" : "integer",
"title" : "Timezone",
"description" : "Timezone used by the device"
}
}
},
"plugins" : {
"type" : "object",
"properties" : {
"installedPlugins" : {
"type" : "string",
"title" : "Installed plugins",
"description" : "Installed plugins on the device"
}
}
},
"fonts" : {
"type" : "object",
"properties" : {
"installedFonts" : {
"type" : "string",
"title" : "Installed fonts",
"description" : "Installed fonts on the device"
}
}
},
"userAgent" : {
"type" : "string",
"title" : "User agent",
"description" : "User Agent"
},
"appName" : {
"type" : "string",
"title" : "Application name",
"description" : "Application name"
},
"appCodeName" : {
"type" : "string",
"title" : "Application code name",
"description" : "Application code name"
},
"appVersion" : {
"type" : "string",
"title" : "Application version",
"description" : "Application version"
},
"buildID" : {
"type" : "string",
"title" : "Build ID",
"description" : "Application build ID"
},
"platform" : {
"type" : "string",
"title" : "Platform",
"description" : "Device platform"
},
"oscpu" : {
"type" : "string",
"title" : "OSCPU",
"description" : "String that identifies the current operating system"
},
"product" : {
"type" : "string",
"title" : "Product",
"description" : "Product"
},
"productSub" : {
"type" : "string",
"title" : "Product sub",
"description" : "Product sub"
},
"language" : {
"type" : "string",
"title" : "Language",
"description" : "Device default language"
},
"geolocation" : {
"type" : "object",
"title" : "Geolocation",
"description" : "Device physical location",
"properties" : {
"longitude" : {
"type" : "number",
"title" : "Longitude",
"description" : "Longitude"
},
"latitude" : {
"type" : "number",
"title" : "Latitude",
"description" : "Latitude"
}
}
}
}
},
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Device name"
},
"selectionCounter" : {
"type" : "integer",
"title" : "Selection counter",
"description" : "Selection counter"
},
"uuid" : {
"type" : "string",
"title" : "Device id",
"description" : "Device unique identifier"
}
}
}
| Code | Description |
|---|---|
| | Unexpected server error happened during the process |
/users/{user}/devices/trusted/{uuid}
1.0
Trusted devices service is responsible for querying and deleting trusted devices.
Delete
Delete trusted user device
| Stability | MVCC |
|---|---|
| STABLE | ✓ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The identifier for the user for which the request is regarding. | ✓ | | |
| | | The id of the user device | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "User devices schema that is used for push authentication devices, trusted user devices and OATH user devices",
"type" : "object",
"title" : "User devices schema",
"properties" : {
"lastSelectedDate" : {
"type" : "string",
"title" : "Last selected date",
"description" : "Date when the device was selected last time"
},
"devicePrint" : {
"type" : "object",
"properties" : {
"screen" : {
"type" : "object",
"title" : "Device screen properties",
"description" : "Device screen properties",
"properties" : {
"screenWidth" : {
"type" : "integer",
"title" : "Screen width",
"description" : "Device screen width"
},
"screenHeight" : {
"type" : "integer",
"title" : "Screen height",
"description" : "Device screen height"
},
"screenColourDepth" : {
"type" : "integer",
"title" : "Screen colour depth",
"description" : "Device screen colour depth"
}
}
},
"timezone" : {
"type" : "object",
"properties" : {
"timezone" : {
"type" : "integer",
"title" : "Timezone",
"description" : "Timezone used by the device"
}
}
},
"plugins" : {
"type" : "object",
"properties" : {
"installedPlugins" : {
"type" : "string",
"title" : "Installed plugins",
"description" : "Installed plugins on the device"
}
}
},
"fonts" : {
"type" : "object",
"properties" : {
"installedFonts" : {
"type" : "string",
"title" : "Installed fonts",
"description" : "Installed fonts on the device"
}
}
},
"userAgent" : {
"type" : "string",
"title" : "User agent",
"description" : "User Agent"
},
"appName" : {
"type" : "string",
"title" : "Application name",
"description" : "Application name"
},
"appCodeName" : {
"type" : "string",
"title" : "Application code name",
"description" : "Application code name"
},
"appVersion" : {
"type" : "string",
"title" : "Application version",
"description" : "Application version"
},
"buildID" : {
"type" : "string",
"title" : "Build ID",
"description" : "Application build ID"
},
"platform" : {
"type" : "string",
"title" : "Platform",
"description" : "Device platform"
},
"oscpu" : {
"type" : "string",
"title" : "OSCPU",
"description" : "String that identifies the current operating system"
},
"product" : {
"type" : "string",
"title" : "Product",
"description" : "Product"
},
"productSub" : {
"type" : "string",
"title" : "Product sub",
"description" : "Product sub"
},
"language" : {
"type" : "string",
"title" : "Language",
"description" : "Device default language"
},
"geolocation" : {
"type" : "object",
"title" : "Geolocation",
"description" : "Device physical location",
"properties" : {
"longitude" : {
"type" : "number",
"title" : "Longitude",
"description" : "Longitude"
},
"latitude" : {
"type" : "number",
"title" : "Latitude",
"description" : "Latitude"
}
}
}
}
},
"name" : {
"type" : "string",
"title" : "Name",
"description" : "Device name"
},
"selectionCounter" : {
"type" : "integer",
"title" : "Selection counter",
"description" : "Selection counter"
},
"uuid" : {
"type" : "string",
"title" : "Device id",
"description" : "Device unique identifier"
}
}
}
| Code | Description |
|---|---|
| | Unexpected server error happened during the process |
/users/{user}/groups
1.0
The User Groups resource allows an admin to query which groups a particular user belongs to. The only supported method is query.
Action: updateMemberships
| Stability | MVCC |
|---|---|
| STABLE | ✓ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"title" : "User groups schema",
"type" : "object",
"properties" : {
"groups" : {
"type" : "array",
"title" : "Name",
"description" : "The name of the group",
"items" : {
"type" : "string"
}
}
}
}
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"title" : "User groups schema",
"type" : "object",
"properties" : {
"groups" : {
"type" : "array",
"title" : "Name",
"description" : "The name of the group",
"items" : {
"type" : "string"
}
}
}
}
Query by Filter
Query the user’s groups
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ✓ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"title" : "User groups schema",
"type" : "object",
"properties" : {
"groups" : {
"type" : "array",
"title" : "Name",
"description" : "The name of the group",
"items" : {
"type" : "string"
}
}
}
}
| Code | Description |
|---|---|
| | Unexpected server error happened during the query |
/users/{user}/oauth2/applications
1.0
This endpoint exposes a list of all the applications (clients) that the user authorized using OAuth 2.0. Access for those applications can then be revoked on a per-client basis.
Query by Filter
Get a list of the applications that have been granted OAuth 2.0 access. Only _queryFilter=true is supported.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Client ID",
"description" : "The OAuth 2.0 client ID for the application."
},
"name" : {
"type" : "string",
"title" : "Display Name",
"description" : "The human-readable display name for the OAuth 2.0 client"
},
"expiryDateTime" : {
"type" : "string",
"title" : "Expiry Time",
"description" : "When the tokens will currently expire (may be null)."
},
"scopes" : {
"type" : "object",
"title" : "Scopes",
"description" : "The total set of scopes granted to the application.",
"patternProperties" : {
".*" : {
"type" : "string",
"title" : "Scope Descriptions",
"description" : "The human-readable descriptions for the scope values."
}
}
}
}
}
| Code | Description |
|---|---|
| | Returned if the list of applications cannot be produced due to an internal error. |
/users/{user}/oauth2/applications/{clientId}
1.0
This endpoint exposes a list of all the applications (clients) that the user authorized using OAuth 2.0. Access for those applications can then be revoked on a per-client basis.
Delete
Delete the tokens for the specified client ID.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The identifier for the user for which the request is regarding. | ✓ | | |
| | | The OAuth 2.0 client ID for the application. | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Client ID",
"description" : "The OAuth 2.0 client ID for the application."
},
"name" : {
"type" : "string",
"title" : "Display Name",
"description" : "The human-readable display name for the OAuth 2.0 client"
},
"expiryDateTime" : {
"type" : "string",
"title" : "Expiry Time",
"description" : "When the tokens will currently expire (may be null)."
},
"scopes" : {
"type" : "object",
"title" : "Scopes",
"description" : "The total set of scopes granted to the application.",
"patternProperties" : {
".*" : {
"type" : "string",
"title" : "Scope Descriptions",
"description" : "The human-readable descriptions for the scope values."
}
}
}
}
}
| Code | Description |
|---|---|
| | Returned if the list of applications cannot be produced due to an internal error. |
/users/{user}/oauth2/resources/labels
1.0
Provides create, delete and query operations for UMA resource set labels.
Create
Creates a UMA Resource Set Label
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ✓ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"description" : "Represents a UMA Resource Set Label",
"id" : "urn:jsonschema:org:forgerock:openam:oauth2:resources:labels:ResourceSetLabel",
"type" : "object",
"title" : "UMA Resource Set Label",
"properties" : {
"id" : {
"type" : "string",
"description" : "The unique identifier of the resource set label",
"title" : "Id"
},
"name" : {
"type" : "string",
"description" : "The displayed text of the label",
"title" : "Name"
},
"type" : {
"type" : "string",
"description" : "The type of the label e.g. 'System'",
"title" : "Type",
"enum" : [ "STAR", "USER", "SYSTEM" ]
},
"resourceSetIds" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
| Code | Description |
|---|---|
| | Occurs if the label already exists |
| | Occurs if OpenAM is unable to get a connection to the data layer |
Query by Filter
Queries the collection of UMA labels
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ✓ | |
This operation returns a response resource that conforms to the following schema:
{
"description" : "Represents a UMA Resource Set Label",
"id" : "urn:jsonschema:org:forgerock:openam:oauth2:resources:labels:ResourceSetLabel",
"type" : "object",
"title" : "UMA Resource Set Label",
"properties" : {
"id" : {
"type" : "string",
"description" : "The unique identifier of the resource set label",
"title" : "Id"
},
"name" : {
"type" : "string",
"description" : "The displayed text of the label",
"title" : "Name"
},
"type" : {
"type" : "string",
"description" : "The type of the label e.g. 'System'",
"title" : "Type",
"enum" : [ "STAR", "USER", "SYSTEM" ]
},
"resourceSetIds" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
/users/{user}/oauth2/resources/labels/{umaLabelId}
1.0
Provides create, delete and query operations for UMA resource set labels.
Create
Creates a UMA Resource Set Label
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ✓ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The identifier for the user for which the UMA Resource Set is regarding. | ✓ | | |
| | | The unique identifier of the UMA Resource Set | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"description" : "Represents a UMA Resource Set Label",
"id" : "urn:jsonschema:org:forgerock:openam:oauth2:resources:labels:ResourceSetLabel",
"type" : "object",
"title" : "UMA Resource Set Label",
"properties" : {
"id" : {
"type" : "string",
"description" : "The unique identifier of the resource set label",
"title" : "Id"
},
"name" : {
"type" : "string",
"description" : "The displayed text of the label",
"title" : "Name"
},
"type" : {
"type" : "string",
"description" : "The type of the label e.g. 'System'",
"title" : "Type",
"enum" : [ "STAR", "USER", "SYSTEM" ]
},
"resourceSetIds" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
| Code | Description |
|---|---|
| | Occurs if the label already exists |
| | Occurs if OpenAM is unable to get a connection to the data layer |
Delete
Deletes a UMA Resource Set Label
| Stability | MVCC |
|---|---|
| STABLE | ✓ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The identifier for the user for which the UMA Resource Set is regarding. | ✓ | | |
| | | The unique identifier of the UMA Resource Set | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"description" : "Represents a UMA Resource Set Label",
"id" : "urn:jsonschema:org:forgerock:openam:oauth2:resources:labels:ResourceSetLabel",
"type" : "object",
"title" : "UMA Resource Set Label",
"properties" : {
"id" : {
"type" : "string",
"description" : "The unique identifier of the resource set label",
"title" : "Id"
},
"name" : {
"type" : "string",
"description" : "The displayed text of the label",
"title" : "Name"
},
"type" : {
"type" : "string",
"description" : "The type of the label e.g. 'System'",
"title" : "Type",
"enum" : [ "STAR", "USER", "SYSTEM" ]
},
"resourceSetIds" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
| Code | Description |
|---|---|
| | Occurs if either no label exists with the specified ID, or the e-tag doesn’t match |
/users/{user}/oauth2/resources/sets
1.0
The Resource Set resource provider is responsible for managing Resource Sets belonging to a user. Available operations are update, query, read and the revoke-all action.
Query by Filter
Query the collection of the user’s Resource Sets.
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Describes the structure of the OpenAM representation of a user's OAuth Resource Set. For further information see [insert link to the RSR standard], and documentation about UMA in OpenAM.",
"type" : "object",
"title" : "Resource Set resource schema",
"properties" : {
"scopes" : {
"type" : "array",
"title" : "Scopes",
"description" : "List of Resource Set scopes.",
"items" : {
"type" : "string"
}
},
"_id" : {
"type" : "string",
"title" : "Resource set id",
"description" : "Unique identifier of the Resource Set."
},
"resourceServer" : {
"type" : "string",
"title" : "Resource server",
"description" : "The resource server name."
},
"labels" : {
"type" : "array",
"title" : "Resource labels",
"description" : "Labels of the resource.",
"items" : {
"type" : "string"
}
},
"name" : {
"type" : "string",
"title" : "Resource name",
"description" : "Name of the resource."
},
"icon_uri" : {
"type" : "string",
"title" : "Icon uri",
"description" : "Resource icon uri."
},
"resourceOwnerId" : {
"type" : "string",
"title" : "Resource owner",
"description" : "Name of the resource owner."
},
"type" : {
"type" : "string",
"title" : "Resource type",
"description" : "Type of the resource."
}
}
}
| Code | Description |
|---|---|
| | Invalid query. |
| | The required query with the given parameters is not supported. |
| | An internal error occurred. Causes may be one of: could not get connection; could not complete search; unexpected LDAP result type. |
/users/{user}/oauth2/resources/sets/{resourceSetId}
1.0
The Resource Set resource provider is responsible for managing Resource Sets belonging to a user. Available operations are update, query, read and the revoke-all action.
Read
Read Resource Set from the collection by id.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The identifier for the user for which the request is regarding. | ✓ | | |
| | | Unique identifier of the Resource Set. | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Describes the structure of the OpenAM representation of a user's OAuth Resource Set. For further information see [insert link to the RSR standard], and documentation about UMA in OpenAM.",
"type" : "object",
"title" : "Resource Set resource schema",
"properties" : {
"scopes" : {
"type" : "array",
"title" : "Scopes",
"description" : "List of Resource Set scopes.",
"items" : {
"type" : "string"
}
},
"_id" : {
"type" : "string",
"title" : "Resource set id",
"description" : "Unique identifier of the Resource Set."
},
"resourceServer" : {
"type" : "string",
"title" : "Resource server",
"description" : "The resource server name."
},
"labels" : {
"type" : "array",
"title" : "Resource labels",
"description" : "Labels of the resource.",
"items" : {
"type" : "string"
}
},
"name" : {
"type" : "string",
"title" : "Resource name",
"description" : "Name of the resource."
},
"icon_uri" : {
"type" : "string",
"title" : "Icon uri",
"description" : "Resource icon uri."
},
"resourceOwnerId" : {
"type" : "string",
"title" : "Resource owner",
"description" : "Name of the resource owner."
},
"type" : {
"type" : "string",
"title" : "Resource type",
"description" : "Type of the resource."
}
}
}
| Code | Description |
|---|---|
| | An internal error occurred. Causes may be one of: could not get connection; could not complete search; unexpected LDAP result type. |
Update
Update a Resource Set record.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The identifier for the user for which the request is regarding. | ✓ | | |
| | | Unique identifier of the Resource Set. | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Describes the structure of the OpenAM representation of a user's OAuth Resource Set. For further information see [insert link to the RSR standard], and documentation about UMA in OpenAM.",
"type" : "object",
"title" : "Resource Set resource schema",
"properties" : {
"scopes" : {
"type" : "array",
"title" : "Scopes",
"description" : "List of Resource Set scopes.",
"items" : {
"type" : "string"
}
},
"_id" : {
"type" : "string",
"title" : "Resource set id",
"description" : "Unique identifier of the Resource Set."
},
"resourceServer" : {
"type" : "string",
"title" : "Resource server",
"description" : "The resource server name."
},
"labels" : {
"type" : "array",
"title" : "Resource labels",
"description" : "Labels of the resource.",
"items" : {
"type" : "string"
}
},
"name" : {
"type" : "string",
"title" : "Resource name",
"description" : "Name of the resource."
},
"icon_uri" : {
"type" : "string",
"title" : "Icon uri",
"description" : "Resource icon uri."
},
"resourceOwnerId" : {
"type" : "string",
"title" : "Resource owner",
"description" : "Name of the resource owner."
},
"type" : {
"type" : "string",
"title" : "Resource type",
"description" : "Type of the resource."
}
}
}
| Code | Description |
|---|---|
| | Error validating the request context for the update. |
| | An internal error occurred. Causes may be one of: could not get connection; could not complete search; unexpected LDAP result type. |
/users/{user}/policies
1.0
The User Policy resource endpoint is responsible for managing a user’s policies. The available operations are create, read, update, delete and query. Policies are realm specific, hence the URI for the policies API can contain a realm component. If the realm is not specified in the URI, the top-level realm is used.
Create
Create new policy
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ⃠ |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: missing privilege name; invalid JSON provided in the request; invalid value found in JSON; invalid policy name provided in JSON; resource name and JSON body name do not match; query id missing UID; invalid query id; invalid search filter; empty privilege name; entitlement value was NULL; no resource type was expected; policy defines invalid resource type; the provided resourceId does not match the UUID in the JSON file. |
| | Permission denied to access or create policy |
Query by Filter
Query the stored policies
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| | Bad request error. The cause can be one of the following: missing privilege name; invalid JSON provided in the request; invalid value found in JSON; invalid policy name provided in JSON; resource name and JSON body name do not match; query id missing UID; invalid query id; invalid search filter; empty privilege name; entitlement value was NULL; no resource type was expected; policy defines invalid resource type; the provided resourceId does not match the UUID in the JSON file. |
/users/{user}/policies/{resourceId}
1.0
The User Policy resource endpoint is responsible for managing a user’s policies. The available operations are create, read, update, delete and query. Policies are realm specific, hence the URI for the policies API can contain a realm component. If the realm is not specified in the URI, the top-level realm is used.
Create
Create new policy
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| | | The user that owns the policies. | ✓ | | |
| | | The unique identifier of the policy | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String matching the name of the application",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Conditions",
"description" : "The child conditions combined by the enclosing \"AND\", \"OR\", or \"NOT\" type",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| 400 | Bad request error. The cause can be one of the following: missing privilege name; invalid JSON provided in the request; invalid value found in the JSON; invalid policy name provided in the JSON; resource name and JSON body name do not match; query ID missing UID; invalid query ID; invalid search filter; empty privilege name; entitlement value was null; no resource type was expected; policy defines an invalid resource type; the provided resourceId does not match the UUID in the JSON body. |
| 403 | Permission denied to access or create the policy. |
Read
Read policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user that owns the policies. | ✓ | path | |
| | string | The unique identifier of the policy | ✓ | path | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String naming the policy; on update it must match the policy identifier in the request path, otherwise the request fails with \"Resource name and JSON body name do not match\"",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the actions defined by the associated resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Each must conform to the pattern templates defined by the associated resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Conditions",
"description" : "The child conditions combined by the enclosing \"AND\", \"OR\", or \"NOT\" type",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| 400 | Bad request error. The cause can be one of the following: missing privilege name; invalid JSON provided in the request; invalid value found in the JSON; invalid policy name provided in the JSON; resource name and JSON body name do not match; query ID missing UID; invalid query ID; invalid search filter; empty privilege name; entitlement value was null; no resource type was expected; policy defines an invalid resource type; the provided resourceId does not match the UUID in the JSON body. |
Update
Update an existing policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user that owns the policies. | ✓ | path | |
| | string | The unique identifier of the policy | ✓ | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String naming the policy; on update it must match the policy identifier in the request path, otherwise the request fails with \"Resource name and JSON body name do not match\"",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the actions defined by the associated resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Each must conform to the pattern templates defined by the associated resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Conditions",
"description" : "The child conditions combined by the enclosing \"AND\", \"OR\", or \"NOT\" type",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| 400 | Bad request error. The cause can be one of the following: missing privilege name; invalid JSON provided in the request; invalid value found in the JSON; invalid policy name provided in the JSON; resource name and JSON body name do not match; query ID missing UID; invalid query ID; invalid search filter; empty privilege name; entitlement value was null; no resource type was expected; policy defines an invalid resource type; the provided resourceId does not match the UUID in the JSON body. |
| 404 | Not found error. The cause can be one of the following: the policy cannot be found; the required resource type cannot be found. |
Delete
Delete policy
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user that owns the policies. | ✓ | path | |
| | string | The unique identifier of the policy | ✓ | path | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Json schema for the policy resource",
"title" : "Policy Resource Schema",
"type" : "object",
"properties" : {
"name" : {
"title" : "Name",
"description" : "String naming the policy; on update it must match the policy identifier in the request path, otherwise the request fails with \"Resource name and JSON body name do not match\"",
"type" : "string"
},
"active" : {
"title" : "Active flag",
"description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
"type" : "boolean"
},
"description" : {
"title" : "Description",
"description" : "String describing the policy",
"type" : "string"
},
"applicationName" : {
"title" : "Application name",
"description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
"type" : "string"
},
"actionValues" : {
"title" : "Action values",
"description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the actions defined by the associated resource type",
"type" : "object",
"additionalProperties" : {
"type" : "boolean"
}
},
"resources" : {
"title" : "Resources",
"description" : "List of the resource name pattern strings to which the policy applies. Each must conform to the pattern templates defined by the associated resource type",
"type" : "array",
"items" : {
"type" : "string"
}
},
"subject" : {
"title" : "Subject",
"description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
"type" : "object"
},
"condition" : {
"title" : "Condition",
"description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
"type" : "object",
"properties" : {
"type" : {
"type" : "string"
},
"conditions" : {
"type" : "array",
"title" : "Conditions",
"description" : "The child conditions combined by the enclosing \"AND\", \"OR\", or \"NOT\" type",
"items" : {
"type" : "object"
}
}
}
},
"resourceTypeUuid" : {
"title" : "Resource Type UUID",
"description" : "The UUID of the resource type associated with the policy",
"type" : "string"
},
"resourceAttributes" : {
"title" : "Resource Attributes",
"description" : "List of attributes to return with decisions. These attributes are known as response attributes",
"type" : "array",
"items" : {
"type" : "object"
}
},
"lastModifiedBy" : {
"title" : "Last Modified By",
"description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
"type" : "string"
},
"lastModifiedDate" : {
"title" : "Last Modified date",
"description" : "An integer containing the last modified date and time, in number of seconds",
"type" : "string"
},
"createdBy" : {
"title" : "Created By",
"description" : "A string containing the universal identifier DN of the subject that created the policy",
"type" : "string"
},
"creationDate" : {
"title" : "Creation Date",
"description" : "An integer containing the creation date and time, in number of seconds",
"type" : "string"
}
}
}
| Code | Description |
|---|---|
| 400 | Bad request error. The cause can be one of the following: missing privilege name; invalid JSON provided in the request; invalid value found in the JSON; invalid policy name provided in the JSON; resource name and JSON body name do not match; query ID missing UID; invalid query ID; invalid search filter; empty privilege name; entitlement value was null; no resource type was expected; policy defines an invalid resource type; the provided resourceId does not match the UUID in the JSON body. |
| 403 | Permission denied to access or create the policy. |
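Added example, not OpenAM's own code: a client-side pre-flight check for a policy body before the Create or Update operations above send it. It reproduces the checks behind several of the 400 causes listed in the error tables (empty policy name, name/path mismatch, non-boolean action values, invalid resource type) and walks the AND/OR/NOT subject and condition trees described by the schema. Assumptions made here: the `/json` path prefix and the `iPlanetDirectoryPro` session cookie name are deployment defaults; the child key used by subject combiners (`subjects`) and by NOT (`condition`/`subject`) is assumed by analogy with the condition schema; the leaf subject and condition type names in the constructed sample are illustrative and the resource type UUID is made up.

```python
import json
import uuid

COMBINERS = {"AND", "OR", "NOT"}   # combiner types named in the policy schema


def _children(node):
    """Child nodes of a combiner. Assumption: AND/OR carry a list, NOT a single child."""
    for key in ("conditions", "subjects"):
        if key in node:
            return node[key] if isinstance(node[key], list) else None
    for key in ("condition", "subject"):
        if key in node:
            return [node[key]]
    return None


def check_logic_tree(node, path):
    """Return problems found in a subject or condition tree (empty list if it is well formed)."""
    if not isinstance(node, dict):
        return [f"{path}: expected an object"]
    node_type = node.get("type")
    if not isinstance(node_type, str) or not node_type:
        return [f"{path}: missing type"]
    if node_type not in COMBINERS:
        return []                      # leaf: pluggable implementation, accepted as-is
    children = _children(node)
    if not children:
        return [f"{path}: {node_type} needs at least one child"]
    if node_type == "NOT" and len(children) != 1:
        return [f"{path}: NOT takes exactly one child"]
    problems = []
    for i, child in enumerate(children):
        problems.extend(check_logic_tree(child, f"{path}[{i}]"))
    return problems


def validate_policy(body, policy_id, known_resource_types):
    """Return the reasons the server would reject this body (empty list if none)."""
    problems = []
    name = body.get("name")
    if not isinstance(name, str) or not name.strip():
        problems.append("Empty privilege name")
    elif name != policy_id:
        problems.append("Resource name and JSON body name do not match")
    if not isinstance(body.get("applicationName"), str) or not body["applicationName"]:
        problems.append("Missing application name")
    rt = body.get("resourceTypeUuid")
    try:   # must be a canonical UUID and one the realm actually defines
        valid_uuid = rt is not None and str(uuid.UUID(rt)) == rt.lower()
    except (ValueError, AttributeError, TypeError):
        valid_uuid = False
    if not valid_uuid or rt not in known_resource_types:
        problems.append("Policy defines invalid resource type")
    actions = body.get("actionValues")
    if not isinstance(actions, dict) or not actions or not all(
        isinstance(k, str) and isinstance(v, bool) for k, v in actions.items()
    ):
        problems.append("Invalid value found in json: actionValues must map names to booleans")
    resources = body.get("resources")
    if not isinstance(resources, list) or not resources or not all(
        isinstance(r, str) and r for r in resources
    ):
        problems.append("Invalid value found in json: resources must be a non-empty list")
    if "active" in body and not isinstance(body["active"], bool):
        problems.append("Invalid value found in json: active must be a boolean")
    for key in ("subject", "condition"):
        if key in body:
            problems.extend(check_logic_tree(body[key], key))
    return problems


def build_update_request(base_url, user, policy_id, body, sso_token):
    """Assemble the PUT for the policy resource; returns (method, url, headers, payload)."""
    headers = {
        "Content-Type": "application/json",
        "Accept-API-Version": "resource=1.0",   # API version shown on this page
        "iPlanetDirectoryPro": sso_token,       # assumed default SSO cookie name
    }
    url = f"{base_url}/json/users/{user}/policies/{policy_id}"   # assumed path layout
    return "PUT", url, headers, json.dumps(body, separators=(",", ":"))


# Constructed sample: allow GET on one URL pattern, with a nested AND/NOT condition tree.
RESOURCE_TYPE = "76c6ddea-8af3-4bda-9e2e-1ab0e8a8d2fb"   # made-up UUID for the example
SAMPLE_POLICY = {
    "name": "allow-get-profile",
    "active": True,
    "applicationName": "iPlanetAMWebAgentService",
    "resourceTypeUuid": RESOURCE_TYPE,
    "resources": ["https://app.example.com:443/profile/*"],
    "actionValues": {"GET": True, "POST": False},
    "subject": {"type": "AuthenticatedUsers"},
    "condition": {
        "type": "AND",
        "conditions": [
            {"type": "IPv4", "startIp": "10.0.0.1", "endIp": "10.0.255.254"},
            {"type": "NOT", "condition": {"type": "LEAuthLevel", "authLevel": 0}},
        ],
    },
}

if __name__ == "__main__":
    print(validate_policy(SAMPLE_POLICY, "allow-get-profile", {RESOURCE_TYPE}))
    print(validate_policy(dict(SAMPLE_POLICY, actionValues={"GET": "yes"}), "other", set()))
```

Run the checks with the set of resource type UUIDs read from the realm beforehand; a body that passes locally can still be rejected by the server for causes this check does not model (for example, a resource pattern that does not match the resource type's templates).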
/users/{user}/services
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ✓ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object"
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Action: unassignServices
Unassigns the named services from the user.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation takes a request resource that conforms to the following schema:
{
"description" : "Names of the services to unassign from the user",
"type" : "object",
"title" : "Unassign services request",
"properties" : {
"serviceNames" : {
"type" : "array",
"title" : "Service names",
"description" : "Names of the services to unassign from the user",
"items" : {
"type" : "string"
}
}
}
}
/users/{user}/services/dashboard
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ✓ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"assignedDashboard" : {
"title" : "Assigned Dashboard",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"assignedDashboard" : {
"title" : "Assigned Dashboard",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"assignedDashboard" : {
"title" : "Assigned Dashboard",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"assignedDashboard" : {
"title" : "Assigned Dashboard",
"propertyOrder" : 800,
"required" : true,
"items" : {
"type" : "string"
},
"type" : "array"
}
}
}
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Action: unassignServices
Unassigns the named services from the user.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation takes a request resource that conforms to the following schema:
{
"description" : "Names of the services to unassign from the user",
"type" : "object",
"title" : "Unassign services request",
"properties" : {
"serviceNames" : {
"type" : "array",
"title" : "Service names",
"description" : "Names of the services to unassign from the user",
"items" : {
"type" : "string"
}
}
}
}
/users/{user}/services/session
1.0
Create
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ⃠ | Assigned by server (do not supply) | ✓ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"iplanet-am-session-max-idle-time" : {
"title" : "Maximum Idle Time",
"description" : "Maximum time a stateful session can remain idle before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"iplanet-am-session-quota-limit" : {
"title" : "Active User Sessions",
"description" : "Maximum number of concurrent stateful sessions OpenAM allows a user to have.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"iplanet-am-session-max-session-time" : {
"title" : "Maximum Session Time",
"description" : "Maximum time a session can remain valid before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"iplanet-am-session-max-caching-time" : {
"title" : "Maximum Caching Time",
"description" : "Maximum time before OpenAM refreshes a session that has been cached, in minutes.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
Read
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"iplanet-am-session-max-idle-time" : {
"title" : "Maximum Idle Time",
"description" : "Maximum time a stateful session can remain idle before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"iplanet-am-session-quota-limit" : {
"title" : "Active User Sessions",
"description" : "Maximum number of concurrent stateful sessions OpenAM allows a user to have.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"iplanet-am-session-max-session-time" : {
"title" : "Maximum Session Time",
"description" : "Maximum time a session can remain valid before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"iplanet-am-session-max-caching-time" : {
"title" : "Maximum Caching Time",
"description" : "Maximum time before OpenAM refreshes a session that has been cached, in minutes.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
Update
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"iplanet-am-session-max-idle-time" : {
"title" : "Maximum Idle Time",
"description" : "Maximum time a stateful session can remain idle before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"iplanet-am-session-quota-limit" : {
"title" : "Active User Sessions",
"description" : "Maximum number of concurrent stateful sessions OpenAM allows a user to have.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"iplanet-am-session-max-session-time" : {
"title" : "Maximum Session Time",
"description" : "Maximum time a session can remain valid before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"iplanet-am-session-max-caching-time" : {
"title" : "Maximum Caching Time",
"description" : "Maximum time before OpenAM refreshes a session that has been cached, in minutes.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
Delete
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"type" : "object",
"properties" : {
"iplanet-am-session-max-idle-time" : {
"title" : "Maximum Idle Time",
"description" : "Maximum time a stateful session can remain idle before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 200,
"required" : true,
"type" : "integer"
},
"iplanet-am-session-quota-limit" : {
"title" : "Active User Sessions",
"description" : "Maximum number of concurrent stateful sessions OpenAM allows a user to have.",
"propertyOrder" : 800,
"required" : true,
"type" : "integer"
},
"iplanet-am-session-max-session-time" : {
"title" : "Maximum Session Time",
"description" : "Maximum time a session can remain valid before OpenAM requires the user to authenticate again, in minutes.",
"propertyOrder" : 100,
"required" : true,
"type" : "integer"
},
"iplanet-am-session-max-caching-time" : {
"title" : "Maximum Caching Time",
"description" : "Maximum time before OpenAM refreshes a session that has been cached, in minutes.",
"propertyOrder" : 300,
"required" : true,
"type" : "integer"
}
}
}
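Added example, not OpenAM's own code: a sanity check for a per-user session service body (the schema used by the Create, Read, Update and Delete operations above) that an operator can run before a PUT loosens a user's session limits. The rules it applies follow from the attribute descriptions: all four values are required positive integers (minutes, except the quota, which is a count); the idle timeout cannot usefully exceed the maximum session time; a caching time longer than the idle timeout lets a cached session outlive the idle limit on the client side; and a quota below 1 locks the user out. The ceilings `MAX_SESSION_MINUTES`, `MAX_IDLE_MINUTES` and `MAX_QUOTA` are local policy choices assumed for this example, not OpenAM defaults, and both sample bodies are constructed.

```python
REQUIRED = (
    "iplanet-am-session-max-session-time",
    "iplanet-am-session-max-idle-time",
    "iplanet-am-session-max-caching-time",
    "iplanet-am-session-quota-limit",
)
MAX_SESSION_MINUTES = 8 * 60   # assumed local ceiling: one working day
MAX_IDLE_MINUTES = 30          # assumed local ceiling for the idle timeout
MAX_QUOTA = 5                  # assumed local ceiling for concurrent sessions


def check_session_service(body):
    """Return a list of findings for a session service body; empty means acceptable."""
    findings = []
    for key in REQUIRED:
        v = body.get(key)
        # bool is a subclass of int in Python, so exclude it explicitly
        if not isinstance(v, int) or isinstance(v, bool) or v < 1:
            findings.append(f"{key}: required positive integer, got {v!r}")
    if findings:
        return findings                  # the relations below need valid integers
    session = body["iplanet-am-session-max-session-time"]
    idle = body["iplanet-am-session-max-idle-time"]
    caching = body["iplanet-am-session-max-caching-time"]
    quota = body["iplanet-am-session-quota-limit"]
    if idle > session:
        findings.append(f"idle timeout {idle} min exceeds session lifetime {session} min")
    if caching > idle:
        findings.append(f"caching time {caching} min exceeds idle timeout {idle} min")
    if session > MAX_SESSION_MINUTES:
        findings.append(f"session lifetime {session} min exceeds cap {MAX_SESSION_MINUTES}")
    if idle > MAX_IDLE_MINUTES:
        findings.append(f"idle timeout {idle} min exceeds cap {MAX_IDLE_MINUTES}")
    if quota > MAX_QUOTA:
        findings.append(f"session quota {quota} exceeds cap {MAX_QUOTA}")
    return findings


def diff_for_review(current, proposed):
    """Map each attribute a PUT would raise to (stored value, proposed value)."""
    loosened = {}
    for key in REQUIRED:
        if proposed.get(key, 0) > current.get(key, 0):
            loosened[key] = (current.get(key), proposed.get(key))
    return loosened


# Constructed sample bodies: a weak configuration beside a hardened one.
WEAK = {
    "iplanet-am-session-max-session-time": 43200,   # 30 days
    "iplanet-am-session-max-idle-time": 43200,      # never idles out in practice
    "iplanet-am-session-max-caching-time": 60,
    "iplanet-am-session-quota-limit": 100,
}
HARDENED = {
    "iplanet-am-session-max-session-time": 480,
    "iplanet-am-session-max-idle-time": 15,
    "iplanet-am-session-max-caching-time": 3,
    "iplanet-am-session-quota-limit": 2,
}

if __name__ == "__main__":
    for finding in check_session_service(WEAK):
        print("WEAK:", finding)
    print("HARDENED:", check_session_service(HARDENED) or "ok")
    print("loosened by WEAK relative to HARDENED:", diff_for_review(HARDENED, WEAK))
```

Read the user's current body first and pass it as `current` so the review output shows exactly which limits a change relaxes; the check applies equally to the realm-level session service, since a per-user value only narrows or widens what the realm already allows.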
Action: getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A collection of type objects in response to the request",
"type" : "object",
"title" : "Types response",
"properties" : {
"result" : {
"type" : "array",
"title" : "Results",
"description" : "The array of type results",
"items" : {
"$ref" : "#/definitions/restsms.type"
}
}
}
}
Action: nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "The collection of next descendents beneath this endpoint",
"type" : "object",
"title" : "Next Descendents response",
"properties" : {
"result" : {
"type" : "array",
"items" : {
"type" : "object",
"title" : "Item",
"description" : "A single descendent item",
"properties" : {
"_id" : {
"type" : "string",
"title" : "ID",
"description" : "The identifier of the item within its type"
},
"_type" : {
"$ref" : "#/definitions/restsms.type"
}
},
"additionalProperties" : {
"type" : "any",
"title" : "Other properties",
"description" : "Any additional properties for the item (varies based on the schema of the type)"
}
}
}
}
}
Action: unassignServices
Unassigns the named services from the user.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | string | The user’s username | | path | |
This operation takes a request resource that conforms to the following schema:
{
"description" : "i18n:api-descriptor/UserServicesResource#schema.description",
"type" : "object",
"title" : "i18n:api-descriptor/UserServicesResource#schema.title",
"properties" : {
"serviceNames" : {
"type" : "array",
"title" : "i18n:api-descriptor/UserServicesResource#schema.servicename.title",
"description" : "i18n:api-descriptor/UserServicesResource#schema.servicename.description",
"items" : {
"type" : "string"
}
}
}
}
/users/{user}/uma/auditHistory
1.0
Provides access to UMA auditing history for a user
Action: getHistory
Returns the audit history of a user
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation returns a response resource that conforms to the following schema:
{
"type" : "array",
"items" : {
"type" : "object",
"id" : "urn:jsonschema:org:forgerock:openam:sm:datalayer:impl:uma:UmaAuditEntry",
"description" : "Describes an event for uma auditing",
"title" : "An Uma audit entry",
"properties" : {
"id" : {
"type" : "string",
"description" : "The user's unique ID",
"title" : "Unique user ID"
},
"resourceSetId" : {
"type" : "string",
"description" : "The ID of the resource set",
"title" : "Resource set ID"
},
"resourceSetName" : {
"type" : "string",
"description" : "The name of the resource set",
"title" : "Resource set name"
},
"requestingPartyName" : {
"type" : "string",
"description" : "The name of the requesting party",
"title" : "Requesting party name"
},
"type" : {
"type" : "string",
"description" : "The type of event",
"title" : "Type"
},
"resourceOwnerId" : {
"type" : "string",
"description" : "The ID of the resource owner",
"title" : "Resource owner ID"
},
"eventTime" : {
"type" : "string",
"description" : "The timestamp when the event occurred",
"title" : "Event timestamp",
"format" : "date-time"
}
}
}
}
Query by Filter
Queries the collection of audit history entries.
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"description" : "Describes an event for uma auditing",
"id" : "urn:jsonschema:org:forgerock:openam:sm:datalayer:impl:uma:UmaAuditEntry",
"type" : "object",
"title" : "An Uma audit entry",
"properties" : {
"id" : {
"type" : "string",
"description" : "The user's unique ID",
"title" : "Unique user ID"
},
"resourceSetId" : {
"type" : "string",
"description" : "The ID of the resource set",
"title" : "Resource set ID"
},
"resourceSetName" : {
"type" : "string",
"description" : "The name of the resource set",
"title" : "Resource set name"
},
"requestingPartyName" : {
"type" : "string",
"description" : "The name of the requesting party",
"title" : "Requesting party name"
},
"type" : {
"type" : "string",
"description" : "The type of event",
"title" : "Type"
},
"resourceOwnerId" : {
"type" : "string",
"description" : "The ID of the resource owner",
"title" : "Resource owner ID"
},
"eventTime" : {
"type" : "string",
"description" : "The timestamp when the event occurred",
"title" : "Event timestamp",
"format" : "date-time"
}
}
}
| Code | Description |
|---|---|
| | Occurs if OpenAM is unable to query the audit history |
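Added example (not part of the OpenAM API descriptor or the product's own code): a small Python review of what getHistory or the query above returns for a resource owner. The entries are constructed to match the UmaAuditEntry schema; the `type` strings are placeholders because the page does not enumerate the real event-type names, and the query path assumes the CREST `_queryFilter` parameter on a `/json/users` base.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import quote, urlencode

# Constructed sample, shaped like the UmaAuditEntry schema. The "type" values are
# placeholders: the descriptor does not list the real event-type names.
SAMPLE_HISTORY = [
    {"id": "e1", "resourceSetId": "rs-1", "resourceSetName": "photos",
     "requestingPartyName": "bob", "type": "REQUESTED",
     "resourceOwnerId": "alice", "eventTime": "2024-05-01T09:00:00Z"},
    {"id": "e2", "resourceSetId": "rs-2", "resourceSetName": "calendar",
     "requestingPartyName": "bob", "type": "REQUESTED",
     "resourceOwnerId": "alice", "eventTime": "2024-05-01T09:05:00Z"},
    {"id": "e3", "resourceSetId": "rs-3", "resourceSetName": "contacts",
     "requestingPartyName": "bob", "type": "DENIED",
     "resourceOwnerId": "alice", "eventTime": "2024-05-01T09:07:00Z"},
    {"id": "e4", "resourceSetId": "rs-1", "resourceSetName": "photos",
     "requestingPartyName": "carol", "type": "APPROVED",
     "resourceOwnerId": "alice", "eventTime": "2024-05-03T14:00:00Z"},
]


def history_query(user, base="/json/users"):
    # No queryable fields are advertised, so the only safe filter is the
    # CREST catch-all _queryFilter=true (base path and parameter assumed here)
    return f"{base}/{quote(user, safe='')}/uma/auditHistory?" + urlencode({"_queryFilter": "true"})


def parse_time(value):
    # eventTime is an RFC 3339 date-time; fromisoformat() before Python 3.11
    # rejects a trailing "Z", so normalise it to an explicit offset first
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def summarize_history(entries):
    """Per requesting party: distinct resource sets touched and a count per event type."""
    summary = {}
    for e in entries:
        party = summary.setdefault(e["requestingPartyName"],
                                   {"resource_sets": set(), "types": defaultdict(int)})
        party["resource_sets"].add(e["resourceSetId"])
        party["types"][e["type"]] += 1
    return summary


def flag_broad_requesters(entries, max_resource_sets, window_seconds):
    """Requesting parties that touched more than max_resource_sets distinct resource
    sets inside any window of window_seconds: a party sweeping an owner's resources."""
    window = timedelta(seconds=window_seconds)
    by_party = defaultdict(list)
    for e in entries:
        by_party[e["requestingPartyName"]].append((parse_time(e["eventTime"]), e["resourceSetId"]))
    flagged = []
    for party, events in by_party.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {rs for t, rs in events[i:] if t - start <= window}
            if len(seen) > max_resource_sets:
                flagged.append(party)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(history_query("alice"))
    for party, info in summarize_history(SAMPLE_HISTORY).items():
        print(party, sorted(info["resource_sets"]), dict(info["types"]))
    print("broad requesters:", flag_broad_requesters(SAMPLE_HISTORY, 2, 3600))
```

The window check is the one thing the per-party totals cannot show: a requesting party that asks for three of an owner's resource sets inside a few minutes looks different from one that accumulates the same three grants over a year.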
/users/{user}/uma/pendingrequests
1.0
The pending UMA requests provider allows, denies and queries guest requests for a user's resources. Available actions are Query, Read, Deny (all requests or one request) and Approve (all requests or one request).
Action: approveAll
Approves every pending request and grants the listed scopes to each requesting user.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Approve action request schema.",
"type" : "object",
"title" : "Approve action request schema",
"properties" : {
"scopes" : {
"type" : "array",
"title" : "Approve request scopes",
"description" : "The list of the scopes the requesting user gets access to.",
"items" : {
"type" : "string"
}
}
},
"required" : [ "scopes" ]
}
| Code | Description |
|---|---|
| | Failed to read pending request, pending request not found. |
Action: denyAll
Denies every pending request and refuses access to each requesting user.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Code | Description |
|---|---|
| | Action is not supported |
| | Failed to read pending request, pending request not found. |
Query by Filter
Queries the collection of pending requests.
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ⃠ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Pending request schema for the user resource access requests.",
"type" : "object",
"title" : "Pending request schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Pending request id",
"description" : "Unique identifier of the pending request."
},
"user" : {
"type" : "string",
"title" : "User requesting access",
"description" : "The user name who is requesting access to the resource."
},
"resource" : {
"type" : "string",
"title" : "Resource name",
"description" : "The resource name which the user requested access to."
},
"when" : {
"type" : "integer",
"title" : "Request time",
"description" : "The time of the user access request."
},
"permissions" : {
"title" : "Permissions",
"description" : "The list of the permissions the user requested.",
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
| Code | Description |
|---|---|
| | Failed to read pending request, pending request not found. |
/users/{user}/uma/pendingrequests/{pendingRequestId}
1.0
The pending UMA requests provider allows, denies and queries guest requests for a user's resources. Available actions are Query, Read, Deny (all requests or one request) and Approve (all requests or one request).
Read
Reads a pending request.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | | The identifier of the user the request concerns. | ✓ | | |
| pendingRequestId | | Unique identifier of the pending request. | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Pending request schema for the user resource access requests.",
"type" : "object",
"title" : "Pending request schema",
"properties" : {
"_id" : {
"type" : "string",
"title" : "Pending request id",
"description" : "Unique identifier of the pending request."
},
"user" : {
"type" : "string",
"title" : "User requesting access",
"description" : "The user name who is requesting access to the resource."
},
"resource" : {
"type" : "string",
"title" : "Resource name",
"description" : "The resource name which the user requested access to."
},
"when" : {
"type" : "integer",
"title" : "Request time",
"description" : "The time of the user access request."
},
"permissions" : {
"title" : "Permissions",
"description" : "The list of the permissions the user requested.",
"type" : "array",
"items" : {
"type" : "string"
}
}
}
}
| Code | Description |
|---|---|
| | Failed to read pending request, pending request not found. |
Action: approve
Approves the pending request and grants the listed scopes to the requesting user.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | | The identifier of the user the request concerns. | ✓ | | |
| pendingRequestId | | Unique identifier of the pending request. | ✓ | | |
This operation takes a request resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "Approve action request schema.",
"type" : "object",
"title" : "Approve action request schema",
"properties" : {
"scopes" : {
"type" : "array",
"title" : "Approve request scopes",
"description" : "The list of the scopes the requesting user gets access to.",
"items" : {
"type" : "string"
}
}
},
"required" : [ "scopes" ]
}
| Code | Description |
|---|---|
| | Action is not supported |
Action: deny
Denies the pending request and refuses access to the requesting user.
| Stability | MVCC |
|---|---|
| STABLE | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | | The identifier of the user the request concerns. | ✓ | | |
| pendingRequestId | | Unique identifier of the pending request. | ✓ | | |
| Code | Description |
|---|---|
| | Action is not supported |
| | Failed to read pending request, pending request not found. |
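Added example (not the OpenAM project's code): a resource owner's decision loop over the pending requests returned by the query above, producing one approve or deny action per request. The approve body carries the `scopes` array from the schema, and that is where over-granting happens, so the code approves only the intersection of what was requested and what the owner is willing to share. The pending requests and the owner allow-list are constructed for the example; the `/json/users` base path and the CREST `?_action=<name>` POST convention are assumptions.

```python
from urllib.parse import quote

# Constructed pending requests, shaped like the pending request schema above
SAMPLE_PENDING = [
    {"_id": "req-1", "user": "bob", "resource": "photos", "when": 1714554000,
     "permissions": ["view", "edit", "delete"]},
    {"_id": "req-2", "user": "carol", "resource": "photos", "when": 1714554600,
     "permissions": ["delete"]},
    {"_id": "req-3", "user": "bob", "resource": "calendar", "when": 1714555200,
     "permissions": ["view"]},
]

# Assumed owner-side allow-list: per resource name, the scopes alice is willing
# to share at all. Anything outside it is never approved, whatever was requested.
OWNER_ALLOW = {"photos": {"view", "edit"}}


def action_path(owner, request_id, action, base="/json/users"):
    # CREST invokes a named action with POST ...?_action=<name> (convention assumed)
    return (f"{base}/{quote(owner, safe='')}/uma/pendingrequests/"
            f"{quote(request_id, safe='')}?_action={action}")


def decide(request, allow):
    """Approve with the intersection of requested and allowed scopes, or deny.
    Never send scopes the requesting party did not ask for: the approve body
    is what the server grants, not the original request."""
    requested = set(request["permissions"])
    granted = requested & allow.get(request["resource"], set())
    if not granted:
        return "deny", []
    assert granted <= requested, "granted scopes must be a subset of the request"
    return "approve", sorted(granted)


def plan_decisions(owner, pending, allow):
    """One per-request approve or deny action for each pending request."""
    plans = []
    for req in pending:
        action, scopes = decide(req, allow)
        plans.append({
            "method": "POST",
            "path": action_path(owner, req["_id"], action),
            # approve takes the required "scopes" array; deny has no request body
            "body": {"scopes": scopes} if action == "approve" else None,
            "requesting_user": req["user"],
        })
    return plans


if __name__ == "__main__":
    for plan in plan_decisions("alice", SAMPLE_PENDING, OWNER_ALLOW):
        print(plan["method"], plan["path"], plan["body"])
```

approveAll takes a single `scopes` list and applies it to every pending request, so it can only safely hand out scopes that are appropriate for all of them at once; deciding per request, as above, keeps each grant to the intersection for that resource.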
/users/{user}/uma/policies
1.0
Provides create, read, update, delete and query operations for UMA Policies
Query by Filter
Queries UMA Policies
| Stability | MVCC | Queryable Fields |
|---|---|---|
| STABLE | ✓ | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A policy defining who can access a particular resource set",
"type" : "object",
"title" : "UMA Policy",
"properties" : {
"policyId" : {
"type" : "string",
"title" : "Policy ID",
"description" : "The ID must correspond with an existing resource set ID"
},
"permissions" : {
"type" : "array",
"title" : "Permissions",
"description" : "A list of subjects and the scopes they are allowed access to",
"items" : {
"type" : "object",
"properties" : {
"subject" : {
"type" : "string",
"title" : "Subject",
"description" : "The username of the subject"
},
"scopes" : {
"type" : "array",
"title" : "Scopes",
"description" : "The scopes that the user is allowed access to",
"items" : {
"type" : "string"
}
}
}
}
}
}
}
/users/{user}/uma/policies/{resourceId}
1.0
Provides create, read, update, delete and query operations for UMA Policies
Create
Creates a UMA Policy
| Stability | MVCC | Resource ID | Singleton |
|---|---|---|---|
| STABLE | ✓ | Assigned by client | ⃠ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | | The identifier of the user the request concerns. | ✓ | | |
| resourceId | | The ID of the policy is the same as that of the UMA resource being protected. | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A policy defining who can access a particular resource set",
"type" : "object",
"title" : "UMA Policy",
"properties" : {
"policyId" : {
"type" : "string",
"title" : "Policy ID",
"description" : "The ID must correspond with an existing resource set ID"
},
"permissions" : {
"type" : "array",
"title" : "Permissions",
"description" : "A list of subjects and the scopes they are allowed access to",
"items" : {
"type" : "object",
"properties" : {
"subject" : {
"type" : "string",
"title" : "Subject",
"description" : "The username of the subject"
},
"scopes" : {
"type" : "array",
"title" : "Scopes",
"description" : "The scopes that the user is allowed access to",
"items" : {
"type" : "string"
}
}
}
}
}
}
}
| Code | Description |
|---|---|
| | Occurs if a corresponding resource set doesn’t exist |
| | Occurs if the authenticated user doesn’t own the resource set |
| | Occurs if a policy already exists for the resource set |
| | Occurs if more than one resource set exists with the same ID |
Read
Reads a UMA Policy
| Stability | MVCC |
|---|---|
| STABLE | ✓ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | | The identifier of the user the request concerns. | ✓ | | |
| resourceId | | The ID of the policy is the same as that of the UMA resource being protected. | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A policy defining who can access a particular resource set",
"type" : "object",
"title" : "UMA Policy",
"properties" : {
"policyId" : {
"type" : "string",
"title" : "Policy ID",
"description" : "The ID must correspond with an existing resource set ID"
},
"permissions" : {
"type" : "array",
"title" : "Permissions",
"description" : "A list of subjects and the scopes they are allowed access to",
"items" : {
"type" : "object",
"properties" : {
"subject" : {
"type" : "string",
"title" : "Subject",
"description" : "The username of the subject"
},
"scopes" : {
"type" : "array",
"title" : "Scopes",
"description" : "The scopes that the user is allowed access to",
"items" : {
"type" : "string"
}
}
}
}
}
}
}
Update
Updates a UMA Policy
| Stability | MVCC |
|---|---|
| STABLE | ✓ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | | The identifier of the user the request concerns. | ✓ | | |
| resourceId | | The ID of the policy is the same as that of the UMA resource being protected. | ✓ | | |
This operation takes a request body and returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A policy defining who can access a particular resource set",
"type" : "object",
"title" : "UMA Policy",
"properties" : {
"policyId" : {
"type" : "string",
"title" : "Policy ID",
"description" : "The ID must correspond with an existing resource set ID"
},
"permissions" : {
"type" : "array",
"title" : "Permissions",
"description" : "A list of subjects and the scopes they are allowed access to",
"items" : {
"type" : "object",
"properties" : {
"subject" : {
"type" : "string",
"title" : "Subject",
"description" : "The username of the subject"
},
"scopes" : {
"type" : "array",
"title" : "Scopes",
"description" : "The scopes that the user is allowed access to",
"items" : {
"type" : "string"
}
}
}
}
}
}
}
| Code | Description |
|---|---|
| | Occurs if a corresponding resource set doesn’t exist |
| | Occurs if the authenticated user doesn’t own the resource set |
| | Occurs if more than one resource set exists with the same ID |
Delete
Deletes a UMA Policy
| Stability | MVCC |
|---|---|
| STABLE | ✓ |
| Name | Type | Description | Required | In | Values |
|---|---|---|---|---|---|
| user | | The identifier of the user the request concerns. | ✓ | | |
| resourceId | | The ID of the policy is the same as that of the UMA resource being protected. | ✓ | | |
This operation returns a response resource that conforms to the following schema:
{
"$schema" : "http://json-schema.org/draft-04/schema#",
"description" : "A policy defining who can access a particular resource set",
"type" : "object",
"title" : "UMA Policy",
"properties" : {
"policyId" : {
"type" : "string",
"title" : "Policy ID",
"description" : "The ID must correspond with an existing resource set ID"
},
"permissions" : {
"type" : "array",
"title" : "Permissions",
"description" : "A list of subjects and the scopes they are allowed access to",
"items" : {
"type" : "object",
"properties" : {
"subject" : {
"type" : "string",
"title" : "Subject",
"description" : "The username of the subject"
},
"scopes" : {
"type" : "array",
"title" : "Scopes",
"description" : "The scopes that the user is allowed access to",
"items" : {
"type" : "string"
}
}
}
}
}
}
}
| Code | Description |
|---|---|
| | Occurs if a corresponding resource set doesn’t exist |
| | Occurs if the policy can’t be found |
| | Occurs if more than one resource set exists with the same ID |
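Added example (not the OpenAM project's code) for the Create and Update operations above: building a body that matches the UMA Policy schema, checking that the path's `{resourceId}` and the body's `policyId` name the same resource set, computing which scopes an update adds per subject so the owner reviews the new access before the PUT replaces the whole policy, and setting the revision headers that the MVCC ✓ on these operations calls for. The `/json/users` base path and the CREST headers (`If-None-Match: *` on a client-assigned-ID create, `If-Match: <revision>` on update) are assumptions; the sample grants are constructed.

```python
from urllib.parse import quote


def build_policy(resource_id, grants):
    """grants maps a subject username to the scopes it may use. Produces a body
    matching the UMA Policy schema, with policyId set to the resource set ID."""
    permissions = []
    for subject, scopes in grants.items():
        scopes = sorted(set(scopes))
        if not subject or not scopes:
            raise ValueError(f"subject {subject!r} needs at least one scope")
        permissions.append({"subject": subject, "scopes": scopes})
    return {"policyId": resource_id, "permissions": permissions}


def validate_policy(resource_id, policy):
    """{resourceId} in the path and policyId in the body must name the same
    resource set, and a subject must not appear twice with different scope lists."""
    if policy.get("policyId") != resource_id:
        raise ValueError("policyId must equal the resource set ID in the path")
    subjects = [p["subject"] for p in policy.get("permissions", [])]
    if len(subjects) != len(set(subjects)):
        raise ValueError("duplicate subject in permissions")
    return True


def grant_delta(old, new):
    """Scopes that `new` grants beyond `old`, per subject. Review this before an
    update: the PUT replaces the whole policy, so this is the access being added."""
    def as_map(policy):
        return {p["subject"]: set(p["scopes"]) for p in policy.get("permissions", [])}
    before, after = as_map(old), as_map(new)
    delta = {}
    for subject, scopes in after.items():
        added = scopes - before.get(subject, set())
        if added:
            delta[subject] = sorted(added)
    return delta


def policy_request(user, resource_id, policy, rev=None, create=False, base="/json/users"):
    """Request descriptor for Create (client-assigned ID) or Update. Assumes the CREST
    conventions: If-None-Match: * on create, If-Match: <revision> for MVCC on update."""
    validate_policy(resource_id, policy)
    headers = {"Content-Type": "application/json"}
    if create:
        headers["If-None-Match"] = "*"   # fail instead of overwriting an existing policy
    elif rev is not None:
        headers["If-Match"] = rev        # fail if someone else changed the policy meanwhile
    return {
        "method": "PUT",
        "path": f"{base}/{quote(user, safe='')}/uma/policies/{quote(resource_id, safe='')}",
        "headers": headers,
        "body": policy,
    }


if __name__ == "__main__":
    old = build_policy("rs-1", {"bob": ["view"]})
    new = build_policy("rs-1", {"bob": ["view", "edit"], "carol": ["view"]})
    print("added access:", grant_delta(old, new))
    print(policy_request("alice", "rs-1", new, rev="3"))
```

Sending the revision on update matters because the policy body is the complete grant list: two owners' sessions (or a browser tab and a script) that both read revision 3 and write back their own version would otherwise silently drop each other's subjects or scopes, and the loser of that race has no record of what was lost. The ownership error listed above is enforced server-side; the client-side checks here catch the mismatched-ID and over-granting mistakes before a request is sent.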